OAuth provides clients "secure delegated access" to server resources on behalf of a resource owner. It specifies a process by which resource owners authorize third-party access to their server resources without handing over their credentials. For more details, visit the official OAuth2 website.
For Plexus Connect to determine the active authentication server, the configuration file config.properties needs to be created.
This file needs to be saved on the server. We recommend using the configuration folder.
This configuration is activated by the following startup option:
-Dcom.chemaxon.plexus.connect.configuration.propertiesFilePath=~/chemaxon/plexus-suite/config.properties
The basic content of config.properties is shown in the following example (replace client_ID and client_secret with the values issued by your authentication server; comments in a .properties file start with #):
authentication.type=oidc
pass.uri=https://your.amazoncognito.com/oauth2/
pass.jwk.uri=https://cognito-idp.your_location-1.amazonaws.com/your_location/.well-known/jwks.json
pass.clientId=client_ID
pass.clientSecret=client_secret
# name of the attribute in the JWT where groups are listed
pass.jwt.groupKey=group
# name of the attribute in the JWT where user roles are specified (alternative to groupKey)
#pass.jwt.roleKey=roles
Alternatively, these properties can be part of nps.properties.
From the Connect perspective, the authentication server has to provide all services required by OpenID Connect Session Management. Connect expects a JWT token when authorizing against the server.
The JWT token has sub and email as mandatory attributes, and group and roles as optional attributes. One of the optional attributes should be used (possibly under a custom name) and properly mapped in the config.properties file.
When the pass.jwt.groupKey=group attribute is used, Connect checks the content of the JWT token for the group attribute, e.g. "group": ["connect-admins"]. In this case the user is in the group connect-admins. Connect then checks the content of groupToRolesMapping.json and tries to find connect-admins there. In this example it finds the roles ["ROLE_ADMIN", "ROLE_EDIT_SCHEMA", "ROLE_CONNECT_ADMIN"]. As a result, the logged-in user has these roles assigned. A JWT payload for this case looks as follows (when pass.jwt.roleKey is used instead, the roles attribute has to contain the IJC roles directly):
{
  "sub": "someUserIdOrClientId",
  "email": "emailOfUser",
  "group": ["connect-admins"],
  "roles": ["ROLES"]
}
Below is an example of groupToRolesMapping.json, where the mapped roles are stored:
{
  "connect-admins": ["ROLE_ADMIN", "ROLE_EDIT_SCHEMA", "ROLE_CONNECT_ADMIN"],
  "connect-users": ["ROLE_USER"],
  "connect-exporters": ["ROLE_EXPORT_DATA"],
  "noGroup": []
}
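The group-to-roles resolution described above, worked through in Python as an added example (this is not Connect's own code, nor Chemaxon's). It reads the groupKey/roleKey settings from a constructed config.properties fragment, checks that the mandatory sub and email claims are present, and maps the token's groups through a copy of the groupToRolesMapping.json shown above. Two points are assumptions made for the example: that the "noGroup" entry is the fallback for tokens carrying no group, and that groups absent from the mapping file grant nothing. The decode_jwt_claims helper only parses the payload; it does not verify the signature against pass.jwk.uri, which Connect does before any claim is trusted.

```python
import base64
import json
from typing import Dict, List

# Constructed copy of the page's groupToRolesMapping.json example.
GROUP_TO_ROLES_JSON = """{
  "connect-admins": ["ROLE_ADMIN", "ROLE_EDIT_SCHEMA", "ROLE_CONNECT_ADMIN"],
  "connect-users": ["ROLE_USER"],
  "connect-exporters": ["ROLE_EXPORT_DATA"],
  "noGroup": []
}"""

# Constructed config.properties fragment containing only the keys this example reads.
CONFIG_PROPERTIES = """authentication.type=oidc
# name of the attribute in the JWT where groups are listed
pass.jwt.groupKey=group
#pass.jwt.roleKey=roles
"""

MANDATORY_CLAIMS = ("sub", "email")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value lines; '#' and '!' start comment lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def load_group_mapping(text: str = GROUP_TO_ROLES_JSON) -> Dict[str, List[str]]:
    """Parse the groupToRolesMapping.json content."""
    return json.loads(text)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> Dict:
    """Return the claim set of a compact JWT (header.payload.signature).

    Parsing only: the signature is NOT verified here. In Connect the token is
    checked against the keys from pass.jwk.uri first; claims are trusted only
    after that check has passed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def resolve_roles(claims: Dict, config: Dict[str, str], mapping: Dict[str, List[str]]) -> List[str]:
    """Mandatory sub/email, then groupKey -> mapping file, or roleKey taken directly."""
    for claim in MANDATORY_CLAIMS:
        if not claims.get(claim):
            raise ValueError(f"JWT is missing mandatory claim '{claim}'")

    group_key = config.get("pass.jwt.groupKey")
    role_key = config.get("pass.jwt.roleKey")
    roles: List[str] = []

    if group_key:
        groups = claims.get(group_key, [])
        if isinstance(groups, str):   # some identity providers emit a single string
            groups = [groups]
        if not groups:
            groups = ["noGroup"]      # assumption: "noGroup" is the fallback entry
        for group in groups:
            # Assumption: a group not present in the mapping file grants no roles.
            for role in mapping.get(group, []):
                if role not in roles:
                    roles.append(role)
    elif role_key:
        # roleKey mode: the token carries the IJC roles directly.
        roles = list(dict.fromkeys(claims.get(role_key, [])))
    else:
        raise ValueError("neither pass.jwt.groupKey nor pass.jwt.roleKey is configured")
    return roles


def build_demo_token(claims: Dict) -> str:
    """Build a compact JWT with a placeholder signature, for parsing demos only."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "typ": "JWT"}  # constructed header
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    cfg = parse_properties(CONFIG_PROPERTIES)
    token = build_demo_token({"sub": "someUserIdOrClientId", "email": "emailOfUser",
                              "group": ["connect-admins"]})
    print(resolve_roles(decode_jwt_claims(token), cfg, load_group_mapping()))
```

Running the block prints the three admin roles for the sample token; a token that names only groups missing from the mapping file, or no group at all, ends up with an empty role list rather than an error, which is the safe default when the mapping file is incomplete.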
More about user roles can be found here.
For the logout service implementation, the following piece of code can be useful (a Spring MVC controller method; the imports are listed here for completeness):
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.web.bind.annotation.GetMapping;

@GetMapping("/oauth/logout") // to be implemented by your OAuth2 server
public void exit(HttpServletRequest request, HttpServletResponse response) {
    // token can be revoked here if needed
    new SecurityContextLogoutHandler().logout(request, null, null); // logout on your OAuth2 server
    System.out.println("Logging out attempt");
    try {
        // sending back to client app
        System.out.println("before send redirect");
        // redirect where you want; here we redirect back to the Referer. That header is
        // client-supplied, so validate it against your allowed Connect URLs before using it.
        response.sendRedirect(request.getHeader("referer"));
        System.out.println("after send redirect");
    } catch (IOException e) {
        System.out.println("error");
        e.printStackTrace();
    }
}
In the sections below you can find a basic demo tutorial that helps you set up this security solution for Plexus Connect: Oauth2_tutorial.