onesait Platform can act as an OAuth2 Server for external applications.
In this example, we will configure a realm in the Open Platform and authenticate against it through REST services.
Realm Configuration
Firstly, access the platform as a developer and open the My Realms section in the Development menu.
Here, click the button and fill in the form with the application details: the realm's unique identifier, name and a description. Secret and Token validity seconds are optional attributes associated with OAuth2 authentication.
Once the details are completed, you can define as many roles as needed.
All changes will be stored by clicking the button. A new Realm will be created.
Adding Users to the Realm and Assigning Roles
Once the Realm is created, the owner user (or a user with the developer role) can register users in the realm.
To do so, edit the Realm by clicking the edit button in the Realm list.
Then, access the tab to register users:
In this section, users can be registered, assigning each of them an associated Realm Role. A user can be registered with several different Realm Roles.
Select the user and the Realm Role and click the button.
Once a user has been registered, it can be removed by clicking on the button.
To store this modification, select the tab and click on the button.
Mapping LDAP Users
If LDAP authentication is used in your deployed platform, you will see a checkbox in the User Assignment tab. You can search and import LDAP users as well as LDAP groups.
Check it. You can then search for users and groups by DN.
If you want to import LDAP users, fill in the 'USERS DN BASE' field underneath with the DN. This operation searches for all users belonging to that DN.
The same can be done for groups.
When you map an LDAP group to a ROLE, all the group's users will be created in the platform and associated with this ROLE.
Realm Associations
To establish a hierarchy, an association between Realms can be defined.
When you establish this association, a mapping is created between the roles in this realm and the roles in the associated realm. So, when a user authenticates to the Realm, it gets the Realm's Roles and all the Roles mapped from Associated Realms.
To establish the association, first select a Role from the Realm. Then select an associated Realm. Once this Realm is selected, a combo will appear including all its Roles.
To finish the association, select a Role and click the button.
The association is added to the list. Multiple associations between Roles can be defined. To remove an association, click the button.
When all the changes are made, return to the first tab and click the button to save the changes.
OAuth2 Authentication
To authenticate a user using the created Realm, you must make a POST call to https://www.onesaitplatform.online/controlpanel/oauth-server/oauth/token
This call must be authenticated using Basic Auth, with the realm id as the username and the default password onesaitplatform (it can be configured in the Realm definition, see above).
Using Postman, it should look like this:
Enter the authentication parameters in the body:
- grant_type: password
- username: the name of the user to be authenticated.
- password: the password associated to the user.
- clientId: your realm's id.
- scope: openid
When sending this, you should receive a JSON with all the relevant information about the login, including the username (as name or principal), the access_token, the Realm Id (as clientId), the list of roles of the logged-in user (as authorities) and a list of associated realms (apps) with the roles the user has in each of them.
The following is an example of a token response:
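The following Python client is an added example, not code from the original page or from the onesait Platform project. It builds the password-grant POST exactly as described above (Basic Auth with the realm id and secret, form-encoded grant_type/username/password/clientId/scope), parses the fields the text names in the response, and also resolves the effective role set described in the Realm Associations section (the realm's own authorities plus the roles mapped from associated realms). The sample response embedded at the bottom is constructed for illustration, and the shape of the apps field (realm id mapped to a list of roles) is an assumption.

```python
import base64
import json
import urllib.parse
import urllib.request

# Token endpoint named on the page.
TOKEN_URL = "https://www.onesaitplatform.online/controlpanel/oauth-server/oauth/token"


def basic_auth_header(realm_id: str, secret: str) -> str:
    """Basic Auth value: the realm id is the username, the realm secret is the password."""
    raw = f"{realm_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(realm_id: str, secret: str, username: str, password: str):
    """Return (headers, form body) for the password-grant POST described above."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "clientId": realm_id,
        "scope": "openid",
    })
    headers = {
        "Authorization": basic_auth_header(realm_id, secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, body


def request_token(realm_id, secret, username, password, url=TOKEN_URL):
    """Send the request and return the parsed JSON response (needs network access; TLS is verified)."""
    headers, body = build_token_request(realm_id, secret, username, password)
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarize_login(token_response: dict) -> dict:
    """Extract the fields the page names. 'apps' is ASSUMED to map realm id -> list of roles."""
    user = token_response.get("name") or token_response.get("principal")
    return {
        "user": user,
        "realm": token_response.get("clientId"),
        "has_token": bool(token_response.get("access_token")),
        "roles": list(token_response.get("authorities") or []),
        "associated": dict(token_response.get("apps") or {}),
    }


def effective_roles(token_response: dict) -> list:
    """Realm roles plus the roles mapped from associated realms, deduplicated and sorted."""
    roles = set(token_response.get("authorities") or [])
    for mapped in (token_response.get("apps") or {}).values():
        roles.update(mapped)
    return sorted(roles)


# Constructed sample response (not a real server answer); everything beyond the
# field names the page lists is an assumption.
SAMPLE_TOKEN_RESPONSE = {
    "name": "developer",
    "principal": "developer",
    "clientId": "ExampleRealm",
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload>.<signature>",
    "token_type": "bearer",
    "expires_in": 3600,
    "scope": "openid",
    "authorities": ["ROLE_ADMIN"],
    "apps": {"AssociatedRealm": ["ROLE_VIEWER"]},
}

if __name__ == "__main__":
    # Offline run: show what a client would keep from the response.
    print(json.dumps(summarize_login(SAMPLE_TOKEN_RESPONSE), indent=2))
    print("effective roles:", effective_roles(SAMPLE_TOKEN_RESPONSE))
```

Two design choices differ from the curl call that follows on this page: the client lets urllib verify the server certificate instead of disabling TLS verification, and the realm secret is a parameter rather than a literal, so a realm that is exposed beyond a test environment can use the Secret configured in its definition instead of the default password.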
This is the same example using curl:
curl \
  --user "ExampleRealm:onesaitplatform" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&username=developer&password=your_password&clientId=ExampleRealm&scope=openid" \
  -X POST https://www.onesaitplatform.online/controlpanel/oauth-server/oauth/token \
  --insecure   # skips TLS certificate verification; drop it once the server certificate is trusted
You can validate a token against the server by sending a GET request to https://www.onesaitplatform.online/controlpanel/oauth-server/openplatform-oauth/check_token with the token as a parameter and Basic Auth.
The response should be a JSON with the basic token info:
This is the same example with curl:
curl \
  --user "ExampleRealm:onesaitplatform" \
  -d "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload omitted>.7v5Owv_soQk5wkCE1NOJED6Soncpylo7K5KurNjg1M0" \
  -X GET https://www.onesaitplatform.online/controlpanel/oauth-server/openplatform-oauth/check_token \
  --insecure   # skips TLS certificate verification; drop it once the server certificate is trusted
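The token check described above, as an added Python example that is not part of the original page or of the onesait Platform project. It builds the check_token GET with Basic Auth, returns the HTTP status together with the body so that a rejection is visible to the caller, and separates two things a client should keep apart: decoding the JWT locally (inspection only, the signature is not checked) and deciding whether the token may be trusted, which is left to the server's answer. Sending the token as a query-string parameter, and the response fields active and exp used in token_accepted, are assumptions; the sample token is constructed and unsigned.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Validation endpoint named on the page.
CHECK_TOKEN_URL = ("https://www.onesaitplatform.online/controlpanel/oauth-server/"
                   "openplatform-oauth/check_token")


def basic_auth_header(realm_id: str, secret: str) -> str:
    """Basic Auth value: realm id as username, realm secret as password."""
    raw = f"{realm_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_check_token_request(realm_id, secret, token, url=CHECK_TOKEN_URL):
    """GET <url>?token=<token> with Basic Auth (query-string placement is an assumption)."""
    full_url = url + "?" + urllib.parse.urlencode({"token": token})
    return full_url, {"Authorization": basic_auth_header(realm_id, secret)}


def check_token(realm_id, secret, token, url=CHECK_TOKEN_URL):
    """Ask the server; returns (status, body) and does not raise on 4xx (needs network access)."""
    full_url, headers = build_check_token_request(realm_id, secret, token, url)
    req = urllib.request.Request(full_url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read().decode("utf-8") or "{}")
        except ValueError:
            return err.code, {}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def peek_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT verifying the signature: for inspection only,
    never as the basis of an authorization decision (that is what check_token is for)."""
    header_b64, payload_b64, _signature = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "payload": json.loads(_b64url_decode(payload_b64)),
    }


def token_accepted(status: int, info, now: float = None) -> bool:
    """Decide from the server's answer whether the token may be trusted.
    Assumed rules: anything but HTTP 200 rejects; an explicit 'active': false rejects;
    an 'exp' (epoch seconds) at or before 'now' rejects."""
    now = time.time() if now is None else now
    if status != 200 or not isinstance(info, dict):
        return False
    if info.get("active") is False:
        return False
    exp = info.get("exp")
    if exp is not None and float(exp) <= now:
        return False
    return True


def make_sample_jwt(payload: dict) -> str:
    """Constructed, UNSIGNED sample token used only to exercise peek_jwt offline."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(payload)}.not-a-real-signature"


if __name__ == "__main__":
    sample = make_sample_jwt({"user_name": "developer", "client_id": "ExampleRealm", "exp": 2000000000})
    print(json.dumps(peek_jwt(sample), indent=2))
    # Constructed server answers, to show the decision logic offline.
    print(token_accepted(200, {"exp": 2000000000}))       # True
    print(token_accepted(401, {"error": "invalid_token"}))  # False
```

The header segment produced by make_sample_jwt is the same eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 seen at the start of the token in the curl call, which decodes to {"alg":"HS256","typ":"JWT"}: an HMAC-signed token, so only the server holding the key can verify it, which is why the client defers to check_token rather than to peek_jwt.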