On 25/03/22 18:06, Lionel SCHWARZ wrote:
Dear all,

Considering I have enabled the OIDC extension and properly configured my OIDC 
provider (keycloak), and considering I am able to retrieve from this provider 
an AuthorizationCode, how is it possible for me to use the REST endpoints using 
this authorization code?

Hi Lionel,
the OpenID Connect client extension [1] is designed to work for UI (Console, 
Enduser), not for REST endpoints.

In fact, the extension adds some components that from one side implement the 
OIDC protocol communications in the UI itself, while using existing Syncope 
constructs and components on the other side.
The overall OIDC client authentication process initiated by Syncope Console or 
Enduser ends up getting an ordinary Syncope JWT to authenticate REST calls 
to Core.

FYI, the SAML 2.0 extension [2] works in the same way.

It is indeed possible to authenticate REST calls by passing JWT values 
different than the ones generated by Syncope itself after authentication, by 
providing JWTSSOProvider [3] implementations.

Essentially, an implementation will need to provide at least two things:

1. the JWT issuer value to match, for which the class will be invoked by Syncope

2. a means to resolve the JWT claims into an existing Syncope user

It can also do other things, like using a different signature verification.

Syncope itself is using such an implementation for the default JWT format [4].
You can also look at an example in the test code [5].

Hope this helps.
Regards.

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#openid-connect-client
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#saml-2-0-service-provider
[3] https://syncope.apache.org/docs/2.1/reference-guide.html#jwtssoprovider
[4] https://github.com/apache/syncope/blob/syncope-2.1.11/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
[5] https://github.com/apache/syncope/blob/syncope-2.1.11/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
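As an added illustration of the two things the reply says a JWTSSOProvider must provide (an issuer value to match, and a way to resolve JWT claims to an existing Syncope user), plus the optional custom signature verification, here is an example provider written for this thread. It is not code from the thread or from the Syncope project; the shape of the JWTSSOProvider interface (getIssuer(), resolve(JwtClaims) returning a commons-lang3 Pair of User and granted authorities, and the JwsSignatureVerifier methods inherited through the interface) is assumed from Syncope 2.1 and should be checked against [3], [4] and [5]. The Keycloak realm URL, client id and public key are constructed placeholders, and the class, package and field names are hypothetical.

```java
package com.example.sso; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.PublicKeyJwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.syncope.core.persistence.api.dao.UserDAO;
import org.apache.syncope.core.persistence.api.entity.user.User;
import org.apache.syncope.core.spring.security.JWTSSOProvider;
import org.apache.syncope.core.spring.security.SyncopeGrantedAuthority;
import org.springframework.beans.factory.annotation.Autowired;

/**
 * Example JWTSSOProvider (assumed interface shape, see [3]) that accepts
 * Keycloak-issued access tokens on Syncope REST calls.
 */
public class KeycloakJWTSSOProvider implements JWTSSOProvider {

    // 1. Issuer to match: Syncope hands a token to this provider only when its
    //    "iss" claim equals this value. Constructed placeholder realm URL.
    private static final String ISSUER = "https://keycloak.example.org/auth/realms/syncope";

    // Client id the token must be intended for (checked against "aud"). Placeholder.
    private static final String EXPECTED_AUDIENCE = "syncope-core";

    // Realm RSA public key as exported by Keycloak (X.509 SubjectPublicKeyInfo,
    // base64). Placeholder value; load the real one from configuration.
    private static final String REALM_PUBLIC_KEY_B64 = "REPLACE-WITH-REALM-PUBLIC-KEY";

    // Optional custom signature verification: RS256 with the realm public key
    // instead of Syncope's own HMAC secret.
    private final PublicKeyJwsSignatureVerifier delegate;

    @Autowired
    private UserDAO userDAO;

    public KeycloakJWTSSOProvider() throws Exception {
        byte[] der = Base64.getDecoder().decode(REALM_PUBLIC_KEY_B64);
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        this.delegate = new PublicKeyJwsSignatureVerifier(key, SignatureAlgorithm.RS256);
    }

    @Override
    public String getIssuer() {
        return ISSUER;
    }

    @Override
    public SignatureAlgorithm getAlgorithm() {
        return delegate.getAlgorithm();
    }

    @Override
    public boolean verify(final JwsHeaders headers, final String unsignedText, final byte[] signature) {
        // Pin the algorithm: a token whose header announces anything but RS256 is rejected.
        if (headers.getSignatureAlgorithm() != SignatureAlgorithm.RS256) {
            return false;
        }
        return delegate.verify(headers, unsignedText, signature);
    }

    // 2. Resolve claims to an existing Syncope user. Returning null means the
    //    token is not accepted (assumed convention; confirm against [4]/[5]).
    @Override
    public Pair<User, Set<SyncopeGrantedAuthority>> resolve(final JwtClaims jwtClaims) {
        Long exp = jwtClaims.getExpiryTime(); // seconds since epoch
        if (exp == null || exp * 1000L < System.currentTimeMillis()) {
            return null; // expired or missing expiry
        }
        List<String> audiences = jwtClaims.getAudiences();
        if (audiences == null || !audiences.contains(EXPECTED_AUDIENCE)) {
            return null; // token was minted for some other client
        }
        // Keycloak puts the login name in "preferred_username"; map it onto a
        // Syncope user that must already exist (no just-in-time provisioning here).
        String username = jwtClaims.getStringProperty("preferred_username");
        if (username == null || username.isEmpty()) {
            return null;
        }
        User user = userDAO.findByUsername(username);
        if (user == null) {
            return null;
        }
        // Authorities are left empty in this example; see [5] for how the
        // project's own test provider populates them for the resolved user.
        return Pair.of(user, Collections.<SyncopeGrantedAuthority>emptySet());
    }
}
```

The provider is registered as a Spring bean in Core so that Syncope's JWT authentication filter can select it by issuer; the issuer match is what keeps a token signed by one provider's key from ever reaching another provider's resolve() step, and the audience and expiry checks keep a Keycloak token issued for a different client, or a stale one, from being accepted on the REST endpoints.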
