Commit 1d14f555 authored by Dominik Pilár's avatar Dominik Pilár Committed by Tomáš Sapák

Refactoring - configuration of the OIDC providers.

parent 48019d5f
......@@ -52,19 +52,17 @@ kypo_crp_oidc_providers: '{{ [kypo_crp_oidc_local_provider] }}'
# # The label that is displayed as an option for authentication.
# - label: Login with Example issuer
#
# # The URL of resource server configuration.
# # The URL of the identity provider.
# url: https://example.com:443/issuer
#
# # The ID of OIDC client.
# client_id: alpha-num-string
#
# # The ID of resource client.
# resource_client_id: alpha-num-string
# # (Optional) The claim that identifies the identity provider. This is needed only when the 'iss' claim provided in JWT is different from 'url' configured above.
# issuer_identifier: url
#
# # The secret for resource client `resource_client_id`.
# resource_client_secret: alpha-num-string
# # (Optional) The URL used to retrieve details about the user from OIDC provider. If not provided, the URL is obtained from the well-known OpenID configuration.
# user_info_url: https://graph.microsoft.com/oidc/userinfo
#-------------------------------------------------------------------------------
# Initial Users
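Review bot: The comment introduced for `issuer_identifier` calls it "the claim that identifies the identity provider", but judging by the templates in this commit it is the expected value of the token's `iss` claim, and the placeholder `issuer_identifier: url` reads as if the literal word `url` were a valid setting. Suggest `# (Optional) Expected value of the 'iss' claim in tokens issued by this provider. Set it only when that claim differs from 'url' above (e.g. a tenant-specific issuer); it has to match the claim exactly, including any trailing slash.` with an example like `issuer_identifier: https://example.com/tenant-id/v2.0`. Since `resource_client_id`/`resource_client_secret` disappear from this block, a sentence on how the services validate tokens from now on (presumably via the issuer's discovery document, so it must be reachable from the backend hosts) would spare operators a surprise.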
......@@ -23,19 +23,19 @@ kypo_crp_docker_services:
user_and_group:
restart_policy: unless-stopped
image: registry.gitlab.ics.muni.cz:443/muni-kypo-crp/kypo-crp-artifact-repository/kypo-uag-service
image_tag: 'v1.1.79'
image_tag: 'v1.1.81'
sandbox_service:
restart_policy: unless-stopped
image: registry.gitlab.ics.muni.cz:443/muni-kypo-crp/kypo-crp-artifact-repository/kypo-sandbox-service
image_tag: 'v0.11.1'
image_tag: 'v0.12.0'
training:
restart_policy: unless-stopped
image: registry.gitlab.ics.muni.cz:443/muni-kypo-crp/kypo-crp-artifact-repository/kypo-training-service
image_tag: 'v1.1.74'
image_tag: 'v1.1.75'
adaptive_training:
restart_policy: unless-stopped
image: registry.gitlab.ics.muni.cz:443/muni-kypo-crp/kypo-crp-artifact-repository/kypo-adaptive-training-service
image_tag: 'v1.0.40'
image_tag: 'v1.0.41'
smart_assistant:
restart_policy: unless-stopped
image: registry.gitlab.ics.muni.cz:443/muni-kypo-crp/kypo-crp-artifact-repository/kypo-adaptive-smart-assistant-service
......@@ -47,7 +47,7 @@ kypo_crp_docker_services:
elasticsearch_service:
restart_policy: unless-stopped
image: registry.gitlab.ics.muni.cz:443/muni-kypo-crp/kypo-crp-artifact-repository/kypo-elasticsearch-service
image_tag: '21.06'
image_tag: 'v1.0.31'
frontend:
restart_policy: unless-stopped
image: registry.gitlab.ics.muni.cz:443/muni-kypo-crp/kypo-crp-artifact-repository/kypo-frontend
......@@ -8,13 +8,6 @@ kypo_crp_java_package: openjdk-11-jre-headless
kypo_crp_java_cacerts_dest: /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts
kypo_crp_java_cacerts_pass: changeit
kypo_crp_oidc_spring_processed_lists:
issuers: '{{ kypo_crp_oidc_providers | map(attribute="url") | join(",") }}'
resource_client_ids: '{{ kypo_crp_oidc_providers | map(attribute="resource_client_id") | join(",") }}'
resource_client_secrets: '{{ kypo_crp_oidc_providers | map(attribute="resource_client_secret") | join(",") }}'
scopes: '{{ kypo_crp_oidc_scopes | join(", ") }}'
kypo_crp_oidc_django_processed_lists:
issuers: '{{ kypo_crp_oidc_providers | map(attribute="url") | map("regex_replace", "/$", "") | list }}'
kypo_crp_oidc_angular_processed_lists:
logout_uris: '{{ kypo_crp_oidc_configurations | map(attribute="end_session_endpoint") | list }}'
......@@ -18,18 +18,12 @@ elasticsearch-service.uri={{ kypo_crp_elasticsearch_service_internal_url }}
smart-assistant-service.uri={{ kypo_crp_smart_assistant_service_internal_url }}
# OpenID Connect OIDC configuration settings for a resource servers configuration
# Add configuration values for your OIDC providers. If you want to run application properly, make sure that all values are in the same order.
# First OIDC provider is used for authorization in swagger page
## OIDC issuers, e.g. MUNI OIDC and another proprietary OIDC authorization server, e.g., https://oidc.muni.cz/oidc/, https://kypo-oidc-idp.cz/oidc/
kypo.idp.4oauth.issuers={{ kypo_crp_oidc_spring_processed_lists.issuers }}
## the identification of a resource service using client IDs
kypo.idp.4oauth.resource.clientIds={{ kypo_crp_oidc_spring_processed_lists.resource_client_ids }}
## the identification of a resource service using client secrets
kypo.idp.4oauth.resource.clientSecrets={{ kypo_crp_oidc_spring_processed_lists.resource_client_secrets }}
# OpenID Connection MUNI OIDC configuration settings for a client configuration
## the scopes that authorization servers will provide for a given user, e.g., openid, profile, email
kypo.idp.4oauth.scopes={{ kypo_crp_oidc_spring_processed_lists.scopes }}
# Add configuration values for your OIDC providers. If you want to run the application properly, make sure that all values have a proper index.
## OIDC issuers, e.g. MUNI OIDC and another proprietary OIDC authorization server
{% for oidc_provider in kypo_crp_oidc_providers %}
kypo.identity.providers[{{ loop.index - 1 }}].issuer={{ oidc_provider.issuer_identifier | default(oidc_provider.url) }}
kypo.identity.providers[{{ loop.index - 1 }}].userInfoEndpoint={{ oidc_provider.user_info_url | default('') }}
{% endfor %}
# DATASOURCE (DataSourceAutoConfiguration & DataSourceProperties)
spring.datasource.url=jdbc:postgresql://localhost:5432/kypo-adaptive-training
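Review bot: `userInfoEndpoint` is rendered as `kypo.identity.providers[N].userInfoEndpoint=` with an empty value whenever `user_info_url` is unset; the defaults file says an absent URL falls back to the discovery document, but here "absent" arrives as an empty string, so confirm the service treats `""` the same way rather than trying to call an empty URL. Emitting the line only when a value exists sidesteps the question: `{% if oidc_provider.user_info_url is defined %}kypo.identity.providers[{{ loop.index0 }}].userInfoEndpoint={{ oidc_provider.user_info_url }}{% endif %}`, and `loop.index0` is the idiomatic form of `loop.index - 1`. Note also that the smart-assistant template in this commit only deletes the old `kypo.idp.4oauth.*` block without adding this loop, so if that service is still a resource server it will start with no issuer configured; worth checking against the smart-assistant service.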
......@@ -84,7 +84,10 @@
"logoutUrl": "{{ kypo_crp_oidc_provider[1] }}",
"postLogoutRedirectUri": "{{ kypo_crp_oidc_post_logout_url }}",
"silentRefreshRedirectUri": "{{ kypo_crp_oidc_silent_refresh_redirect_url }}",
"clearHashAfterLogin": true
"clearHashAfterLogin": true,
"strictDiscoveryDocumentValidation": false,
"skipIssuerCheck": true,
"oidc": true
}
}{{ "," if not loop.last else "" }}
{% endfor -%}
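Review bot: `skipIssuerCheck: true` and `strictDiscoveryDocumentValidation: false` are added inside the provider loop, so every configured provider gets them; in angular-oauth2-oidc, whose option names these are, that disables the check that the ID token's `iss` (and the discovery document's `issuer`) equals the configured issuer and the check that discovery endpoints sit under the issuer URL. With several identity providers configured, as this template allows, those two checks are the client's protection against one provider's responses being accepted as another's, so relaxing them for all providers is a larger security change than the commit message conveys. Presumably one provider needs it (the `graph.microsoft.com` user-info example in the defaults suggests Azure AD, whose endpoints live on other hosts); if so, make both per-provider with strict defaults, e.g. `"strictDiscoveryDocumentValidation": {{ provider.strict_discovery | default(true) | to_json }},` and `"skipIssuerCheck": {{ provider.skip_issuer_check | default(false) | to_json }},` — the exact loop variable depends on the `{% for %}` header, which lies outside this hunk. A comment in the defaults file stating why a provider needs the relaxed checks would also help.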
......@@ -9,18 +9,12 @@ microservice.name=kypo-elasticsearch-service
cors.allowed.origins={{ kypo_crp_url }}
# OpenID Connect OIDC configuration settings for a resource servers configuration
# Add configuration values for your OIDC providers. If you want to run application properly, make sure that all values are in the same order.
# First OIDC provider is used for authorization in swagger page
## OIDC issuers, e.g. MUNI OIDC and another proprietary OIDC authorization server, e.g., https://oidc.muni.cz/oidc/, https://kypo-oidc-idp.cz/oidc/
kypo.idp.4oauth.issuers={{ kypo_crp_oidc_spring_processed_lists.issuers }}
## the identification of a resource service using client IDs
kypo.idp.4oauth.resource.clientIds={{ kypo_crp_oidc_spring_processed_lists.resource_client_ids }}
## the identification of a resource service using client secrets
kypo.idp.4oauth.resource.clientSecrets={{ kypo_crp_oidc_spring_processed_lists.resource_client_secrets }}
# OpenID Connection MUNI OIDC configuration settings for a client configuration
## the scopes that authorization servers will provide for a given user, e.g., openid, profile, email
kypo.idp.4oauth.scopes={{ kypo_crp_oidc_spring_processed_lists.scopes }}
# Add configuration values for your OIDC providers. If you want to run the application properly, make sure that all values have a proper index.
## OIDC issuers, e.g. MUNI OIDC and another proprietary OIDC authorization server
{% for oidc_provider in kypo_crp_oidc_providers %}
kypo.identity.providers[{{ loop.index - 1 }}].issuer={{ oidc_provider.issuer_identifier | default(oidc_provider.url) }}
kypo.identity.providers[{{ loop.index - 1 }}].userInfoEndpoint={{ oidc_provider.user_info_url | default('') }}
{% endfor %}
# spring-cloud
spring.cloud.refresh.enabled = false
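Review bot: The issuer value is written out exactly as configured, whereas the sandbox-service template in this commit strips a trailing slash from the same `issuer_identifier | default(url)` value, so the Spring services and the Django service can end up with two different issuer strings for one provider. If the services compare this against the JWT `iss` claim the comparison is byte-exact, and if they use it to build the `.well-known/openid-configuration` URL the slash matters too, so pick one normalisation for all templates; the safest is to apply none anywhere and document in the defaults that the value must be copied verbatim from the provider's discovery document. `loop.index0` is also the idiomatic replacement for `loop.index - 1`.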
......@@ -23,7 +23,12 @@ authentication:
authenticated_rest_api: True
# List of OIDC provider host/domain names that are allowed.
allowed_oidc_providers: {{ kypo_crp_oidc_django_processed_lists.issuers }}
allowed_oidc_providers:
{% for oidc_provider in kypo_crp_oidc_providers %}
- issuer: {{ oidc_provider.issuer_identifier | default(oidc_provider.url) | regex_replace("/$", "") }}
userinfo_endpoint: {{ oidc_provider.user_info_url | default('') }}
{% endfor %}
# User and Group roles registration endpoint URL.
roles_registration_url: "{{ kypo_crp_uag_service_internal_registration_url }}"
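Review bot: Both templated scalars are unquoted: when `user_info_url` is unset the line renders as `userinfo_endpoint: ` with nothing after the colon, which YAML loads as `null` rather than the empty string `default('')` implies, and an issuer containing ` #` or `: ` would be cut or mis-parsed. Quote both, `- issuer: "{{ oidc_provider.issuer_identifier | default(oidc_provider.url) | regex_replace('/$', '') }}"` and `userinfo_endpoint: "{{ oidc_provider.user_info_url | default('') }}"`, or drop the key entirely when unset if the service distinguishes the two cases. The context comment `# List of OIDC provider host/domain names that are allowed.` no longer matches the new mapping entries; `# Accepted OIDC providers: issuer (must equal the token 'iss' claim) plus an optional userinfo endpoint.` would. The trailing-slash strip here also differs from the Spring templates, which pass the value through unchanged, so the two should be aligned.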
......@@ -15,20 +15,6 @@ openstack-server.uri={{ kypo_crp_sandbox_service_internal_url }}
# calling kypo-elasticsearch-service, e.g., http://elastic-service:8085/kypo-elastic/api/v1
elasticsearch-service.uri={{ kypo_crp_elasticsearch_service_internal_url }}
# OpenID Connect OIDC configuration settings for a resource servers configuration
# Add configuration values for your OIDC providers. If you want to run application properly, make sure that all values are in the same order.
# First OIDC provider is used for authorization in swagger page
## OIDC issuers, e.g. MUNI OIDC and another proprietary OIDC authorization server, e.g., https://oidc.muni.cz/oidc/, https://kypo-oidc-idp.cz/oidc/
kypo.idp.4oauth.issuers={{ kypo_crp_oidc_spring_processed_lists.issuers }}
## the identification of a resource service using client IDs
kypo.idp.4oauth.resource.clientIds={{ kypo_crp_oidc_spring_processed_lists.resource_client_ids }}
## the identification of a resource service using client secrets
kypo.idp.4oauth.resource.clientSecrets={{ kypo_crp_oidc_spring_processed_lists.resource_client_secrets }}
# OpenID Connection MUNI OIDC configuration settings for a client configuration
## the scopes that authorization servers will provide for a given user, e.g., openid, profile, email
kypo.idp.4oauth.scopes={{ kypo_crp_oidc_spring_processed_lists.scopes }}
# DATASOURCE (DataSourceAutoConfiguration & DataSourceProperties)
spring.datasource.url=jdbc:postgresql://localhost:5432/kypo-adaptive-smart-assistant
spring.datasource.username=postgres
......@@ -18,18 +18,12 @@ elasticsearch-service.uri={{ kypo_crp_elasticsearch_service_internal_url }}
answers-storage.uri={{ kypo_crp_answers_storage_service_internal_url }}
# OpenID Connect OIDC configuration settings for a resource servers configuration
# Add configuration values for your OIDC providers. If you want to run application properly, make sure that all values are in the same order.
# First OIDC provider is used for authorization in swagger page
## OIDC issuers, e.g. MUNI OIDC and another proprietary OIDC authorization server, e.g., https://oidc.muni.cz/oidc/, https://kypo-oidc-idp.cz/oidc/
kypo.idp.4oauth.issuers={{ kypo_crp_oidc_spring_processed_lists.issuers }}
## the identification of a resource service using client IDs
kypo.idp.4oauth.resource.clientIds={{ kypo_crp_oidc_spring_processed_lists.resource_client_ids }}
## the identification of a resource service using client secrets
kypo.idp.4oauth.resource.clientSecrets={{ kypo_crp_oidc_spring_processed_lists.resource_client_secrets }}
# OpenID Connection MUNI OIDC configuration settings for a client configuration
## the scopes that authorization servers will provide for a given user, e.g., openid, profile, email
kypo.idp.4oauth.scopes={{ kypo_crp_oidc_spring_processed_lists.scopes }}
# Add configuration values for your OIDC providers. If you want to run the application properly, make sure that all values have a proper index.
## OIDC issuers, e.g. MUNI OIDC and another proprietary OIDC authorization server
{% for oidc_provider in kypo_crp_oidc_providers %}
kypo.identity.providers[{{ loop.index - 1 }}].issuer= {{ oidc_provider.issuer_identifier | default(oidc_provider.url) }}
kypo.identity.providers[{{ loop.index - 1 }}].userInfoEndpoint={{ oidc_provider.user_info_url | default('') }}
{% endfor %}
# DATASOURCE (DataSourceAutoConfiguration & DataSourceProperties)
spring.datasource.url=jdbc:postgresql://localhost:5432/training
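Review bot: `kypo.identity.providers[...].issuer= {{ ... }}` has a space after `=` that the three sibling templates in this commit do not have; `java.util.Properties` drops leading whitespace from a value, so this is most likely harmless, but it should still read `kypo.identity.providers[{{ loop.index0 }}].issuer={{ oidc_provider.issuer_identifier | default(oidc_provider.url) }}` so the four files stay byte-for-byte alike and grep-able. `loop.index0` replaces `loop.index - 1` there as well. The `scopes` property is removed together with the resource-client settings; if the service still needs scopes for anything (e.g. the Swagger login the removed comment mentioned), nothing in this hunk replaces them, so that is worth confirming.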
......@@ -9,18 +9,12 @@ service.name=kypo-user-and-group
cors.allowed.origins={{ kypo_crp_url }}
# OpenID Connect OIDC configuration settings for a resource servers configuration
# Add configuration values for your OIDC providers. If you want to run application properly, make sure that all values are in the same order.
# First OIDC provider is used for authorization in swagger page
## OIDC issuers, e.g. MUNI OIDC and another proprietary OIDC authorization server, e.g., https://oidc.muni.cz/oidc/, https://kypo-oidc-idp.cz/oidc/
kypo.idp.4oauth.issuers={{ kypo_crp_oidc_spring_processed_lists.issuers }}
## the identification of a resource service using client IDs
kypo.idp.4oauth.resource.clientIds={{ kypo_crp_oidc_spring_processed_lists.resource_client_ids }}
## the identification of a resource service using client secrets
kypo.idp.4oauth.resource.clientSecrets={{ kypo_crp_oidc_spring_processed_lists.resource_client_secrets }}
# OpenID Connection MUNI OIDC configuration settings for a client configuration
## the scopes that authorization servers will provide for a given user, e.g., openid, profile, email
kypo.idp.4oauth.scopes={{ kypo_crp_oidc_spring_processed_lists.scopes }}
# Add configuration values for your OIDC providers. If you want to run the application properly, make sure that all values have a proper index.
## OIDC issuers, e.g. MUNI OIDC and another proprietary OIDC authorization server
{% for oidc_provider in kypo_crp_oidc_providers %}
kypo.identity.providers[{{ loop.index - 1 }}].issuer={{ oidc_provider.issuer_identifier | default(oidc_provider.url) }}
kypo.identity.providers[{{ loop.index - 1 }}].userInfoEndpoint={{ oidc_provider.user_info_url | default('') }}
{% endfor %}
# DATASOURCE (DataSourceAutoConfiguration & DataSourceProperties)
spring.datasource.url=jdbc:postgresql://localhost:5432/user-and-group
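Review bot: The new header comment, `make sure that all values have a proper index`, tells the operator to check an index that the loop generates for them and says nothing about what each property means, while the removed line about the first provider being used for the Swagger page is not carried over, so a reader cannot tell whether provider order still matters. Suggest `# One kypo.identity.providers[N] entry per item of kypo_crp_oidc_providers, generated in list order. issuer must match the 'iss' claim of the provider's tokens; userInfoEndpoint may be left empty to use the provider's discovery document (see the defaults file).` and, if the first entry is still special for Swagger, keep that sentence. Without such a comment, the empty `userInfoEndpoint=` line produced for providers with no `user_info_url` looks like a rendering bug.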