FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of...


Page 1: FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.

FIspace SPT

Seyhun Futaci


Technology behind FIspace Authentication and Authorization

The IDM service of FIspace provides an SSO solution for web apps, mobile and RESTful web services. It is an authentication server where users can centrally log in, log out, register, and manage their user accounts.

Security components provide a federated IDM solution using separate domains. Each domain secures and manages security metadata for a set of users, applications, and registered OAuth clients.

Access tokens are used to secure web invocations. Access tokens contain security metadata specifying the identity of the user as well as the role mappings for that user.


Features provided by FIspace

• SSO and Single Log Out for browser applications
• Social Login using Google
• User Registration
• Forgot password support. User can have an email sent to them
• User session management. Admin can view user sessions and what applications/clients have an access token. Sessions can be invalidated per realm or per user.
• Integrated Browser App to REST Service token propagation
• OAuth Bearer token auth for REST Services
• OAuth 2.0 Grant requests
• SAML Support.
• Completely centrally managed user and role mapping metadata. Minimal configuration at the application side


What happens?

[Diagram: message flow between Client, Resource Owner, Authentication Server and Resource Server. Messages, in the order shown: Authentication Request, Authentication Grant, Authentication Grant, Access Token, Access Token, Protected Resource]


What do you need to Configure your App?

• Basic understanding of OAuth
• Registered user with an “app developer” role
• Registered application on Keycloak
• Proper keycloak.json file, unique to your application


Sample keycloak.json

{
  "realm": "fispace",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "auth-server-url": "https://37.131.251.129:8443/auth",
  "ssl-required": "none",
  "resource": "fispace-frontend",
  "credentials": {
    "secret": "028d7825-2bb8-480d-ac0c-6c41e1aab6de"
  }
}
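The sample above sets "ssl-required" to "none" and carries a client secret, two settings worth checking before a keycloak.json is deployed. The JavaScript below is an added example, not part of the original slides or of FIspace or Keycloak code; the function name auditKeycloakConfig, the servedToBrowser option, the "public-client" check and all sample hosts and values are assumptions constructed for illustration.

```javascript
// Added example: audit a keycloak.json before it is deployed.
// servedToBrowser is a hypothetical option: true when keycloak.js in a
// widget downloads the file, false when it stays on the server.
function auditKeycloakConfig(jsonText, { servedToBrowser = false } = {}) {
  const cfg = JSON.parse(jsonText);
  const findings = [];

  for (const key of ['realm', 'auth-server-url', 'resource']) {
    if (typeof cfg[key] !== 'string' || cfg[key] === '') findings.push('missing ' + key);
  }

  // Adapter values are "all", "external" and "none"; with "none" the
  // adapter does not insist on HTTPS, so tokens may cross plain HTTP.
  const ssl = cfg['ssl-required'];
  if (ssl === 'none') {
    findings.push('ssl-required is none');
  } else if (ssl !== undefined && !['all', 'external'].includes(ssl)) {
    findings.push('ssl-required has an unknown value');
  }

  let url = null;
  try { url = new URL(cfg['auth-server-url']); } catch (e) { url = null; }
  if (url && url.protocol !== 'https:') findings.push('auth-server-url is not https');

  // A secret in a file the browser downloads is readable by every user.
  const secret = cfg.credentials && cfg.credentials.secret;
  if (secret && servedToBrowser) findings.push('client secret exposed to browser');
  if (secret && cfg['public-client'] === true) findings.push('public client carries a secret');

  return findings;
}

// Constructed samples shaped like the slide's file; all values are placeholders.
const weakConfig = JSON.stringify({
  realm: 'fispace', 'auth-server-url': 'http://idm.example.test:8080/auth',
  'ssl-required': 'none', resource: 'example-widget',
  credentials: { secret: 'PLACEHOLDER-SECRET' }
});
const hardenedConfig = JSON.stringify({
  realm: 'fispace', 'auth-server-url': 'https://idm.example.test/auth',
  'ssl-required': 'all', resource: 'example-widget', 'public-client': true
});

console.log(auditKeycloakConfig(weakConfig, { servedToBrowser: true }));
console.log(auditKeycloakConfig(hardenedConfig, { servedToBrowser: true }));
```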


Step by Step

• Create a new user
• Request an “app developer” role using email address [email protected]
• Register your application using Developer zone on FIspace frontend.
• Retrieve keycloak.json file unique to your application


Step by Step

Click “Login” and start with the authentication steps.


How to log in to the FIspace platform using EE?

On the IDM server, either log in with an already registered user or create a new one.


Accessing Developers Zone

Once the FIspace administration grants your request to access the Developers Zone, you will see the “Developers Zone” link on the Frontend.


Register your Application

Simply enter the requested information and register your application.


Get keycloak.json file

Get the keycloak.json file for your registered application


Adapters

Keycloak can secure a wide variety of Java applications. However, you need to use Keycloak adapters to secure your applications.

• Adapters can be downloaded at the Keycloak official website.
• Adapters are unique to the web server as well as the version of Keycloak.
  – Experimentation Environment currently uses Keycloak 1.0.4.
  – In Preliminary Integration Environment FIspace team is testing 1.1.0
• Keycloak adapter needs to be defined as a dependency for your application.
• For any programming language, an OAuth2 library would be sufficient to create authentication for your application.


How to Integrate Widgets? Pre-requisites…

The Keycloak Server comes with a Javascript adapter which is a library you can use to secure pure HTML/Javascript applications.

http://<keycloak server>/auth/js/keycloak.js

What do you need?

• Basic understanding of Javascript and HTML
• Keycloak.json file created using FIspace frontend.
• Config.xml file created using FIspace Studio.
• JQuery JS Library


How to Integrate Widgets?

After generating config.xml using FIspace Studio, create an HTML file like below to see if the user is authenticated.


Properties

Object
• authenticated - true if the user is authenticated
• token - the base64 encoded token that can be sent in the Authorization header in requests to services
• tokenParsed - the parsed token
• subject - the user id

Parsed Token
• name
• nickname
• preferred_username
• Profile

More information can be found at https://bitbucket.org/fispace/core/wiki/Home
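How a REST service can check the token it receives in the Authorization header before trusting the identity and role mappings inside it, as an added example that is not from the original slides or from Keycloak's adapter code: it verifies the signature with the "realm-public-key" value from keycloak.json, checks expiry, then reads the roles. RS256 signing, the realm_access.roles claim layout, and all function names and sample values are assumptions.

```javascript
const crypto = require('crypto');

// Verify a bearer token with the realm key, then return its claims.
// realmPublicKey is the base64 DER string stored as "realm-public-key".
function verifyAccessToken(token, realmPublicKey, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, s] = parts;
  // Pin the algorithm instead of trusting the token header (RS256 assumed).
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  if (header.alg !== 'RS256') throw new Error('unexpected alg');

  const key = crypto.createPublicKey({
    key: Buffer.from(realmPublicKey, 'base64'), format: 'der', type: 'spki'
  });
  const valid = crypto.verify('RSA-SHA256', Buffer.from(h + '.' + p), key,
    Buffer.from(s, 'base64url'));
  if (!valid) throw new Error('bad signature');

  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    throw new Error('token expired');
  }
  return claims;
}

// Role check on verified claims; the realm_access.roles layout is assumed.
function hasRealmRole(claims, role) {
  const roles = (claims.realm_access && claims.realm_access.roles) || [];
  return roles.includes(role);
}

// Constructed demo: a throwaway realm key and a token signed with it.
function makeDemoToken(nowSeconds) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const body = enc({ alg: 'RS256' }) + '.' + enc({
    sub: 'user-123', preferred_username: 'alice', exp: nowSeconds + 300,
    realm_access: { roles: ['app developer'] }
  });
  const sig = crypto.sign('RSA-SHA256', Buffer.from(body), privateKey);
  return {
    token: body + '.' + sig.toString('base64url'),
    realmPublicKey: publicKey.export({ type: 'spki', format: 'der' }).toString('base64')
  };
}
const demo = makeDemoToken(1700000000);
console.log(verifyAccessToken(demo.token, demo.realmPublicKey, 1700000000).preferred_username);
```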


Thank you

Contributors: Serdar Arslan, Engin Dagdeviren