Merge branch 'develop' of github.com:cloudfoundry/uaa into strehle/fix/oauth_error

* 'develop' of github.com:cloudfoundry/uaa:
  Bump k8s.io/client-go from 0.21.3 to 0.22.0 in /k8s (#1639)
  Bump k8s.io/api from 0.21.3 to 0.22.0 in /k8s (#1638)
  fix generateDocs
  PKCE support in IDP (OIDC) proxy authorization flow (#1606)
  fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.4.0.RELEASE to 2.5.1.RELEASE (#1632)
  fix: upgrade org.passay:passay from 1.2.0 to 1.6.0 (#1633)
Showing 16 changed files with 216 additions and 61 deletions.
@@ -0,0 +1,33 @@ | ||
# Registering Okta as external, public OIDC provider in UAA | ||
|
||
Okta can be setup as an [OIDC provider](https://developer.okta.com/docs/guides/add-an-external-idp/openidconnect/configure-idp-in-okta/) for UAA login. | ||
In order to prevent storing a client secret in UAA configuration and all of it's successor problems like secret rotation and so on, register the | ||
external OIDC provider with a public client. | ||
|
||
1. Create an OIDC application and set it with [PKCE public](https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#use-pkce-to-make-your-apps-more-secure). | ||
Register the "Redirect URIs" in the application section "OpenID Connect Configuration" | ||
|
||
Add following URI in list field: | ||
`http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://developer.okta.com/docs/guides/implement-auth-code-pkce/overview/). | ||
|
||
2. Copy client id. | ||
|
||
3. Minimal OIDC configuration needs to be added in login.ym. | ||
Read configuration refer to 'https://<your-tenant>.okta.com/.well-known/openid-configuration' for discoveryUrl and issuer | ||
|
||
login: | ||
oauth: | ||
providers: | ||
okta.public: | ||
type: oidc1.0 | ||
discoveryUrl: https://trailaccount.okta.com/.well-known/openid-configuration | ||
issuer: https://trailaccount.okta.com | ||
scopes: | ||
- openid | ||
linkText: Login with Okta-Public | ||
showLinkText: true | ||
relyingPartyId: 0iak4aiaC4HV39L6g123 | ||
|
||
4. Ensure that the scope `openid` is included in the`scopes` property. | ||
|
||
5. Restart UAA. You will see `Login with Okta-Public` link on your login page. |
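Review bot: the redirect URI on the "Add following URI in list field:" line is `http://{UAA_HOST}/login/callback/{origin}`; that is the endpoint Okta sends the authorization code back to, so the documented example should read `https://{UAA_HOST}/login/callback/{origin}`, and a short note that `{origin}` is the provider key under `providers:` (here `okta.public`) would save readers a lookup. Two wording fixes in the same hunk: `login.ym` looks like a typo for `login.yml`, and "all of it's successor problems like secret rotation and so on" reads better as "all of its follow-on problems, such as secret rotation". The "Read configuration refer to ..." line could simply say: take `discoveryUrl` and `issuer` from `https://<your-tenant>.okta.com/.well-known/openid-configuration`.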
@@ -0,0 +1,36 @@ | ||
# Registering SAP IAS as external, public OIDC provider in UAA | ||
|
||
SAP IAS can be setup as an [OIDC provider](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/a789c9c8c0f5439da8c30b5d9e43bece.htm) for UAA login. | ||
In order to prevent storing a client secret in UAA configuration and all of it's successor problems like secret rotation and so on, register the | ||
external OIDC provider with a public client. | ||
|
||
1. Create an OIDC application and set it with [type public](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/a721157cd40544eb9bad40085cf8ec15.html). | ||
Register the "Redirect URIs" in the application section "OpenID Connect Configuration" | ||
|
||
Add following URI in list field: | ||
`http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/1ae324ee3b2d4a728650eb022d5fd910.html). | ||
|
||
2. Copy client id. | ||
|
||
3. Minimal OIDC configuration needs to be added in login.ym. | ||
Read configuration refer to '[https://<tenant ID>.accounts.ondemand.com/.well-known/openid-configuration](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/c297516bae4547eb82eeed80fea2b937.html)' for discoveryUrl and issuer | ||
|
||
login: | ||
oauth: | ||
providers: | ||
ias.public: | ||
type: oidc1.0 | ||
discoveryUrl: https://trailaccount.accounts.ondemand.com/.well-known/openid-configuration | ||
issuer: https://trailaccount.accounts.ondemand.com | ||
scopes: | ||
- openid | ||
- profile | ||
linkText: Login with IAS-Public | ||
showLinkText: true | ||
relyingPartyId: 3feb7ecb-d106-4432-b335-aca2689ad123 | ||
|
||
4. Ensure that the scope `openid`, `email` and `profile` is included in the`scopes` property. Then UAA shadow user (if addShadowUserOnLogin=true) is created | ||
with all properties. | ||
|
||
5. Restart UAA. You will see `Login with IAS-Public` link on your login page. |
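Review bot: step 4 says to ensure `openid`, `email` and `profile` are in `scopes`, but the config block above it lists only `openid` and `profile`; add `- email` to the snippet (or drop it from step 4) so the two agree, and "is included" should be "are included". The same points as on the Okta page apply here: the callback example should be `https://{UAA_HOST}/login/callback/{origin}`, `login.ym` should be `login.yml`, and "can be setup" should be "can be set up". In step 3 the discovery URL is wrapped in a markdown link to a help page, so it renders as link text rather than as the URL to copy; showing the URL as inline code with the help link after it would be clearer.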