Installation

Compatibility

Prerequisites

• The authn_oidc distribution: authn_oidc-1.0.0-distro.zip
• A suitable deployed container (here assumed to be Glassfish/Payara) to support a web application. Testing has been carried out with payara41. Glassfish/Payara installation instructions are available.
• Python (version 2.4 to 2.7) installed on the server.

Summary of steps

1. Please follow the generic installation instructions
2. Check that it works.

The setup.properties file

container

Values must be chosen from: TargetServer Though only Glassfish is working properly at the moment.

home

is the top level of the container installation. For Glassfish it must contain "glassfish/domains" and for JBoss (wildfly) it must contain jboss-modules.jar.

port

is the administration port of the container which is typically 4848 for Glassfish and 9990 for JBoss.

secure

must be set to true or false. If true then only https and not http connections will be allowed.

The logback.xml file

If you wish to modify the provided logging levels then rename logback.xml.example to logback.xml and edit it to suit your needs.

The run.properties file

wellKnownUrl

The well-known OpenID configuration URL of the token issuer. It is expected to specify a jwks_uri. Only tokens that can be validated using a key from the jwks_uri will be accepted by authn.oidc.

In the case of Keycloak, it should look like this:
https://example.org/auth/realms/example/.well-known/openid-configuration

tokenIssuer

The name or URL of the token issuer. This must exactly match the 'iss' claim encoded within the token and the 'issuer' attribute found at the wellKnownUrl.

In the case of Keycloak, it should look like this:
https://example.org/auth/realms/example

icatUserClaim

The claim encoded within the token that shall be used as the ICAT username.

icatUserClaimException

By default, if no icatUserClaim is present in the token, authn.oidc falls back to using the 'sub' claim. If you would prefer an AuthnException to be thrown in this case, set this property to 'true'.

ip

If access to the OIDC authentication should only be allowed from certain IP addresses then provide a space separated list of allowed values. These take the form of an IPV4 or IPV6 address followed by the number of bits (starting from the most significant) to consider.

mechanism

If specified is a label to appear before the username as it is made available to ICAT for authorization. By default, this only affects usernames obtained from the 'sub' claim. For usernames from the icatUserClaim, authn.oidc tries to extract the mechanism from the username itself.

For example, let's assume this is set to 'oidc'. If a token contains the icatUserClaim 'db/fred', then the username would be provided to ICAT as 'db/fred'. But if a token only contains the 'sub' claim '37715', then the username would be provided to ICAT as 'oidc/37715'.

icatUserPrependMechanism

Set this property to 'true' if you also want to prepend usernames from the icatUserClaim with the mechanism label. This only makes sense if the usernames encoded within the tokens don't already include a mechanism.

For example, let's assume this is set to 'true' and the mechanism is set to 'oidc'. If a token contains the icatUserClaim 'fred', then the username would be provided to ICAT as 'oidc/fred'. But if a token contains the icatUserClaim 'db/fred', then the username would be provided to ICAT as 'oidc/db/fred'.

Check that authn.oidc works

A simple standalone test is to run:

curl -k https://localhost:8181/authn.oidc/description -w "\n" which returns a description,
curl -k https://localhost:8181/authn.oidc/version -w "\n" which returns the version,
curl -k https://localhost:8181/authn.oidc/jwkupdate -X POST which triggers an update of the JWK configuration, and
curl -k https://localhost:8181/authn.oidc/authenticate -w "\n" -d 'json={"credentials":[{"token":"<token>"}]}' to authenticate.