Versions Compared

Old Version 71

changes.mady.by.user Ugnius Bertašius

Saved on

compared with

New Version 72

changes.mady.by.user Gert van Valkenhoef

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
maxLevel2

Introduction

All major changes with introducing new SSO system are listed here

...

OAuth 2.0 can also be used for single sign on, i.e. the ability for the end user to log into the client using his or her Cochrane Account, by utilising the authentication part of the OAuth flow only, and not using the access token for further API calls. 

Anchor
Registration_Keycloak
Registration_Keycloak
Registration

Before a client can use the system it must be registered in Keycloak with the following information (see Keycloack documentation for details):

...

The registration of redirect URIs is vital for the security of the system, and Keycloak only allows complete URIs to be registered (see Keycloak documentation for details, part Valid Redirect URIs). 

Anchor
Endpoints_Keycloak
Endpoints_Keycloak
Endpoints

EnvironmentKEYCLOAK_BASEURLARCHIE_BASEURL
Testhttps://test-login.cochrane.org/https://test-archie.cochrane.org/
Traininghttps://training-login.cochrane.org/https://training-archie.cochrane.org/
Productionhttps://login.cochrane.org/https://archie.cochrane.org/

All endpoints require a secure connection (HTTPS). If plain HTTP is used an error status code 403 (forbidden) is returned.

Primary endpoints

Authorization endpoint:

${KEYCLOAK_BASEURL}/auth/realms/cochrane/protocol/openid-connect/auth

...

${KEYCLOAK_BASEURL}/auth/realms/cochrane/protocol/openid-connect/token

Authorization Code Grant (server-side) flow

Step A: Authorization code grant

The server-side flow is optimised for confidential clients, although in theory it could be use by a public client. The first step is for the client to obtain an authorization code from Keycloak.

...

In case of an error condition, depending on the error type, an error message will be displayed either directly to the end user (if there is a problem with the client ID or redirect URI), or it will be provided as an error parameter in the redirect URI to the client. For instance, if the end user does not give his or her consent, an "access_denied" error is returned to the client. See the specification section 4.1.2.1 for details.

Step B: Access token request

In the second step the client exchanges the authorization code with an access token server-to-server without involving the user's browser, and it requires client credentials as Basic auth.

...

redirect_uri (optional): Required if the redirect_uri parameter was provided in step A, in which case the parameter must have the exact same value. This parameter is not used for redirecting at this step, only for added security.

Client authentication

For any call to the token endpoint, including this, the client must provide its credentials as Basic HTTP authentication with client ID as user name and client secret as password. The authentication must be provided in the Authorization header for a confidential client.

Before building the header for Basic authentication, client IDs and client secrets containing special characters including %, +, and all non-ASCII characters  must be encoded using the UTF-8 character encoding scheme first; the resulting octet sequence then needs to be further application/x-www-form-urlencoded (see section 2.3.1 of the specification). To build the header, the encoded credentials are separated by a colon, the resulting string is base 64 encoded, and the result is prefixed with "Basic ".

Access code response

The response to the POST request is a JSON object (MIME type "application/json") like this:

...

The first field is the actual access token which should be kept on the server and never passed to the end user's browser. The token_type will always be "Bearer" in this implementation. The number of seconds that the token is valid is given in expires_in.

Error response

In case of an error condition Keycloak responds with a HTTP 400 status code with the error message included in the body of the response as a JSON object, e.g.:

...

For further details see section 5.2 of the specification.

Implicit Grant (client-side) flow

The client-side flow is optimised for public clients such as pure HTML5/JavaScript clients.

...

scope (optional) (the same as in scope description above)

Multiple scopes can be provided as a space separated list, e.g. "person document", but "all" or "none" must stand alone. If no scope is specified, "none" is used (note: the default is not all scopes registered with the client). Only scopes registered with the client are allowed. 

...

The format of the access token and error response objects is as described above for the Authorization Code Grant. However, no refresh token is supplied.

Anchor
ROPC_Keycloak
ROPC_Keycloak
Resource Owner Password Credentials

The Resource Owner Password Credentials flow allows client to obtain an access token using resource owner's credentials (username and password). The Password grant is one of the simplest OAuth grants and involves only one step: client uses resource owner's username and password to make POST request to the server to exchange password for access token. This authorization grant type requires that the application collect the user’s password.

...

scope (optional) (the same in scope description above).

The format of the access token and error response objects is as described above for the Authorization Code Grant.

Client Credentials Grant flow

The client credentials flow allows a confidential client (server) to obtain an access token server-to-server without involving an end user. Before this flow is used, an Keycloak user must be associated with the client. The access token obtained with this flow will be associated with the user and the user's permissions.

...

scope (optional) (the same as in scope description above).

Multiple scopes can be provided as a space separated list, e.g. "person document", but "all" or "none" must stand alone. If no scope is specified, "none" is used (note: the default is not all scopes registered with the client). Only scopes registered with the client are allowed. 

...

The format of the access token and error response objects is as described above for the Authorization Code Grant.

Anchor
Validation_Keycloak
Validation_Keycloak
Validating the access token

Keycloack provides a mechanism for validating access token. There are two ways to approach it - using Introspection Endpoint and validating tokens locally. See Keycloack documentation for more details. 

Using Introspection Endpoint

In order to manually validate a token issued by Keycloack, invoke Introspection Endpoint  /realms/{realm-name}/protocol/openid-connect/token/introspect

...

    "iat": 1419356238,    
    "nbf": 1419350238
}

Local validation

Due to the fact that Keycloack issued tokens are JWT digitally signed and encoded using JWS, access token can be locally validated using public key of the issueing realm. The realm’s public key can be be looked-up and cached using the certificate endpoint with the Key ID (KID) embedded within the JWS.

...

Accurate clock synchronisation is required for local token validation, so it should not be used in environments where this can't be guaranteed (e.g. end-user web browser).

Refreshing an access token

Refresh tokens can be used to obtain a new access token without asking for the end user's consent. Access tokens expire after 4 hours unless they are revoked. Refresh tokens are valid for 180 days or until they are used to obtain a new access token.

...

In case of an error condition, e.g. if the refresh token is no longer valid, the response will follow the same structure as for other token endpoint errors. The client should discard the refresh token and obtain a new access token using the server-side flow.

Anchor
Config_Keycloak
Config_Keycloak
Access and refresh tokens configuration 

Keycloak provides a possibility to configure different lifespan for access token and refresh token. This is all done on the Tokens tab in the Keyclock. Expiration time can be configured for:

...

See Session and Token Timeouts for more detailed information.

Using an access token to access the Archie API

The access token must be passed to the API in the Authorization header, e.g.:

...

See Review Document API for more examples.

Checking permissions for a user

The access token must be passed to the API in the Authorization header, e.g.:

...

[
    {
        "resource": "folder",
        "entity": "all",
        "grants": ["delete", "view_folder", "read_files", "write"]
    }
    {
        "resource": "person",
        "entity": "all",
        "grants": ["view", "view_private", "write", "delete", "mark_duplicate", "select_topics", "affiliation_crud"]
    }
]


Checking permissions for a single review

As another example, the API contains a method to get the user's permissions for a single review:

...