Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

ModelOp Center , adheres to the Spring Security Architecture for OAuth2 applications.

...

ModelOp Center supports ServerHttpSecurity configurations as:

  • OAuth2Login (C2B):

    • Mainly used by the Gateway, handling browser authentication.

  • ResourceServer:

    • Jwt:

      • Token local validations performed by JWKs.

    • Opaque:

      • Token validations performed by introspection; through token introspection resolvers ( in case more than one token introspection defined ).

      • Opaque-QueryParam.

...

In secured environments, microservice to microservice communication or B2B communication is token protected. This process is internally managed by feign clients. Feign clients uses an OAuth2 FeignInterceptor implementation in charge of requesting/refreshing tokens and adding them as headers as part of each request.

...

Defining a MicroService as Resource Server (RS):

  1. Identify the type of tokens to be supported

  2. Define profiles accordingly

  3. Add required YAML configurations.

Currently, three types of resource servers are supported:

...

Code Block
languageyaml
spring:
  profile: secured, opaque

  # Oauth2 Resource server PF Configuration
  security:
    oauth2:
      resourceserver:
        opaque-token:
          #Default opaque introspector
          introspection-uri: ${modelop.mm.introspection-uri}
          client-id: ${modelop.mm.client-id}
          client-secret: ${modelop.mm.client-secret}
          default-client-registration-id: springClientRegistrationId 
Info

default- client-registration-id needs to point to a valid spring client registration id.

...

Code Block
languageyaml
oauth2:
  # Values for Resource Servers.
  resource-server:
  
    # Specifically opaque-queryparam is for a specific client needs that supports 2 OAuth2 providers at the same time...
    opaque-queryparam:
      queryparam: otoken
      introspection-uri: https://authorization.server/rs/validate/AppIdClaim

...

Token Claims to User Attributes Mapping

By default, ModelOp Center maps each user attribute to its corresponding standard claim. The standard claims used by ModelOp Center are defined in the OpenID Connect specification as a set of OpenID Connect Standard Claims. For the complete list of standard claims, please refer to section 5.1 Standard Claims of the OpenID Connect specification.

ModelOp Center’s default use of the standard claims can be adjusted to use other claims by adding configuration properties. For example, the standard claim for a user’s given name is given_name. However, if that particular claim is not available, one could use the username claim instead (assuming the claim is available) by adding the following configuration properties:

Code Block
languageyaml
oauth2:
  resource-server:
    base-conf:
      claim-names:
        givenName: username

Please note that the configuration above is overriding one claim name only, but multiple or all claim names can be overridden, if necessary.