Discovering OAuth2 configuration for external integrations

ModelOp Center has a mechanism that allows external integrations to retrieve their OAuth2 configuration dynamically.

This mechanism is available at http(s)://MODELOP_CENTER_HOST/api/oauth2/.well-known-configuration. This endpoint is used by all ModelOp OAuth2 integrations to retrieve generic and client-specific information such as the authorization URI, client id, response type, scopes, and redirect URI.

Sample global response:

```json
{
  "name": "modelop",
  "issuerUri": "https://authorization.server",
  "authorizationUri": "https://authorization.server/as/authorization.oauth2",
  "tokenUri": "https://authorization.server/as/token.oauth2",
  "userInfoUri": "https://authorization.server/idp/userinfo.openid",
  "userNameAttribute": "sub",
  "jwkSetUri": "https://authorization.server/pf/JWKS",
  "introspectionUri": null
}
```

Use case example: retrieving the OAuth2 configuration for the Jupyter integration.

Execute a GET request to /api/oauth2/.well-known-configuration to obtain the global configuration shown above. If a given external integration needs to fetch its own custom configuration, it can append its OAuth2 client id to the same path; this returns any existing configuration related to that clientId.

Sample request for Jupyter:

GET http(s)://MODELOP_CENTER_HOST/api/oauth2/.well-known-configuration/jupyter, where jupyter is the OAuth2 client id.

If a configuration exists for that client id, a response similar to the following is returned:

```json
{
  "clientId": "jupyter",
  "scopes": [
    "openid",
    "profile",
    "email"
  ],
  "redirectUri": "http://modelop.center/jupyter.html",
  "responseType": "token",
  "oAuth2Provider": {
    "name": "modelop",
    "issuerUri": "https://authorization.server",
    "authorizationUri": "https://authorization.server/as/authorization.oauth2",
    "tokenUri": "https://authorization.server/as/token.oauth2",
    "userInfoUri": "https://authorization.server/idp/userinfo.openid",
    "userNameAttribute": "sub",
    "jwkSetUri": "https://authorization.server/pf/JWKS",
    "introspectionUri": null
  }
}
```
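As an added example (not ModelOp's code), the following shows how an integration can consume the client-specific response above: it sanity-checks the discovered values before trusting them (https endpoints on the issuer's host, an https redirect URI, the authorization-code flow, the openid scope) and then assembles the authorization request from them. The embedded response is a constructed copy of the sample; the host names are placeholders and the checks are this example's own, not requirements stated by ModelOp Center.

```python
# Added example (not ModelOp code): audit the discovered client config and build the authorization request.
import json
from urllib.parse import urlencode, urlsplit

# Constructed sample, modelled on the page's /jupyter response (hosts are placeholders).
SAMPLE_RESPONSE = """{
  "clientId": "jupyter",
  "scopes": ["openid", "profile", "email"],
  "redirectUri": "http://modelop.center/jupyter.html",
  "responseType": "token",
  "oAuth2Provider": {
    "issuerUri": "https://authorization.server",
    "authorizationUri": "https://authorization.server/as/authorization.oauth2",
    "tokenUri": "https://authorization.server/as/token.oauth2",
    "jwkSetUri": "https://authorization.server/pf/JWKS"
  }
}"""


def audit_client_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    provider = cfg.get("oAuth2Provider") or {}
    issuer_host = urlsplit(provider.get("issuerUri", "")).netloc
    for key in ("authorizationUri", "tokenUri", "jwkSetUri"):
        parts = urlsplit(provider.get(key) or "")
        if parts.scheme != "https":
            findings.append(f"{key} missing or not https")
        elif parts.netloc != issuer_host:  # endpoints should live on the issuer's host
            findings.append(f"{key} host differs from issuerUri host")
    if urlsplit(cfg.get("redirectUri", "")).scheme != "https":
        findings.append("redirectUri is not https")
    if cfg.get("responseType") != "code":  # anything else is not the authorization-code flow
        findings.append(f"responseType {cfg.get('responseType')!r} is not 'code'")
    if "openid" not in cfg.get("scopes", []):
        findings.append("scopes do not include openid")
    return findings


def build_authorization_url(cfg: dict, state: str, nonce: str) -> str:
    """Assemble the front-channel authorization request from the discovered values."""
    params = {
        "response_type": cfg["responseType"],
        "client_id": cfg["clientId"],
        "redirect_uri": cfg["redirectUri"],
        "scope": " ".join(cfg["scopes"]),
        "state": state,  # caller-generated, single-use values bound to the user's session
        "nonce": nonce,
    }
    return f"{cfg['oAuth2Provider']['authorizationUri']}?{urlencode(params)}"
```

Run against the sample, the audit reports the http redirect URI and the non-code response type; the integration should refuse to proceed while findings remain.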


Additional security considerations

General rules

  • Groups contained in the group claim are added as GrantedAuthorities with the GROUP_ prefix (GROUP_<group name>).

  • System clients receive the special ROLE_SYSTEM authority.

  • Admin members receive ROLE_ADMIN for easier identification.


External Jupyter Notebook
