Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Devops/tweak openid for different access url #510

Open
wants to merge 5 commits into
base: develop
Choose a base branch
from

Conversation

MikeNeilson
Copy link
Contributor

Was finally able to retrieve an active JWT and see how things worked. CDA can now use the EDIPI provided by the JWT to retrieve CWMS user credentials.

Possible future work involved database changes to allow use of the "sub" which would be appropriate to allow Keycloak Direct Grant OR Login.gov.

The majority the auth flows are not usable by our users, and some scopes don't work even through their presented. Removing the oauth flows is easy, I'll investigate later setting an appropriate default scope and client id.

Oh and for anyone that ever needs to try TLS/Mutual auth from a termina in windows:

curl -v --ca-native --cert "CurrentUser\MY\<Thumbprint from CAC cert>" https://url-requiring-mutual-auth.test" -d "grant_type=password" -d "username=" -d "password=" -d "response_type=code" -d "client_id=<client scope>" -d "scope=openid profile email"

Note with the above email did not show up within the JWT, @willbreitkreutz the JWT clearly said email not verified so seems reasonable to ; is there a process for a user to update their information on keycloak, couldn't quite figure out how to log in to my account correctly, assuming it's even configured to do so.

- Method to tweak base auth to allow usage of non-cac for service lookup and cac for user login through Swagger.
- Implemented Functionality to process JWT and build appropriate DataApiPrincipal.

Closes #392.
compose_files/pki/certs/main.conf Show resolved Hide resolved
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think several files in pki/certs/* area are re-generated and don't need to be included here?

docker-compose.README.md Show resolved Hide resolved
@willbreitkreutz
Copy link

@MikeNeilson there is a way for users to update their profile, first name, last name and e-maiil anyway. we're working on getting that workflow documented. We don't have e-mail verification wired up so they all show not-verified even if there is an e-mail, probably something we need to get incorporated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants