On 25/03/22 18:06, Lionel SCHWARZ wrote:
> Dear all,
> Considering I have enabled the OIDC extension and properly configured my OIDC
> provider (keycloak), and considering I am able to retrieve from this provider
> an AuthorizationCode, how is it possible for me to use the REST endpoints using
> this authorization code?
Hi Lionel,
the OpenID Connect client extension [1] is designed to work for UI (Console,
Enduser), not for REST endpoints.
In fact, the extension adds some components that from one side implement the
OIDC protocol communications in the UI itself, while using existing Syncope
constructs and components on the other side.
The overall OIDC client authentication process initiated by Syncope Console or
Enduser ends up getting an ordinary Syncope JWT to authenticate REST calls
to Core.
FYI, the SAML 2.0 extension [2] works in the same way.
It is indeed possible to authenticate REST calls by passing JWT values
different from the ones generated by Syncope itself after authentication, by
providing JWTSSOProvider [3] implementations.
Essentially, an implementation will need to provide at least two things:
1. the JWT issuer value to match, for which the class will be invoked by Syncope
2. a means to resolve the JWT claims into an existing Syncope user
It can also do other things, like using a different signature verification.
Syncope itself is using an implementation as such for default JWT format [4].
You can also look at an example in the test code [5].
Hope this helps.
Regards.
[1] https://syncope.apache.org/docs/2.1/reference-guide.html#openid-connect-client
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#saml-2-0-service-provider
[3] https://syncope.apache.org/docs/2.1/reference-guide.html#jwtssoprovider
[4] https://github.com/apache/syncope/blob/syncope-2.1.11/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
[5] https://github.com/apache/syncope/blob/syncope-2.1.11/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
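Added example (not code from the thread, nor from the Syncope project): a JWTSSOProvider that covers the two things the reply lists, the issuer value to match and a way to resolve the claims into an existing Syncope user, plus its own signature verification for tokens signed by an external issuer such as a Keycloak realm. It assumes the interface shape used by Syncope 2.1's own providers at [4] and [5] (getIssuer(), resolve(JwtClaims), and the CXF JwsSignatureVerifier methods), that the interface lives in the org.apache.syncope.core.spring.security package, that the bean is wired into Core's Spring context the same way those providers are, and that CXF's JwsUtils.getPublicKeySignatureVerifier(PublicKey, SignatureAlgorithm) is available. The issuer URL, the realm public key and the audience are placeholders, and the mapping of the preferred_username claim onto the Syncope username is an assumption about how the two user bases line up.

```java
package com.example.syncope.sso; // hypothetical package for this example

import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Set;

import org.apache.commons.lang3.tuple.Pair;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jws.JwsVerificationSignature;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.syncope.core.persistence.api.dao.UserDAO;
import org.apache.syncope.core.persistence.api.entity.user.User;
import org.apache.syncope.core.spring.security.AuthDataAccessor;
import org.apache.syncope.core.spring.security.JWTSSOProvider; // package assumed, see lead-in
import org.apache.syncope.core.spring.security.SyncopeGrantedAuthority;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.transaction.annotation.Transactional;

/**
 * Lets Core accept RS256-signed tokens minted by an external issuer (e.g. a
 * Keycloak realm) on REST calls, mapping each token onto an existing Syncope user.
 */
public class KeycloakJWTSSOProvider implements JWTSSOProvider {

    // Must equal the "iss" claim the realm puts into its tokens (placeholder value).
    private static final String ISSUER = "https://keycloak.example.test/auth/realms/REALM_PLACEHOLDER";

    // Realm public key as Base64 DER (SubjectPublicKeyInfo); placeholder value.
    private static final String REALM_PUBLIC_KEY_B64 = "REALM_PUBLIC_KEY_PLACEHOLDER";

    // Only tokens issued for this client ("aud" claim) are accepted; placeholder value.
    private static final String EXPECTED_AUDIENCE = "syncope-core";

    // Signature checks are delegated to a CXF verifier bound to the realm key and to RS256.
    private final JwsSignatureVerifier delegate;

    @Autowired
    private UserDAO userDAO;

    @Autowired
    private AuthDataAccessor authDataAccessor;

    public KeycloakJWTSSOProvider() throws Exception {
        byte[] der = Base64.getDecoder().decode(REALM_PUBLIC_KEY_B64);
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        delegate = JwsUtils.getPublicKeySignatureVerifier(key, SignatureAlgorithm.RS256);
    }

    // 1. The issuer value: Syncope invokes this provider only for tokens whose "iss" equals it.
    @Override
    public String getIssuer() {
        return ISSUER;
    }

    @Override
    public SignatureAlgorithm getAlgorithm() {
        return delegate.getAlgorithm();
    }

    @Override
    public boolean verify(final JwsHeaders headers, final String unsignedText, final byte[] signature) {
        // Pin the algorithm explicitly: a header asking for "none" or an HMAC variant is refused
        // before the delegate is consulted, so the public key can never be misused as an HMAC secret.
        if (headers.getSignatureAlgorithm() != SignatureAlgorithm.RS256) {
            return false;
        }
        return delegate.verify(headers, unsignedText, signature);
    }

    @Override
    public JwsVerificationSignature createJwsVerificationSignature(final JwsHeaders headers) {
        return delegate.createJwsVerificationSignature(headers);
    }

    // 2. Resolving the claims into an existing Syncope user; null means "not authenticated".
    @Transactional(readOnly = true)
    @Override
    public Pair<User, Set<SyncopeGrantedAuthority>> resolve(final JwtClaims claims) {
        // A valid signature is not enough: the token must be for us and still within its lifetime.
        if (claims.getAudiences() == null || !claims.getAudiences().contains(EXPECTED_AUDIENCE)) {
            return null;
        }
        Long exp = claims.getExpiryTime(); // seconds since the epoch
        if (exp == null || exp <= System.currentTimeMillis() / 1000L) {
            return null;
        }
        // Assumed mapping: the realm's preferred_username carries the Syncope username.
        Object username = claims.getClaim("preferred_username");
        if (!(username instanceof String)) {
            return null;
        }
        User user = userDAO.findByUsername((String) username);
        if (user == null || Boolean.TRUE.equals(user.isSuspended())) {
            return null;
        }
        // Authorities still come from Syncope's own role/entitlement data, not from the token.
        return Pair.of(user, authDataAccessor.getAuthorities(user.getUsername()));
    }
}
```

With this in place, the flow Lionel asks about becomes: exchange the authorization code at Keycloak's token endpoint for an access token (an ordinary OIDC step outside Syncope), then send that token to Core exactly as a Syncope-issued JWT would be sent; Core routes it to this provider by the "iss" claim. Keeping authorities sourced from Syncope rather than from token claims means a compromised or over-privileged external token can only ever act as the Syncope user it maps to.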