ModelOp uses the following security architecture:
Technical implementation details:
Main points of entry:
OAuth2Login
ResourceServer
The ResourceServer implementation supports JWT and opaque tokens independently of each other.
JWT:
Tokens are validated locally against the issuer's JWK Set (JWKs).
Opaque:
Tokens are validated by calling the introspection endpoint; a token introspection resolver selects which introspector to use when more than one is defined.
How to define a microservice as a Resource Server (RS):
Identify the type of tokens to be supported.
Define the profiles accordingly.
Add the required YAML configuration.
Currently, three types of resource servers are supported:
JWT
Opaque Token
Opaque Query Param (a non-traditional variant of the opaque token flow, in which the token is read from a query parameter; it was built for one of our clients and is not used locally).
All of these resource servers share the following common configuration:
oauth2:
  resource-server:
    base-conf:
      user-info-uri: https://pingfederate:9031/idp/userinfo.openid
      group-base-access:
        oauth2-group-claim-name: memberOf
JWT
The JWT RS is straightforward: only the jwt profile is required.
spring:
  profiles:
    active: secured, jwt
  # OAuth2 Resource Server PF configuration
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://authorization.server
Opaque Token
The Opaque Token RS uses an introspection endpoint to validate the token.
spring:
  profiles:
    active: secured, opaque
  # OAuth2 Resource Server PF configuration
  security:
    oauth2:
      resourceserver:
        # Spring Boot property group is "opaquetoken" (no hyphen)
        opaquetoken:
          introspection-uri: ${modelop.mm.introspection-uri}
          client-id: ${modelop.mm.client-id}
          client-secret: ${modelop.mm.client-secret}
Opaque Query Param
The Opaque Query Param RS also validates the token through an introspection endpoint, but reads the token from a query parameter (otoken) instead of the Authorization header.
oauth2:
  # Values for Resource Servers.
  resource-server:
    ## Base RS conf
    base-conf:
      user-info-uri: https://authorization.server/idp/userinfo.openid
    # Traditional approaches require only introspection-uri; this approach uses NimbusOpaqueTokenIntrospector
    opaque:
      client-id: model-manage-client
      client-secret: client-secret
      introspection-uri: https://internal.pf.modelop.center/as/introspect.oauth2
    # opaque-queryparam exists for one specific client that supports 2 OAuth2 providers at the same time
    opaque-queryparam:
      queryparam: otoken
      introspection-uri: https://authorization.server/rs/validate/AppIdClaim
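As an added illustration (this is example code, not ModelOp's own implementation), the following Spring Security configuration shows how the two opaque paths above can coexist in one RS: a bearer-token resolver that accepts the token from the otoken query parameter as well as the Authorization header, and an introspection resolver that picks the introspection endpoint based on where the token was presented. The class name, the selection rule, and the reuse of the opaque client credentials for the AppIdClaim endpoint are assumptions; the jakarta.servlet import assumes Spring Boot 3, and the property keys are the oauth2.resource-server.* keys shown above.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

@Configuration
public class OpaqueResourceServerConfig {

    // Query parameter name, e.g. "otoken" (assumed to be bound from the YAML above)
    @Value("${oauth2.resource-server.opaque-queryparam.queryparam}")
    private String queryParam;

    // Prefer the Authorization header; fall back to ?otoken= only when it is absent.
    // Query-string tokens land in access logs and Referer headers, so keep this
    // path limited to the one client that needs it.
    @Bean
    BearerTokenResolver bearerTokenResolver() {
        DefaultBearerTokenResolver header = new DefaultBearerTokenResolver();
        return request -> {
            String token = header.resolve(request);
            return token != null ? token : request.getParameter(queryParam);
        };
    }

    // Introspection resolver (assumed rule): a token presented in the query parameter
    // goes to the AppIdClaim validator; a header token goes to the PF introspection endpoint.
    @Bean
    OpaqueTokenIntrospector introspectionResolver(
            @Value("${oauth2.resource-server.opaque.introspection-uri}") String pfUri,
            @Value("${oauth2.resource-server.opaque.client-id}") String clientId,
            @Value("${oauth2.resource-server.opaque.client-secret}") String clientSecret,
            @Value("${oauth2.resource-server.opaque-queryparam.introspection-uri}") String appIdUri) {
        OpaqueTokenIntrospector pf = new NimbusOpaqueTokenIntrospector(pfUri, clientId, clientSecret);
        OpaqueTokenIntrospector appId = new NimbusOpaqueTokenIntrospector(appIdUri, clientId, clientSecret);
        return token -> {
            HttpServletRequest req = ((ServletRequestAttributes)
                    RequestContextHolder.currentRequestAttributes()).getRequest();
            boolean fromQuery = req.getHeader("Authorization") == null
                    && req.getParameter(queryParam) != null;
            return (fromQuery ? appId : pf).introspect(token);
        };
    }
}
```

Spring Boot's resource-server auto-configuration picks up the BearerTokenResolver and OpaqueTokenIntrospector beans, so no explicit SecurityFilterChain is needed for them to take effect.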
JWT detailed architecture overview
Opaque detailed architecture overview