Thanks Francesco for this very detailed answer. This is indeed what I suspected but I was not 100% sure.
Best regards,
Lionel
----- On 26 Mar 22, at 6:55, Francesco Chicchiriccò ilgro...@apache.org wrote:
> On 25/03/22 18:06, Lionel SCHWARZ wrote:
>> Dear all,
>>
>> Considering I have enabled the OIDC extension and properly configured my OIDC provider (keycloak), and considering I am able to retrieve from this provider an AuthorizationCode, how is it possible for me to use the REST endpoints using this authorization code?
>
> Hi Lionel,
> the OpenID Connect client extension [1] is designed to work for UI (Console, Enduser), not for REST endpoints.
>
> In fact, the extension adds some components that on one side implement the OIDC protocol communications in the UI itself, while using existing Syncope constructs and components on the other side.
> The overall OIDC client authentication process initiated by Syncope Console or Enduser ends up in getting an ordinary Syncope JWT to authenticate REST calls to Core.
>
> FYI, the SAML 2.0 extension [2] works in the same way.
>
> It is indeed possible to authenticate REST calls by passing JWT values different from the ones generated by Syncope itself after authentication, by providing JWTSSOProvider [3] implementations.
>
> Essentially, an implementation will need to provide at least two things:
>
> 1. the JWT issuer value to match, for which the class will be invoked by Syncope
>
> 2. a means to resolve the JWT claims into an existing Syncope user
>
> It can also do other things, like using a different signature verification.
>
> Syncope itself is using an implementation as such for the default JWT format [4].
> You can also look at an example in the test code [5].
>
> Hope this helps.
> Regards.
>
> [1] https://syncope.apache.org/docs/2.1/reference-guide.html#openid-connect-client
> [2] https://syncope.apache.org/docs/2.1/reference-guide.html#saml-2-0-service-provider
> [3] https://syncope.apache.org/docs/2.1/reference-guide.html#jwtssoprovider
> [4] https://github.com/apache/syncope/blob/syncope-2.1.11/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
> [5] https://github.com/apache/syncope/blob/syncope-2.1.11/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/