Azuread review #209

Merged
merged 7 commits into from
Nov 21, 2024
55 changes: 31 additions & 24 deletions authentication/AzureAD/README_WITH_CLIENT_SECRET.md
Expand Up @@ -26,7 +26,7 @@

1. Create the *ODM application*.

In **Azure Active Directory** / **App registration**, click **New Registration**:
In **Microsoft Entra Id** / **Manage** / **App registration**, click **New Registration**:

* Name: **ODM Application**
* Supported account types / Who can use this application or access this API?: select `Accounts in this organizational directory only (Default Directory only - Single tenant)`
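Review bot: the renamed product is spelled "Microsoft Entra Id" here, but Microsoft's name is "Microsoft Entra ID" (capital ID); the same string is introduced in every hunk of this file, so correct it everywhere in one pass before merging. The new navigation path `**Microsoft Entra Id** / **Manage** / **App registration**` otherwise follows the portal's left-hand menu, which is an improvement over the old "Azure Active Directory" path.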
Expand All @@ -36,7 +36,7 @@

2. Retrieve Tenant and Client information.

In **Azure Active Directory** / **App Registration**, select **ODM Application** and click **Overview**:
In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application** and click **Overview**:

* Application (client) ID: **Client ID**. It will be referenced as `CLIENT_ID` in the next steps.
* Directory (tenant) ID: **Your Tenant ID**. It will be referenced as `TENANT_ID` in the next steps.
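Review bot: "App Registration" on line `In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application**` is capitalised differently from "App registration" in the previous hunk and "App registrations" in the next one; the portal blade is named "App registrations", so use that spelling consistently since the rename touches all of these lines anyway.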
Expand All @@ -45,7 +45,7 @@

3. Generate an OpenID client secret.

In **Azure Active Directory** / **App registrations**, select **ODM Application**:
In **Microsoft Entra Id** / **Manage** / **App registrations**, select **ODM Application**:

* From the Overview page, click on the link Client credentials: **Add a certificate or secret** or on the **Manage / Certificates & secrets** tab
* Click + New Client Secret
Expand All @@ -58,24 +58,24 @@

4. Add Claims.

In **Azure Active Directory** / **App registrations**, select **ODM Application**, and in **Manage / Token Configuration**:
In **Microsoft Entra Id** / **Manage** / **App registrations**, select **ODM Application**, and in **Manage / Token Configuration**:

* Add Optional Email ID Claim
* Add Optional **email** ID Claim
* Click +Add optional claim
* Select ID
* Check Email
* Click Add

* Add Optional Email Access Claim
* Click +Add optional claim
* Select Access
* Check Email
* Check **email**
* Click Add

* Turn on Microsoft Graph email permission
* Check Turn on the Microsoft Graph email permission
* Click Add

* Add Optional **email** Access Claim
* Click +Add optional claim
* Select Access
* Check **email**
* Click Add

* Add Group Claim
* Click +Add groups claim
* Check Security Groups
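Review bot: the reordering now places "Turn on Microsoft Graph email permission" directly after the ID claim's `* Click Add`, which matches the portal's behaviour (the permission prompt appears after adding the email claim), but the result is two consecutive "Click Add" bullets that read like a duplicate. Suggest wording the step as "In the dialog that opens, check **Turn on the Microsoft Graph email permission** and click Add" so readers know it is a follow-up prompt, not a repeated step. Also, the leading bullet `* Add Optional **email** ID Claim` bolds "email" while `* Add Optional Email Access Claim` in the removed lines did not; the new `* Add Optional **email** Access Claim` is consistent, so this is fine.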
Expand All @@ -85,19 +85,19 @@

To allow ODM rest-api to use the password flow with email as user identifier and the client-credentials flow with client_id as user identifier, we need to create a new claim named "identity" that will take the relevant value according to the flow:

In **Azure Active Directory** / **Enterprise applications**, select **ODM Application**, and in **Manage / Single sign-on**:
In **Microsoft Entra Id** / **Manage** / **Enterprise applications**, select **ODM Application**, and in **Manage / Single sign-on**:

* Click Edit in the "Attributes & Claims" section
* Click + Add new claim
* Name: identity
* Name: **identity**
* Fill 2 Claim conditions in the exact following order:
1. User Type: Any / Scoped Groups: 0 / Source: Attribute / Value: <CLIENT_ID>
2. User Type: Members / Scoped Groups: 0 / Source: Attribute / Value: user.mail
* Click Save

6. API Permissions.

In **Azure Active Directory** / **App Registration**, select **ODM Application**, and then click **API Permissions**.
In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application**, and then click **API Permissions**.

* Click Grant Admin Consent for Default Directory

Expand All @@ -109,14 +109,21 @@

7. Manifest change.

In **Azure Active Directory** / **App Registration**, select **ODM Application**, and then click **Manifest**.
In **Microsoft Entra Id** / **Manage** / **App Registration**, select **ODM Application**, and then click **Manifest**.

The Manifest feature (a JSON representation of an app registration) is currently in transition.
[**AAD Graph app manifest**](https://learn.microsoft.com/en-us/entra/identity-platform/azure-active-directory-graph-app-manifest-deprecation) will be deprecated soon and not editable anymore starting 12/2/2024. It will be replaced by the **Microsoft Graph App Manifest**

As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#accesstokenacceptedversion-attribute), change the value to 2.

ODM OpenID Liberty configuration needs version 2.0 for the issuerIdentifier. See the [openIdWebSecurity.xml](templates/openIdWebSecurity.xml) file.

It is also necessary to set **acceptMappedClaims** to true to manage claims. Without this setting, you get the exception **AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.** when requesting a token.

With **Microsoft Graph App Manifest**:
* **acceptMappedClaims** is relocated as a property of the **api** attribute
* **accessTokenAcceptedVersion** is relocated as a property of the **api** attribute and renamed **requestedAccessTokenVersion**

Then, click Save.

8. Check the configuration.
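Review bot: the link on `As explained in [accessTokenAcceptedVersion attribute explanation](https://docs.microsoft.com/.../reference-app-manifest#accesstokenacceptedversion-attribute)` still points at the AAD Graph manifest reference that the new paragraph says is being deprecated, while the bullets below describe the Microsoft Graph manifest layout (`requestedAccessTokenVersion` under `api`); point readers at the Microsoft Graph app manifest reference, or at least state explicitly which manifest editor the value 2 is to be set in. Two smaller points in the same hunk: the date `12/2/2024` is ambiguous between 2 December and 12 February, so write it in ISO form, and the sentence ending in "**Microsoft Graph App Manifest**" is missing its full stop. Finally, **acceptMappedClaims** is introduced only as the way to make the AADSTS50146 error go away; since the error text itself says the app "is required to be configured with an application-specific signing key", add a sentence that setting it to true means the application explicitly accepts tokens whose claims were produced by a mapping policy without such a key, so readers understand it is a deliberate acknowledgement and not merely a workaround.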
Expand Down Expand Up @@ -318,7 +325,7 @@

```shell
kubectl create secret generic users-groups-synchro-secret \
--from-file=sidecar-start.sh \
--from-file=./output/sidecar-start.sh \
--from-file=generate-user-group-mgt.sh
```
> **Note**
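Review bot: after `--from-file=./output/sidecar-start.sh` the secret key is still `sidecar-start.sh` (kubectl uses the file's base name as the key), so consumers of the secret are unaffected; but the second file is still read as `--from-file=generate-user-group-mgt.sh` from the current directory, so confirm the preceding text says which script is generated into `./output/` and which one is expected beside it, otherwise the mixed paths look like an oversight.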
Expand All @@ -340,7 +347,7 @@
```shell
helm search repo ibm-odm-prod
NAME CHART VERSION APP VERSION DESCRIPTION
ibm-helm/ibm-odm-prod 24.0.0 9.0.0.0 IBM Operational Decision Manager
ibm-helm/ibm-odm-prod 24.1.0 9.0.0.1 IBM Operational Decision Manager
```

### Run the `helm install` command
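Review bot: the sample `helm search repo ibm-odm-prod` output is bumped to `ibm-helm/ibm-odm-prod 24.1.0 9.0.0.1`; if the `helm install` command in the section that follows pins a `--version` or the documented image tags reference 9.0.0.0, those need the same bump in this PR so the sample output and the install step agree.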
Expand Down Expand Up @@ -449,7 +456,7 @@ You can now install the product. We will use the PostgreSQL internal database an
- Decision Server Runtime redirect URI: `https://<INGRESS_ADDRESS>/DecisionService/openid/redirect/odm`
- Rule Designer redirect URI: `https://127.0.0.1:9081/oidcCallback`

From the Azure console, in **Azure Active Directory** / **App Registrations** / **ODM Application**:
From the Microsoft Azure console, in **Microsoft Entra Id** / **Manage** / **App Registrations** / **ODM Application**:

- Click the `Add a Redirect URI` link
- Click `Add Platform`
Expand Down Expand Up @@ -507,11 +514,11 @@ To manage ODM runtime call on the next steps, we used the [Loan Validation Decis

Import the **Loan Validation Service** in Decision Center connected using *myodmuser*@YOURDOMAIN created at step 2

![Import project](../Keycloak/images/import_project.png)
![Import project](images/import_project.png)

Deploy the **Loan Validation Service** production_deployment ruleapps using the **production deployment** deployment configuration in the Deployments>Configurations tab.

![Deploy project](../Keycloak/images/deploy_project.png)
![Deploy project](images/deploy_project.png)

You can retrieve the payload.json from the ODM Decision Server Console or use [the provided payload](payload.json).

Expand All @@ -520,7 +527,7 @@ As explained in the ODM on Certified Kubernetes documentation [Configuring user
You can realize a basic authentication ODM runtime call the following way:

```shell
$ curl -H "Content-Type: application/json" -k --data @payload.json \
curl -H "Content-Type: application/json" -k --data @payload.json \
-H "Authorization: Basic b2RtQWRtaW46b2RtQWRtaW4=" \
https://<DS_RUNTIME_HOST>/DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0
```
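Review bot: dropping the `$ ` prompt from the curl command is the right call for copy-paste, but the example keeps `-k`, which disables TLS certificate verification; say that this is only for a self-signed demo ingress and show `--cacert <ca.pem>` as the alternative, so the sample is not copied into real deployments as-is. The hard-coded `Authorization: Basic b2RtQWRtaW46b2RtQWRtaW4=` header is the demo user's credentials in base64 (the text below the hunk says so); a short reminder to change that user's password after installation would fit here.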
Expand All @@ -530,15 +537,15 @@ Where b2RtQWRtaW46b2RtQWRtaW4= is the base64 encoding of the current username:pa
But if you want to execute a bearer authentication ODM runtime call using the Client Credentials flow, you have to get a bearer access token:

```shell
$ curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \
curl -k -X POST -H "Content-Type: application/x-www-form-urlencoded" \
-d 'client_id=<CLIENT_ID>&scope=<CLIENT_ID>%2F.default&client_secret=<CLIENT_SECRET>&grant_type=client_credentials' \
'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token'
```

And use the retrieved access token in the following way:

```shell
$ curl -H "Content-Type: application/json" -k --data @payload.json \
curl -H "Content-Type: application/json" -k --data @payload.json \
-H "Authorization: Bearer <ACCESS_TOKEN>" \
https://<DS_RUNTIME_HOST>/DecisionService/rest/production_deployment/1.0/loan_validation_production/1.0
```
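Review bot: the token request passes `client_secret=<CLIENT_SECRET>` inline in `-d '...'`, which puts the secret into the shell history and into the process list of the host; suggest reading it from an environment variable with `--data-urlencode "client_secret=$CLIENT_SECRET"` (which also takes care of URL-encoding the secret, something the current form does not do if the secret contains `+`, `/` or `=`). As in the previous hunk, `-k` on the `login.microsoftonline.com` request should be dropped: the token endpoint uses a publicly trusted certificate, so there is no reason to skip verification there.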