-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Devops/tweak openid for different access url #510
base: develop
Are you sure you want to change the base?
Conversation
- Method to tweak base auth to allow usage of non-cac for service lookup and cac for user login through Swagger. - Implemented Functionality to process JWT and build appropriate DataApiPrincipal. Closes #392.
compose_files/pki/certs/main.crt
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think several files in pki/certs/* area are re-generated and don't need to be included here?
cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java
Outdated
Show resolved
Hide resolved
Co-authored-by: Karl Tarbet <[email protected]>
@MikeNeilson there is a way for users to update their profile, first name, last name and e-maiil anyway. we're working on getting that workflow documented. We don't have e-mail verification wired up so they all show not-verified even if there is an e-mail, probably something we need to get incorporated. |
Was finally able to retrieve an active JWT and see how things worked. CDA can now use the EDIPI provided by the JWT to retrieve CWMS user credentials.
Possible future work involved database changes to allow use of the "sub" which would be appropriate to allow Keycloak Direct Grant OR Login.gov.
The majority the auth flows are not usable by our users, and some scopes don't work even through their presented. Removing the oauth flows is easy, I'll investigate later setting an appropriate default scope and client id.
Oh and for anyone that ever needs to try TLS/Mutual auth from a termina in windows:
Note with the above email did not show up within the JWT, @willbreitkreutz the JWT clearly said email not verified so seems reasonable to ; is there a process for a user to update their information on keycloak, couldn't quite figure out how to log in to my account correctly, assuming it's even configured to do so.