In short, it is not possible to replace the engine SSO service with an out-of-the-box OAuth2 or OIDC endpoint.
We have a few custom endpoints that improve the performance of engine and also help with authz searches, which are used to assign permissions to users/groups on the engine side.

On Wed, Jul 4, 2018 at 10:12 AM, Martin Perina <mper...@redhat.com> wrote:
>
> On Wed, Jul 4, 2018 at 3:06 PM, Hari Prasanth Loganathan <hariprasanth.l@msystechnologies.com> wrote:
>
>> Hi Martin,
>>
>> Thanks for pointing to this URL.
>>
>> 1) Based on this post, I created a client id using the 'ovirt-register-sso-client-tool'
>>
>> select * from sso_clients;
>>
>> 3 | test | eyJhcnRpZmFjdCI6IkVudmVsb3BlUEJFIiwic2FsdCI6IjFuYktJa3JrWEFCc2R5NzNnNFIrc09NWitGNHI1dW5UY2s1U2t3cWlCMGs9Iiwic2VjcmV0IjoiRTVwNExDQXpxenhGSHFxdmQwNDhTNDRkN3dNMEwrZVQrYTZlK3lXR044VT0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3JpdGhtIjoiUEJLREYyV2l0aEhtYWNTSEExIn0= | http://172.30.39.176:9090/api/auth/sso | /root/ssl/ssl/certificate.pem | | oVirt Engine Client | | openid ovirt-app-portal ovirt-app-admin ovirt-app-api ovirt-ext=auth:identity ovirt-ext=token:password-access ovirt-ext=auth:sequence-priority ovirt-ext=token:login-on-behalf ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=revoke:revoke-all | t | TLS | f | t
>>
>> I will store this sso_client information in my application too.
>>
>> 2) Is it possible to use JUST this 'client_id' and 'client_secret' to communicate from my application to oVirt instead of the oVirt token?
>>
>> I mean like My_Application ---> (using client id - test) oVirt API
>
> I don't think so, the client id/secret is used only to authenticate the OIDC client to the OIDC server, and not the real client to the application using SSO. But leaving the final answer to this question to Ravi, he is our expert on OIDC. Ravi?
>
>> Thanks,
>> Hari
>>
>> On Wed, Jul 4, 2018 at 5:32 PM, Martin Perina <mper...@redhat.com> wrote:
>>
>>> On Wed, Jul 4, 2018 at 1:54 PM, Hari Prasanth Loganathan <hariprasant...@msystechnologies.com> wrote:
>>>
>>>> Okay, thanks Martin.
>>>> I already came across this blog but am curious whether there is any way to point the authentication and authorization to my HTTP URL, so that I don't need to depend on the oVirt token.
>>>
>>> There's no way to replace oVirt SSO with a different implementation, you need to use the oVirt token.
>>>
>>> But other than relying on Apache you could also configure your application as an OpenID Connect client to oVirt SSO, similarly as it's described for Kibana/Elasticsearch integration:
>>>
>>> https://www.ovirt.org/blog/2017/05/openshift-openId-integration-with-engine-sso/
>>>
>>> Then you would have only a single token for both your application and oVirt.
>>>
>>>> On Wed, Jul 4, 2018 at 5:04 PM, Martin Perina <mper...@redhat.com> wrote:
>>>>
>>>>> On Wed, Jul 4, 2018 at 12:02 PM, Hari Prasanth Loganathan <hariprasant...@msystechnologies.com> wrote:
>>>>>
>>>>>> Hi Team,
>>>>>>
>>>>>> I want oVirt to point to my Authentication / Authorization HTTP URL, so I modified the following property in /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf
>>>>>>
>>>>>> #ENGINE_SSO_AUTH_URL="https://${ENGINE_FQDN}:443/ovirt-engine/sso"
>>>>>> ENGINE_SSO_AUTH_URL="http://172.30.39.176:9090/api/auth/sso"
>>>>>>
>>>>>> #SSO_ENGINE_URL="https://${ENGINE_FQDN}:443/ovirt-engine/"
>>>>>> SSO_ENGINE_URL="http://172.30.39.176:9090/api/auth/"
>>>>>>
>>>>>> I verified in the log and found the following message:
>>>>>>
>>>>>> engine.log:2018-07-04 15:12:46,238+05 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 42) [] Value of property 'ENGINE_SSO_AUTH_URL' is 'http://172.30.39.176:9090/api/auth/sso'.
>>>>>> engine.log:2018-07-04 15:12:46,244+05 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService Thread Pool -- 42) [] Value of property 'SSO_ENGINE_URL' is 'http://172.30.39.176:9090/api/auth/'.
>>>>>>
>>>>>> But still it is not pointing to my Authentication URL. Is there any other change we need to make to point the oVirt Authentication to my HTTP URL?
>>>>>
>>>>> Hi,
>>>>>
>>>>> what exactly are you trying to achieve? To change the URL where engine is available, or to replace the existing oVirt SSO module with a custom implementation? If the latter, then this is not supported.
>>>>>
>>>>> But if you need to configure additional authentication methods, for example Kerberos SSO or CAS, you can do this using a combination of Apache with relevant modules + ovirt-engine-extension-aaa-ldap/ovirt-engine-extension-aaa-misc packages:
>>>>>
>>>>> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README
>>>>> https://github.com/oVirt/ovirt-engine-extension-aaa-misc/blob/master/README.http
>>>>> https://www.ovirt.org/blog/2016/04/sso/
>>>>>
>>>>> Regards
>>>>>
>>>>> Martin
>>>>>
>>>>>> Thanks,
>>>>>> Hari
>>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list -- users@ovirt.org
>>>>>> To unsubscribe send an email to users-le...@ovirt.org
>>>>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>>>>> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>>>>>> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/NZKOGON5PKXSE47J25X72WYCOIGOJ3NW/
>>>>>
>>>>> --
>>>>> Martin Perina
>>>>> Associate Manager, Software Engineering
>>>>> Red Hat Czech s.r.o.
>>>
>>> --
>>> Martin Perina
>>> Associate Manager, Software Engineering
>>> Red Hat Czech s.r.o.
>
> --
> Martin Perina
> Associate Manager, Software Engineering
> Red Hat Czech s.r.o.
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/JVNHPDKXRR5KY3F4HQY3GSLZ6IHEG2TC/
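The replies in this thread make two points an integrator needs to act on: an external application talks to the oVirt API with an SSO token issued for a user, not with the sso_clients client_id/client_secret (which only identify an OIDC relying party), and the row Hari pasted from sso_clients does not contain the secret itself. The Python below is an added example for this thread, not code from the oVirt project or from any of the participants. It builds the password-grant token request and the bearer API request the way the public oVirt REST API guide describes them (the endpoint path, grant parameters and the access_token/error_code/error fields follow that guide as I read it), exercises the flow against a constructed fake responder so it runs offline, and decodes the client_secret value from the pasted row to show it is a PBKDF2 envelope (salt, iteration count, algorithm, derived key) rather than the secret. The engine URL, user, password and fake responder are constructed; make_secret_envelope and verify_client_secret are my reading of how such an envelope is produced and checked and are not an engine API.

```python
"""Added example for the thread above; not code from the oVirt project.

Assumptions, labelled: TOKEN_PATH, the password-grant fields and the
access_token/error_code/error response fields follow the public oVirt REST
API guide as I read it; ENGINE, the user, the password and fake_engine_opener
are constructed so this runs offline; make_secret_envelope/verify_client_secret
are my reading of the EnvelopePBE format, not an engine API.
"""
import base64
import hashlib
import hmac
import io
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/ovirt-engine/sso/oauth/token"
API_PATH = "/ovirt-engine/api"
ENGINE = "https://engine.example"  # constructed

# client_secret column of the sso_clients row pasted in the thread; the seven
# pieces are the page's own wrapped fragments, concatenated.
STORED_FROM_THREAD = ("eyJhcnRpZmFjdCI6IkVudmVsb3BlUE"
                      "JFIiwic2FsdCI6IjFuYktJa3JrWEFCc2R5NzNnNFIrc09NWitGNHI1dW5UY2"
                      "s1U2t3cWlCMGs9Iiwic2VjcmV0"
                      "IjoiRTVwNExDQXpxenhGSHFxdmQwNDhTNDRkN3dNMEwrZVQrYTZlK3lXR044"
                      "VT0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3Jp"
                      "dGhtIjoiUEJLREYyV2l0aEh"
                      "tYWNTSEExIn0=")


class SsoError(RuntimeError):
    """The SSO server answered with an error object instead of a token."""


def build_token_request(engine_base, username, password, scope="ovirt-app-api"):
    """Password grant for a *user* token. The sso_clients client_id/secret are
    deliberately absent: they identify an OIDC relying party to the SSO
    server and never stand in for a user principal."""
    body = urllib.parse.urlencode({"grant_type": "password", "scope": scope,
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(engine_base + TOKEN_PATH, data=body, method="POST")
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def parse_token_response(raw):
    """Return the access token, or raise SsoError on an error body."""
    doc = json.loads(raw)
    if "access_token" not in doc:
        raise SsoError("%s: %s" % (doc.get("error_code", "?"), doc.get("error", "?")))
    return doc["access_token"]


def obtain_token(engine_base, username, password, opener=urllib.request.urlopen):
    """opener is injectable so the flow can be exercised without an engine."""
    with opener(build_token_request(engine_base, username, password)) as resp:
        return parse_token_response(resp.read())


def build_api_request(engine_base, token, path="/"):
    """Every API call then carries the user token as a bearer credential."""
    req = urllib.request.Request(engine_base + API_PATH + path)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Accept", "application/json")
    return req


def fake_engine_opener(req):
    """Constructed stand-in for urlopen: one valid user, SSO-style error otherwise."""
    f = urllib.parse.parse_qs(req.data.decode())
    if (req.full_url.endswith(TOKEN_PATH) and f.get("grant_type") == ["password"]
            and f.get("username") == ["admin@internal"] and f.get("password") == ["example-pw"]):
        body = {"access_token": "tok-constructed", "token_type": "bearer", "scope": f["scope"][0]}
    else:
        body = {"error_code": "access_denied", "error": "Cannot authenticate user"}
    return io.BytesIO(json.dumps(body).encode())  # gives read() and a context manager


def decode_secret_envelope(column_value):
    """base64 -> JSON. The column holds salt, iterations, algorithm and a
    derived key, not the client secret itself."""
    env = json.loads(base64.b64decode(column_value))
    if env.get("artifact") != "EnvelopePBE":
        raise ValueError("not an EnvelopePBE envelope")
    return env


def make_secret_envelope(secret, salt, iterations=4000, key_bytes=32):
    """Envelope of the same shape as the stored one (assumption: PBKDF2-HMAC-SHA1
    of the secret under the salt, with the derived key stored as "secret")."""
    dk = hashlib.pbkdf2_hmac("sha1", secret.encode(), salt, iterations, key_bytes)
    env = {"artifact": "EnvelopePBE", "salt": base64.b64encode(salt).decode(),
           "secret": base64.b64encode(dk).decode(), "version": "1",
           "iterations": str(iterations), "algorithm": "PBKDF2WithHmacSHA1"}
    return base64.b64encode(json.dumps(env).encode()).decode()


def verify_client_secret(candidate, column_value):
    """Constant-time check of a candidate secret against an envelope (assumption)."""
    env = decode_secret_envelope(column_value)
    if env["algorithm"] != "PBKDF2WithHmacSHA1":
        raise ValueError("unexpected algorithm " + env["algorithm"])
    stored = base64.b64decode(env["secret"])
    dk = hashlib.pbkdf2_hmac("sha1", candidate.encode(), base64.b64decode(env["salt"]),
                             int(env["iterations"]), len(stored))
    return hmac.compare_digest(dk, stored)
```

Against a real engine, call obtain_token(ENGINE, "admin@internal", password) with the default opener and pass the result to build_api_request; the injected fake only exists so the two paths (token issued, SSO error object) can be seen without a deployment. Decoding STORED_FROM_THREAD yields algorithm PBKDF2WithHmacSHA1, 4000 iterations and a 32-byte salt and derived key, so a copy of that row lets an application verify a secret presented to it but never present one: what Hari's application has to keep is the secret the registration produced, not this column. The ovirt-ext=token-info:* and ovirt-ext=revoke:* entries in the row's scope list are also where the non-standard extensions Ravi refers to become visible, which is what a generic OIDC provider would not offer.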