On 09/12/22 11:40, Philipp Trenz wrote:
Dear Syncope community,

I’m searching for a solution to provision users from Azure AD into a local 
Windows AD. Syncope looks very promising for this use case and I’m about to 
set up a Proof of Concept. For configuring Azure AD against the SCIMv2 
extension, a static bearer authentication token is required. The default 
authentication method for the SCIM endpoints seems to be JWT, though.

TL;DR: How can I configure a static Bearer token for authentication against the 
SCIM v2 extension?

Hi Philipp,
glad of your interest in Apache Syncope.

The authentication configuration for all REST endpoints exposed by Core is 
defined by [1] so, in case you really want to dig into this topic or override 
some bean definition(s) in your project, that is definitely the starting 
point.

I am reading from [2] that Azure AD is using an OAuth 2.0 bearer token, which 
should still be in JWT format.
If this is the case, my suggestion is to add to your project an implementation 
of JWTSSOProvider [3].

The purpose of a JWTSSOProvider is to:

1. validate the provided "Authorization: Bearer" value, in the verify() method
2. resolve the extracted claims into an internal Syncope User, in the resolve() 
method

You can look at a sample implementation [4] or the one that is actually in use 
by default [5].

The typical use case for additional JWTSSOProvider implementations is to allow 
JWT values not generated by Syncope itself to be used to authorize access to 
Syncope REST endpoints.

HTH
Regards.

[1] https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java
[2] https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#handling-endpoint-authentication
[3] https://syncope.apache.org/docs/3.0/reference-guide.html#jwtssoprovider
[4] https://github.com/apache/syncope/blob/master/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java
[5] https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
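
The two steps described in the reply above (validate the "Authorization: Bearer" value, then resolve its claims to a local user), as an added stand-alone example that is not part of the original email and not Syncope's own code. It does not implement the Syncope JWTSSOProvider interface; it assumes the Nimbus JOSE+JWT library on the classpath, and the HS256 shared key, issuer URL, class name and user mapping are all constructed for illustration.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.Map;
import java.util.Optional;

public class BearerJwtCheck {
    // Hypothetical values: the one trusted issuer and the subject-to-local-user mapping.
    static final String TRUSTED_ISSUER = "https://idp.example.test/";
    static final Map<String, String> LOCAL_USERS = Map.of("scim-client", "provisioning-admin");

    // Step 1 (the verify() role): pinned algorithm, valid signature, expected issuer, not expired.
    static Optional<JWTClaimsSet> verify(String bearer, byte[] key) {
        try {
            SignedJWT jwt = SignedJWT.parse(bearer); // unsigned ("alg":"none") tokens fail to parse here
            JWSAlgorithm alg = jwt.getHeader().getAlgorithm();
            if (!JWSAlgorithm.HS256.equals(alg) || !jwt.verify(new MACVerifier(key))) return Optional.empty();
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            boolean ok = exp != null && exp.after(new Date()) && TRUSTED_ISSUER.equals(claims.getIssuer());
            return ok ? Optional.of(claims) : Optional.empty();
        } catch (Exception e) {
            return Optional.empty(); // malformed token or crypto failure: fail closed
        }
    }

    // Step 2 (the resolve() role): map the subject claim to a known local user, otherwise nothing.
    static Optional<String> resolve(JWTClaimsSet claims) {
        return Optional.ofNullable(claims.getSubject()).map(LOCAL_USERS::get);
    }
    // Builds a constructed sample token so the example runs offline.
    static String token(String iss, String sub, long ttlMs, byte[] key) throws Exception {
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), new JWTClaimsSet.Builder()
                .issuer(iss).subject(sub).expirationTime(new Date(System.currentTimeMillis() + ttlMs)).build());
        jwt.sign(new MACSigner(key));
        return jwt.serialize();
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-32-bytes-xx".getBytes(StandardCharsets.UTF_8);
        byte[] other = "another-constructed-key-32-bytes".getBytes(StandardCharsets.UTF_8);
        System.out.println(verify(token(TRUSTED_ISSUER, "scim-client", 60_000, key), key).flatMap(BearerJwtCheck::resolve));
        System.out.println(verify(token(TRUSTED_ISSUER, "scim-client", 60_000, other), key).flatMap(BearerJwtCheck::resolve));
        System.out.println(verify(token(TRUSTED_ISSUER, "unknown", 60_000, key), key).flatMap(BearerJwtCheck::resolve));
    }
}
```

Only the first call resolves to a user; the token signed with a different key is rejected at step 1, and the validly signed token with an unmapped subject passes step 1 but resolves to nothing at step 2.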
