Skip to content

Commit

Permalink
Merge remote-tracking branch 'origin' into passcode2clipboard
Browse files Browse the repository at this point in the history
* origin:
  fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.5.0.RELEASE to 2.5.1.RELEASE (#1642)
  [Snyk] Upgrade com.unboundid.product.scim:scim-sdk from 1.8.24 to 1.8.25 (#1634)
  Bump k8s.io/client-go from 0.21.3 to 0.22.0 in /k8s (#1639)
  Bump k8s.io/api from 0.21.3 to 0.22.0 in /k8s (#1638)
  fix generateDocs
  PKCE support in IDP (OIDC) proxy authorization flow (#1606)
  fix: upgrade org.springframework.security.oauth:spring-security-oauth2 from 2.4.0.RELEASE to 2.5.1.RELEASE (#1632)
  fix: upgrade org.passay:passay from 1.2.0 to 1.6.0 (#1633)
  • Loading branch information
strehle committed Aug 6, 2021
2 parents 67e9d46 + eeec3c4 commit 8ded040
Show file tree
Hide file tree
Showing 17 changed files with 219 additions and 64 deletions.
2 changes: 1 addition & 1 deletion dependencies.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@ libraries.tomcatEmbed = "org.apache.tomcat.embed:tomcat-embed-core"
libraries.tomcatJasperEl = "org.apache.tomcat.embed:tomcat-embed-jasper"
libraries.tomcatJdbc = "org.apache.tomcat:tomcat-jdbc"
libraries.unboundIdLdapSdk = "com.unboundid:unboundid-ldapsdk"
libraries.unboundIdScimSdk = "com.unboundid.product.scim:scim-sdk:1.8.24"
libraries.unboundIdScimSdk = "com.unboundid.product.scim:scim-sdk:1.8.25"
libraries.velocity = "org.apache.velocity:velocity-engine-core:2.2"
libraries.zxing = "com.google.zxing:javase:3.4.0"
libraries.nimbusJwt = "com.nimbusds:nimbus-jose-jwt"
Expand Down
33 changes: 33 additions & 0 deletions docs/okta-public-oidc-provider.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Registering Okta as external, public OIDC provider in UAA

Okta can be setup as an [OIDC provider](https://developer.okta.com/docs/guides/add-an-external-idp/openidconnect/configure-idp-in-okta/) for UAA login.
In order to prevent storing a client secret in UAA configuration and all of it's successor problems like secret rotation and so on, register the
external OIDC provider with a public client.

1. Create an OIDC application and set it with [PKCE public](https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#use-pkce-to-make-your-apps-more-secure).
Register the "Redirect URIs" in the application section "OpenID Connect Configuration"

Add following URI in list field:
`http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://developer.okta.com/docs/guides/implement-auth-code-pkce/overview/).

2. Copy client id.

3. Minimal OIDC configuration needs to be added in login.ym.
Read configuration refer to 'https://<your-tenant>.okta.com/.well-known/openid-configuration' for discoveryUrl and issuer

login:
oauth:
providers:
okta.public:
type: oidc1.0
discoveryUrl: https://trailaccount.okta.com/.well-known/openid-configuration
issuer: https://trailaccount.okta.com
scopes:
- openid
linkText: Login with Okta-Public
showLinkText: true
relyingPartyId: 0iak4aiaC4HV39L6g123

4. Ensure that the scope `openid` is included in the`scopes` property.

5. Restart UAA. You will see `Login with Okta-Public` link on your login page.
36 changes: 36 additions & 0 deletions docs/sap-public-oidc-provider.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# Registering SAP IAS as external, public OIDC provider in UAA

SAP IAS can be setup as an [OIDC provider](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/a789c9c8c0f5439da8c30b5d9e43bece.htm) for UAA login.
In order to prevent storing a client secret in UAA configuration and all of it's successor problems like secret rotation and so on, register the
external OIDC provider with a public client.

1. Create an OIDC application and set it with [type public](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/a721157cd40544eb9bad40085cf8ec15.html).
Register the "Redirect URIs" in the application section "OpenID Connect Configuration"

Add following URI in list field:
`http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/1ae324ee3b2d4a728650eb022d5fd910.html).

2. Copy client id.

3. Minimal OIDC configuration needs to be added in login.ym.
Read configuration refer to '[https://<tenant ID>.accounts.ondemand.com/.well-known/openid-configuration](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/c297516bae4547eb82eeed80fea2b937.html)' for discoveryUrl and issuer

login:
oauth:
providers:
ias.public:
type: oidc1.0
discoveryUrl: https://trailaccount.accounts.ondemand.com/.well-known/openid-configuration
issuer: https://trailaccount.accounts.ondemand.com
scopes:
- openid
- email
- profile
linkText: Login with IAS-Public
showLinkText: true
relyingPartyId: 3feb7ecb-d106-4432-b335-aca2689ad123

4. Ensure that the scope `openid`, `email` and `profile` is included in the`scopes` property. Then UAA shadow user (if addShadowUserOnLogin=true) is created
with all properties.

5. Restart UAA. You will see `Login with IAS-Public` link on your login page.
6 changes: 3 additions & 3 deletions k8s/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ require (
github.com/onsi/ginkgo v1.16.4
github.com/onsi/gomega v1.14.0
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.21.3
k8s.io/apimachinery v0.21.3
k8s.io/client-go v0.21.3
k8s.io/api v0.22.0
k8s.io/apimachinery v0.22.0
k8s.io/client-go v0.22.0
)
Loading

0 comments on commit 8ded040

Please sign in to comment.