Realms management via REST services

onesait Platform is prepared to work as an OAuth2 Server for external applications.

In this example, we will configure a realm in the Open Platform and we will authenticate against it through REST services.

Realm Configuration

First, access the platform as a user with the developer role, and open the My Realms section in the Development menu.

In this screen, click the button and fill in the form with the application details: the realm's unique identifier, a name and a description. Secret and Token validity seconds are optional attributes associated with OAuth2 authentication.

Once the general data are completed, you can start defining the roles within the Realm. You can define as many roles as needed.

All changes will be stored when you click the button. A new Realm will be created (and the creator user will be its owner).



Adding Users to the Realms and assigning Roles

Once the Realm is created, the owner user (or any user with the developer role) can register users to the realm.

To do so, edit the Realm by clicking on the edit button on the corresponding line of the Realm list.



Then, access the tab to register users:


In this section, you can register users, assigning them a role in the realm. A single user can register with several Roles in the Realm.

Select the user and the Role in the Realm, and click the button.

Once a user has been registered, it can be deleted by clicking on the button.


To store the changes, select the tab and click on the button.

Mapping Users registered in an LDAP

If LDAP authentication is used in your deployed platform, you will see a checkbox in the User Assignment tab. You can search and import LDAP users, as well as existing LDAP groups.

By checking this box, you can search users and groups by DN.

If you want to import LDAP users, fill in the 'USERS DN BASE' field underneath with the DN. This operation will search for all users belonging to that DN.


The same can be done for groups.

When an LDAP group is mapped to a ROLE, all group users will be created on the platform and associated with that role.

Realm Associations

To establish a hierarchy of Realms, associations between Realms can be defined.

When establishing an association between Realms, you must create a mapping between the Realm's roles and the associated Realm's roles. Thus, when a user authenticates against a Realm, they get the roles of that Realm and the mapped roles of the associated Realms.

To establish an association, first select a Role from the Realm, then select the Realm to be associated. Once the Realm is selected, you will see a combo with all its Roles that can be associated.

To finish the association, select a Role and click the button.

The association will be added to the list. Multiple associations between Roles can be defined. To remove an association, click the button.

When all the changes are made, return to the first tab and click the button to save the changes.


OAuth2 Authentication

To authenticate the user using the created Realm, you must make a POST call to the REST service at https://www.onesaitplatform.online/controlpanel/oauth-server/oauth/token

This REST request must be authenticated using Basic Auth, with the Realm id as the username and, as the password, the default password onesaitplatform (it can be configured in the Realm definition, see above).

Using Postman, the request should look like this:

In the body of the request, you must enter the authentication parameters:

  • grant_type: password
  • username: the name of the user to authenticate.
  • password: the password of the user to authenticate.
  • clientId: your realm's id.
  • scope: openid



When you send this request, you should receive a JSON response with all the relevant information about the login, including the user (as name or principal), the access_token, the Realm id (as clientId), the list of roles of the logged-in user (as authorities), and a list of associated realms (apps) with the roles that the user has in each of them.

The following is an example of a token response:



This is the same example using curl:


# curl example
# --insecure disables TLS certificate verification; omit it when the server's certificate is trusted by your system.
curl \
--user "ExampleRealm:onesaitplatform" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=developer&password=your_password&clientId=ExampleRealm&scope=openid" \
-X POST https://www.onesaitplatform.online/controlpanel/oauth-server/oauth/token \
--insecure


You can validate a token against the server by sending a GET request to the endpoint https://www.onesaitplatform.online/controlpanel/oauth-server/openplatform-oauth/check_token with the token as a parameter and Basic Auth:


The response should be a JSON with the basic token info:



This is the same example with curl:


curl \
--user "ExampleRealm:onesaitplatform" \
-d "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwcmluY2lwYWwiOiJkYXRhaGlzdG9yaWFuIiwiY2xpZW50SWQiOiJkYXRhaGlzdG9yaWFuIiwidXNlcl9uYW1lIjoiZGF0YWhpc3RvcmlhbiIsInNjb3BlIjpbIm9wZW5pZCJdLCJuYW1lIjoiZGF0YWhpc3RvcmlhbiIsImV4cCI6MTU0MzM1NzkzOSwiZ3JhbnRUeXBlIjoicGFzc3dvcmQiLCJwYXJhbWV0ZXJzIjp7ImNsaWVudElkIjoiZGF0YWhpc3RvcmlhbiIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJuYW1lIjoiZGF0YWhpc3RvcmlhbiIsInNjb3BlIjoib3BlbmlkIn0sImF1dGhvcml0aWVzIjpbImFkbWluIl0sImp0aSI6Ijc5ZGQzNTI3LTFhNDMtNDQ5NS1hN2EwLWI1NTcyZjQ0MDYzZSIsImNsaWVudF9pZCI6ImRhdGFoaXN0b3JpYW4iLCJhcHBzIjp7fX0.7v5Owv_soQk5wkCE1NOJED6Soncpylo7K5KurNjg1M0" \
-X GET https://www.onesaitplatform.online/controlpanel/oauth-server/openplatform-oauth/check_token \
--insecure
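
An added example (not code from the platform or its documentation) of how a client application might use the fields described above once the server has accepted a token: it reads the clientId, authorities, apps and exp claims and decides whether the user holds a role in a given realm. The role names, the AssociatedRealm id, the sample token and the shape of apps (realm id mapped to a list of roles) are assumptions made for the example.

```python
import base64
import json
import time


def decode_claims(jwt):
    """Decode a JWT payload WITHOUT verifying its signature.

    Only for inspection, or after check_token has accepted the token.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_in(claims, realm):
    """Roles the token grants in `realm` (the login realm or an associated one)."""
    if claims.get("clientId") == realm:
        return set(claims.get("authorities", []))
    # Assumed shape: "apps" maps an associated realm id to a list of roles.
    return set(claims.get("apps", {}).get(realm, []))


def is_authorized(claims, realm, role, now=None):
    """True only for an unexpired token that carries `role` in `realm`."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False  # missing or past expiry: reject
    return role in roles_in(claims, realm)


# Constructed sample data; the signature part is a dummy and is never checked here.
SAMPLE_CLAIMS = {
    "principal": "developer", "clientId": "ExampleRealm", "exp": 2000000000,
    "authorities": ["operator"], "apps": {"AssociatedRealm": ["viewer"]},
}
_body = base64.urlsafe_b64encode(json.dumps(SAMPLE_CLAIMS).encode()).rstrip(b"=")
SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9." + _body.decode() + ".constructed-signature"

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    for realm, role in [("ExampleRealm", "operator"), ("ExampleRealm", "viewer"),
                        ("AssociatedRealm", "viewer")]:
        print(realm, role, is_authorized(claims, realm, role, now=1700000000))
```

Local decoding does not prove the token is genuine; the check_token call shown above remains the step that validates it.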