From d38c78bbc19609fbe77fb3b1991bc9e8226b5efb Mon Sep 17 00:00:00 2001 From: Laurent GRATEAU Date: Fri, 20 Oct 2023 10:06:36 +0200 Subject: [PATCH] Synchronize Master to vnext-release (#163) * Update README.md * Update README_FINE_GRAIN_PERMISSION.md * Update README_FINE_GRAIN_PERMISSION.md * https://jsw.ibm.com/browse/DBACLD-97311 * Update README.md * SiaSin review * SiaSin review * Update README.md --------- Co-authored-by: Mathias Mouly --- authentication/AzureAD/README.md | 53 ++++++++++++------ authentication/AzureAD/azuread-odm-script.zip | Bin 7092 -> 7608 bytes .../AzureAD/templates/openIdWebSecurity.xml | 4 +- .../Keycloak/README_FINE_GRAIN_PERMISSION.md | 1 + 4 files changed, 40 insertions(+), 18 deletions(-) diff --git a/authentication/AzureAD/README.md b/authentication/AzureAD/README.md index 6da109f5..228ee3a7 100644 --- a/authentication/AzureAD/README.md +++ b/authentication/AzureAD/README.md @@ -140,7 +140,16 @@ After activating your account by email, you should have access to your Aure AD i ![New Web Application](images/RegisterApp.png) -2. Generate an OpenID client secret. +2. Retrieve Tenant and Client information. + + In **Azure Active Directory** / **App Registration**, select **ODM Application** and click **Overview**: + + * Application (client) ID: **Client ID**. It will be referenced as `CLIENT_ID` in the next steps. + * Directory (tenant) ID: **Your Tenant ID**. It will be referenced as `TENANT_ID` in the next steps. + + ![Tenant ID](/images/AzureAD/GetTenantID.png) + +3. Generate an OpenID client secret. In **Azure Active Directory** / **App registrations**, select **ODM Application**: 
@@ -153,7 +162,7 @@ After activating your account by email, you should have access to your Aure AD i >Important: This client secret can not be revealed later. If you forgot to take note of it, you'll have to create another one. -3. Add Claims. +4. Add Claims. In **Azure Active Directory** / **App registrations**, select **ODM Application**, and in **Manage / Token Configuration**: 
@@ -178,37 +187,47 @@ After activating your account by email, you should have access to your Aure AD i * Check Security Groups * Click Add -4. API Permissions. +5. Create a custom claim named "identity" + + To allow ODM rest-api to use the password flow with email as user identifier and the client-credentials flow with client_id as user identifier, we need to create a new claim named "identity" that will take the relevant value according to the flow: + + In **Azure Active Directory** / **Enterprise applications**, select **ODM Application**, and in **Manage / Single sign-on**: + + * Click on Edit of the "Attributes & Claims" section + * Click + Add new claim + * Name: identity + * Fill 2 Claim conditions in the exact following order: + 1. User Type: Any / Scope Groups: 0 / Source: Attribute / Value: + 2. User Type: Members / Scope Groups: 0 / Source: Attribute / Value: user.mail + +6. API Permissions. In **Azure Active Directory** / **App Registration**, select **ODM Application**, and then click **API Permissions**. * Click Grant Admin Consent for Default Directory -5. Manifest change. +7. Manifest change. In **Azure Active Directory** / **App Registration**, select **ODM Application**, and then click **Manifest**. - As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value to 2 and then click Save. + As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value to 2. ODM OpenID Liberty configuration needs version 2.0 for the issuerIdentifier. See the [openIdWebSecurity.xml](templates/openIdWebSecurity.xml) file. -6. Retrieve Tenant and Client information. 
- In **Azure Active Directory** / **App Registration**, select **ODM Application** and click **Overview**: - - * Application (client) ID: **Client ID**. It will be referenced as `CLIENT_ID` in the next steps. - * Directory (tenant) ID: **Your Tenant ID**. It will be referenced as `TENANT_ID` in the next steps. + It is also necessary to set **acceptMappedClaims** to true to manage claims. Without this setting, you get the exception **AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.** when requesting a token. - ![Tenant ID](images/GetTenantID.png) -7. Check the configuration. + Then, click Save. + +8. Check the configuration. Download the [azuread-odm-script.zip](azuread-odm-script.zip) file to your machine and unzip it in your working directory. This .zip file contains scripts and templates to verify and set up ODM. - 7.1 Verify the Client Credential Token + 8.1 Verify the Client Credential Token You can request an access token using the Client-Credentials flow to verify the token format. - This token is used for the deployment between Decision Cennter and the Decision Server console: + This token is used for the deployment between Decision Center and the Decision Server console: ```shell $ ./get-client-credential-token.sh -i -x -n @@ -234,6 +253,7 @@ After activating your account by email, you should have access to your Aure AD i ```json { "aud": "", + "identity": "", ... "iss": "https://login.microsoftonline.com//v2.0", ... 
@@ -245,7 +265,7 @@ After activating your account by email, you should have access to your Aure AD i - *aud*: should be your CLIENT_ID - *iss*: should end with 2.0. otherwise you should verify the previous step **Manifest change** - 7.2 Verify the Client Password Token. + 8.2 Verify the Client Password Token. To check that it has been correctly taken into account, you can request an ID token using the Client password flow. @@ -270,6 +290,7 @@ After activating your account by email, you should have access to your Aure AD i "iss": "https://login.microsoftonline.com//v2.0", ... "email": "", + "identity": "", "groups": [ "" ], @@ -546,7 +567,7 @@ Get hands-on experience with IBM Operational Decision Manager in a container env To manage ODM runtime call on the next steps, we used the [Loan Validation Decision Service project](https://github.com/DecisionsDev/odm-for-container-getting-started/blob/master/Loan%20Validation%20Service.zip) -Import the **Loan Validation Service** in Decision Center connected as John Doe +Import the **Loan Validation Service** in Decision Center connected using *myodmuser*@YOURDOMAIN created at step 2 ![Import project](../Keycloak/images/import_project.png) 
diff --git a/authentication/AzureAD/azuread-odm-script.zip b/authentication/AzureAD/azuread-odm-script.zip index 3ead166f7ba57cd6c689011f4976628c47a23912..14e45800f9e16a055f25187b05cf961963cc3c86 100644 GIT binary patch delta 1304 zcmdmDzQdX~z?+#xgn@y9gTb(F=R{sj_Pq4`l>GGkjkb?jn1Mo*lei3EVw-1jg|mVM zm03;Tf^n>jto1;ZVc{~j)Up{F81k4I76;(NgL2>PqwYJ!kmqefG_ZW4S(kP1WMib34M?9@zddn6fM= ze?{7|wwQ(kja!=!bF?3+Rk;z*bbyJc;TGGh?n$rjv8t8LVRXZg;O-jR1z%Plo5w^C`= z(fsh=UiI_4giiLYyr=H;?d2+grAdFcR!@t)e(=UY$Ckz$>Je;lI~eXn&YLms#=DN> z)3pgX;#&jmuIxGE#Lg3Y_w`KAd6)dB)SuXN!PE4P;m!+A=H^ialcnx_o1a(m#;CV; zHpk@511#%1pZ5wI27KBz%W{HH&8PU>P3d3XNTWpfAdD7~Z$o|aFFOeAeICxEz3!lf(40qJ z(~?_MxhKpmc%gc$V);vf^y_cj7d8BN?{jB|=F)XhM;e*!);@pyc2A}Mt&3L{-d(s? zqL*Qrb*AS!DHh%B65Xr3_nM#MzHw5mKx1djlt`oKu*jd5+SBX1Hwj$yec%02!fx9N z#rcj|TaMj2Tv2mz`K7ji>Kl{yvt7~_-qLh!R@l0w>WdF9WY0g)y3O?3;#bwY&XcSd z=Q*T&xc+{{#|-a1T}MyNvfb>Fx0uP}=%E#B8N!Vj=39#}Zd!M7=gyl8&Xqolo+-6i zQSXD?VHfvvc1Y7--x1AZWZxw== z3-$+1z9Fn=y6B*89dF9~r};N8G2eUkqPF_~>wj-|{@?!o{#O0c^!gvp?EZ`Y@&4dM zjdL9leOR1tP7;|8$>x6~%t85ca=erbI1%iWlx7lRoqSDF5hknv%HvPOzutV#!oaYP zi-AFoK>}ECFfag<1;g9My5M9p zDK(ghU{}=vg?9=~o-L&V6IMV;oooyY@<^^)(s)dGGMls-Gcd8jjrNn4X1XXkIa^u* WY(}571Rn>m_+ti^TJxnq{s918V;VgG delta 893 zcmdmCy~Uh2z?+#xgn@y9gW-+e(uus9>^a*)QgXM2Y_xsM!o0U-{p2lNChSL@lT!9- zCvSew#mLI+1r$_fHDG_^1QCp44QFKrYM#7A&=jm2Xu{+Nf{(#s$Aqk5CQjxMKEVrA z7nZ(bFaJhHpp}#F3TxMc>;vJ_3T_5Qmajl@uzTK4@y);NAkg;yr|99X>;h3vze3g1 zhKDAxp768yB9y!5a!JSL>~G3}j(^J4^6pFtS{zjPVxis5&Bo`?o%wxg@k;02&ee8O zj6UU;CdHU?MCBQZg_eIgXrZ5=KKsDJCrN>6CvzfGpH5#>AES55$;Eu@`eVsIt}JS+ zVOx1oDx3fD$IALCW-Yf4&-)`fA#UaZ(Jj}u6zSSZ^77eMFzanuyHPGQK3l@`6^D&e z%7^gxD?es<@98;uYL>14#5-=R6S`UhqZ!wwG3+lFVcfLt;?A8n7o0177(G*Jv!dSz zvjq=+%hkMkcPnP@G5_v*o8K1k&x{Lg)@<1J;=jj=Ows;&Z0!#vQTe6h6GJo1A%7>QY_e?1(-83NL*~U(#{?VEpxqd7qx?+^lV(%^mmM zCwGV{8ZSAhTgRR9|K$BmOWF6Fz4-fE-MfEp)9W|B|G!oL_UF!LbKQ>L|F4gdUMAlY z)rUp-W)ZRJEZ{g_CuPnIN(29-WfXuZDC~*&*PG8-7#Q|(F)+w6NB|QX0|PLc8QwOE zu}*H0R%HezFR)@@$_is>obb|?m4RU=4+Db~isDeN$tu!{%)n#^QVh09Rz{lX8UJJ} 
z88x_tpagbhkubwLpar==TU3$ESklNLIC;K|4vJ!UYGh+zkVjE0Dm0l(7S-hHl0UDi ofnF&QWMGg)Q7kVqIbT*m6H7`C@MZ-X&A`A8gd3TF-Uf#N0OIsz6aWAK diff --git a/authentication/AzureAD/templates/openIdWebSecurity.xml b/authentication/AzureAD/templates/openIdWebSecurity.xml index 4ee4e6c5..d7b92fba 100644 --- a/authentication/AzureAD/templates/openIdWebSecurity.xml +++ b/authentication/AzureAD/templates/openIdWebSecurity.xml @@ -22,5 +22,5 @@ issuerIdentifier="${ServerHost}/v2.0" authorizationEndpointUrl="${ServerHost}/oauth2/v2.0/authorize" tokenEndpointUrl="${ServerHost}/oauth2/v2.0/token" - userIdentifier="aud" groupIdentifier="groups" audiences="ALL_AUDIENCES"/> - \ No newline at end of file + userIdentifier="identity" groupIdentifier="groups" audiences="ALL_AUDIENCES"/> + diff --git a/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md b/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md index a8001c8c..13feac86 100644 --- a/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md +++ b/authentication/Keycloak/README_FINE_GRAIN_PERMISSION.md @@ -263,6 +263,7 @@ oc exec -ti bash -- ldapsearch -x -Z -H ldap://ldap-service.
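Review bot: the screenshot path in the new step 2 of README.md (hunk @@ -140,7 +140,16) will not resolve: the removed line further down in the same file had the relative `![Tenant ID](images/GetTenantID.png)`, the screenshot two lines above the new step still uses `images/RegisterApp.png`, but the added line uses the absolute `/images/AzureAD/GetTenantID.png`, which is resolved from the repository root rather than from `authentication/AzureAD/`. Keep the relative path unless the image was actually moved. Minor: the new step says **App Registration** while the step right after it says **App registrations**; pick one spelling.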
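Review bot: the "exact following order" instruction for the two claim conditions in the new step 5 (hunk @@ -178,37 +187,47) needs its reason stated. Condition 1 (User Type: Any) already matches every token, so the order only matters if a later matching condition overrides an earlier one; say so explicitly, and say which principals end up with the condition-1 value (the client-credentials caller, and any user who is not a Member, e.g. a guest) versus `user.mail` for Members. This claim becomes the Liberty `userIdentifier`, so a misordered condition silently changes which subject a token maps to. In step 7 of the same hunk, `acceptMappedClaims` is justified only by the AADSTS50146 error text; state plainly that it is needed because `identity` is a mapped claim, and that the alternative named in that error (an application-specific signing key) is the other way to satisfy the requirement. Style: the heading `5. Create a custom claim named "identity"` lacks the trailing period the other steps use, and `ODM rest-api` should read `ODM REST API`.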
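Review bot: the verification checklist after the client-credentials sample (hunk @@ -234,6 +253,7, with the unchanged `- *aud*: should be your CLIENT_ID` / `- *iss*: should end with 2.0` lines in the next hunk) is not extended to cover the new `identity` claim the sample now shows. Add a bullet stating what `identity` must contain for a client-credentials token (the condition-1 value from step 5) and which steps to re-check when it is absent (step 5 and `acceptMappedClaims` in step 7), since openIdWebSecurity.xml now reads this claim as the user identifier and a token without it is the first thing a reader will hit.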
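Review bot: the explanation under the password-flow sample (hunk @@ -270,6 +290,7) should say what `identity` must equal: by step 5 condition 2, for a Member user it is `user.mail`, i.e. the same value as the `email` claim shown on the line above it. Spelling that out lets a reader distinguish a correctly mapped claim from a misordered condition (where `identity` would carry the condition-1 value instead), and a sentence on what a non-Member account will see there would close the gap.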
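Review bot: the cross-reference "created at step 2" in hunk @@ -546,7 +567,7 is ambiguous after this patch's renumbering, since step 2 of the app-registration section is now "Retrieve Tenant and Client information", which creates no user. Refer to the step by section and title (or an anchor link) rather than by number so it does not go stale again. Also `*myodmuser*@YOURDOMAIN` italicises only half of the identifier; write the whole value in backticks.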
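Review bot: the README says nothing about the consequences of changing `userIdentifier` from `aud` to `identity` in openIdWebSecurity.xml, and it should. With `aud`, every accepted token mapped to the same Liberty subject (the README's own checklist says *aud* "should be your CLIENT_ID"), so a password-flow user and the client-credentials caller were indistinguishable; with `identity` the subject depends on a claim that exists only if step 5 and `acceptMappedClaims` (step 7) were completed. Document which subject each flow maps to and what happens when the claim is missing, instead of leaving that to be discovered via a failed login. The added trailing newline (the removed `\ No newline at end of file`) is a welcome fix.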