ModelOp Center adheres to the Spring Security architecture for OAuth2 applications.
...
ModelOp Center supports the following ServerHttpSecurity configurations:

OAuth2Login (C2B):
    Mainly used by the Gateway, handling browser authentication.
ResourceServer:
    Jwt:
        Local token validation performed with JWKs.
    Opaque:
        Token validation performed by introspection, through token introspection resolvers (in case more than one token introspection endpoint is defined).
    Opaque-QueryParam.
...
In secured environments, microservice-to-microservice (B2B) communication is token protected. This is managed internally by Feign clients, which use an OAuth2 FeignInterceptor implementation responsible for requesting and refreshing tokens and adding them as headers to each request.
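As an added illustration of that interceptor pattern (this is example code, not ModelOp's own FeignInterceptor, whose source is not shown on this page), the following Feign RequestInterceptor delegates token acquisition and refresh to Spring Security's OAuth2AuthorizedClientManager. The registration id `mocService`, the principal name `feign-client` and the bean wiring are assumptions; the Spring Security and OpenFeign APIs used are the standard ones.

```java
import feign.RequestInterceptor;
import feign.RequestTemplate;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

/**
 * Example interceptor (not ModelOp's implementation): attaches a service access
 * token to every outgoing Feign request. Acquiring and refreshing the token is
 * delegated to OAuth2AuthorizedClientManager, which caches the token per client
 * registration and runs the client_credentials grant again once it has expired.
 */
public class OAuth2FeignRequestInterceptor implements RequestInterceptor {

    private final OAuth2AuthorizedClientManager clientManager;
    // Must match a spring.security.oauth2.client.registration.<id> entry (assumed id below).
    private final String clientRegistrationId;

    public OAuth2FeignRequestInterceptor(OAuth2AuthorizedClientManager clientManager,
                                         String clientRegistrationId) {
        this.clientManager = clientManager;
        this.clientRegistrationId = clientRegistrationId;
    }

    @Override
    public void apply(RequestTemplate template) {
        // Drop any Authorization header a caller may have set: the downstream
        // service must only ever see this service's own token, never a forwarded one.
        template.removeHeader("Authorization");

        OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest
                .withClientRegistrationId(clientRegistrationId)
                .principal("feign-client") // a service principal name, not a user (assumed)
                .build();
        OAuth2AuthorizedClient client = clientManager.authorize(authorizeRequest);
        if (client == null || client.getAccessToken() == null) {
            // Fail closed rather than sending an unauthenticated request downstream.
            throw new IllegalStateException(
                    "No access token available for registration " + clientRegistrationId);
        }
        template.header("Authorization", "Bearer " + client.getAccessToken().getTokenValue());
    }
}

/** Wiring: client_credentials only, since no user is present in B2B calls. */
@Configuration
class FeignOAuth2Config {

    @Bean
    OAuth2AuthorizedClientManager feignClientManager(ClientRegistrationRepository registrations,
                                                     OAuth2AuthorizedClientService clientService) {
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clientService);
        // The client_credentials provider re-requests a token when the cached one has expired.
        manager.setAuthorizedClientProvider(
                OAuth2AuthorizedClientProviderBuilder.builder().clientCredentials().build());
        return manager;
    }

    @Bean
    RequestInterceptor oauth2FeignInterceptor(OAuth2AuthorizedClientManager feignClientManager) {
        return new OAuth2FeignRequestInterceptor(feignClientManager, "mocService"); // assumed registration id
    }
}
```

Because the interceptor is registered as a bean, Spring Cloud OpenFeign applies it to every Feign client in the application; if only some clients should carry the service token, register it in a per-client Feign configuration class instead.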
...
Defining a microservice as a Resource Server (RS):
    Identify the type of tokens to be supported.
    Define profiles accordingly.
    Add the required YAML configuration.
Currently, three types of resource servers are supported:
...
spring:
  profile: secured, opaque
  # OAuth2 Resource Server PF configuration
  security:
    oauth2:
      resourceserver:
        opaque-token:
          # Default opaque introspector
          introspection-uri: ${modelop.mm.introspection-uri}
          client-id: ${modelop.mm.client-id}
          client-secret: ${modelop.mm.client-secret}
          default-client-registration-id: springClientRegistrationId

Info: default-client-registration-id needs to point to a valid Spring client registration id.
...
oauth2: # Values for Resource Servers.
  resource-server:
    # opaque-queryparam covers a specific client's need to support 2 OAuth2 providers at the same time...
    opaque-queryparam:
      queryparam: otoken
      introspection-uri: https://authorization.server/rs/validate/AppIdClaim
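To show what the opaque-queryparam configuration has to do at the Spring Security level, here is an added example (not ModelOp's code) of a reactive ServerHttpSecurity filter chain whose bearer-token converter reads the Authorization header first and falls back to the configured query parameter, then validates the opaque token by introspection. The `@Value` property names mirror the YAML above; the introspection client id and secret are not on the page and are placeholders, the `/reports/**` path is assumed, and Spring Security 6 package names are assumed.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.web.server.authentication.ServerBearerTokenAuthenticationConverter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * Example converter (not ModelOp's code): resolves the bearer token from the
 * Authorization header and, only if that header is absent, from a configured
 * query parameter such as "otoken". Query-string tokens end up in access logs
 * and browser history, so the chain below is scoped to the one path that needs it.
 */
public class QueryParamBearerTokenConverter implements ServerAuthenticationConverter {

    private final ServerBearerTokenAuthenticationConverter headerConverter =
            new ServerBearerTokenAuthenticationConverter();
    private final String queryParam;

    public QueryParamBearerTokenConverter(String queryParam) {
        this.queryParam = queryParam;
    }

    @Override
    public Mono<Authentication> convert(ServerWebExchange exchange) {
        // The header converter completes empty when no Authorization header is present
        // and errors on a malformed one; both behaviours are kept, the fallback only
        // runs for the "no header at all" case.
        return headerConverter.convert(exchange)
                .switchIfEmpty(Mono.defer(() -> fromQueryString(exchange)));
    }

    private Mono<Authentication> fromQueryString(ServerWebExchange exchange) {
        String token = exchange.getRequest().getQueryParams().getFirst(queryParam);
        if (token == null || token.isBlank()) {
            // No credential at all: the exchange stays unauthenticated and is rejected
            // by the authorizeExchange rule, with a 401 rather than a 500.
            return Mono.empty();
        }
        return Mono.just(new BearerTokenAuthenticationToken(token));
    }
}

@Configuration
class OpaqueQueryParamSecurityConfig {

    @Bean
    SecurityWebFilterChain opaqueQueryParamChain(
            ServerHttpSecurity http,
            @Value("${oauth2.resource-server.opaque-queryparam.queryparam}") String queryParam,
            @Value("${oauth2.resource-server.opaque-queryparam.introspection-uri}") String introspectionUri,
            // Placeholders: the page does not show the introspection client credentials.
            @Value("${oauth2.resource-server.opaque-queryparam.client-id:PLACEHOLDER_CLIENT_ID}") String clientId,
            @Value("${oauth2.resource-server.opaque-queryparam.client-secret:PLACEHOLDER_CLIENT_SECRET}") String clientSecret) {
        http
            // Only this path accepts query-string tokens; every other chain keeps
            // header-only resolution (assumed path).
            .securityMatcher(ServerWebExchangeMatchers.pathMatchers("/reports/**"))
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .oauth2ResourceServer(resourceServer -> resourceServer
                .bearerTokenConverter(new QueryParamBearerTokenConverter(queryParam))
                // Opaque token: every request is validated against the introspection endpoint.
                .opaqueToken(opaque -> opaque
                    .introspectionUri(introspectionUri)
                    .introspectionClientCredentials(clientId, clientSecret)));
        return http.build();
    }
}
```

Give this bean a lower `@Order` than the application's default chain so that the securityMatcher is evaluated first; otherwise the default header-only chain claims the request and the query parameter is never consulted.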
...
Token Claims to User Attributes Mapping
By default, ModelOp Center maps each user attribute to its corresponding standard claim. The standard claims used by ModelOp Center are defined in the OpenID Connect specification as a set of OpenID Connect Standard Claims. For the complete list of standard claims, please refer to section 5.1 Standard Claims of the OpenID Connect specification.
ModelOp Center’s default use of the standard claims can be adjusted to use other claims by adding configuration properties. For example, the standard claim for a user’s given name is given_name. However, if that particular claim is not available, one could use the username claim instead (assuming that claim is available) by adding the following configuration properties:
oauth2:
  resource-server:
    base-conf:
      claim-names:
        givenName: username
Please note that the configuration above overrides one claim name only; multiple or all claim names can be overridden if necessary.
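The following added example (not ModelOp's code) shows how such a claim-names override can be bound and applied: a properties class bound to the `oauth2.resource-server.base-conf` prefix from the YAML above, plus a resolver that reads each user attribute from the overridden claim if one is configured and from the OpenID Connect standard claim otherwise. The attribute names (`givenName`, `familyName`, ...) and the sample token claims are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.boot.context.properties.ConfigurationProperties;

/**
 * Example (not ModelOp's code): binds "claim-names" under the prefix shown in the
 * YAML and resolves user attributes from token claims, honouring any override.
 */
@ConfigurationProperties(prefix = "oauth2.resource-server.base-conf")
public class ClaimNamesProperties {

    /** attribute name -> claim to read it from; bound from claim-names in YAML. */
    private Map<String, String> claimNames = new LinkedHashMap<>();

    public Map<String, String> getClaimNames() { return claimNames; }
    public void setClaimNames(Map<String, String> claimNames) { this.claimNames = claimNames; }

    /** Defaults taken from OpenID Connect Core section 5.1 (Standard Claims); attribute names assumed. */
    static final Map<String, String> STANDARD_CLAIMS = Map.of(
            "subject", "sub",
            "name", "name",
            "givenName", "given_name",
            "familyName", "family_name",
            "preferredUsername", "preferred_username",
            "email", "email");

    /** Resolves each user attribute from the overridden claim if configured, else the standard claim. */
    public Map<String, Object> toUserAttributes(Map<String, Object> tokenClaims) {
        Map<String, Object> attributes = new LinkedHashMap<>();
        for (Map.Entry<String, String> entry : STANDARD_CLAIMS.entrySet()) {
            String attribute = entry.getKey();
            String claim = claimNames.getOrDefault(attribute, entry.getValue());
            Object value = tokenClaims.get(claim);
            // A missing claim yields no attribute at all rather than null or "",
            // so downstream code cannot mistake "unknown" for a real value.
            if (value != null) {
                attributes.put(attribute, value);
            }
        }
        return attributes;
    }

    public static void main(String[] args) {
        // Constructed sample token: carries "username" but no "given_name".
        Map<String, Object> claims = Map.of(
                "sub", "7d3f1a",
                "username", "jdoe",
                "email", "jdoe@example.com");

        ClaimNamesProperties defaults = new ClaimNamesProperties();
        // With the standard mapping, givenName is absent because given_name is not in the token.
        System.out.println("defaults:   " + defaults.toUserAttributes(claims));

        ClaimNamesProperties overridden = new ClaimNamesProperties();
        overridden.getClaimNames().put("givenName", "username"); // same effect as the YAML above
        // With the override, givenName is populated from the username claim.
        System.out.println("overridden: " + overridden.toUserAttributes(claims));
    }
}
```

In a Spring Boot application the class is activated with `@EnableConfigurationProperties(ClaimNamesProperties.class)` or `@ConfigurationPropertiesScan`; Boot's relaxed binding keeps map keys such as `givenName` exactly as written in the YAML, which is why the lookup in `toUserAttributes` uses the camelCase attribute name.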