I would like to use OpenID connect from a 3th party application to Indicium. Since IAM is able to be set up as OpenID client this should be possible.
I've created a user that contains the credentials and setup the OpenID client and Resouce in IAM. However I am not able to create a connection in postman. I do get the login screen
>base]/indicium/account/ui/login
But once I login it just stays on the logout screen. I probably did not configure it correctly. Who is able to help me out with this?
What do I need to fill out in these fields:
Page 1 / 1
Hi Kasper,
I used Insomnia for this and configured it like the screenshot below:
The scope full_api_access is only needed if you want to call the indicium api. I hope the screenshot helps with configuring Postman!
The client_id "dvdb” is configured in IAM with the secret "123” and redirect url "http://test.local/foo/”.
Also it is documented how to connect with Insomnia there!
Nice, this does look promising.
However all the documentation on this is Deprecated in favor of doing it directly from IAM since the latest version of Thinkwise 2022.2. I can't seem to find the auth and token url's from Indicium for this new configuration.
Hi Kasper,
The topic API access example which I linked to is not deprecated but I can see why it is a bit confusing.
After you added clients in IAM, you automatically will have the <serverurl>/.well-known/openid-configuration configuration endpoint. There you can find the url's but they should be the same as in my screenshot.
The authorization url and token url are the same as in the previous version. So from the screenshot I posted, you only have to replace https://local_host:5001/ with your server url (and maybe you have to add your Indicium path, depending on where your Indicium is located).
Once you added clients to IAM, you should restart Indicium or it won't pick up the new clients.
Ah the restart makes sense, I did not do that yet.
2022-12-22T14:54:35.1734926+00:00 WRN] No persistent storage location for dataprotection is configured. The Encrypt and Decrypt process actions are disabled. See the Thinkwise documentation on how to configure dataprotection. (cecad728)
For now I have removed the config and Inidcium starts again. I will continue to look into this in January. Can you confirm that this error is going to be solved by setting up the keyvault?
Ah, I didn't know you were running in Azure. The 503 probably has a different reason.
In this case probably the error is not the data protection but something else. If you open Azure Kudu (you can find this in the Azure Portal for your App Service under "Advanced Tools”).
There you press "Debug console” and in my case I used “PowerShell”. In the new screen you can see the folder "Logfiles” and there should be an eventlog.xml. I suspect it contains Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException or something like that.
Indicium tries to generate a certificate, which is required when you add OpenID clients, which fails in Azure. To fix it, you can add the following configuration to your App Service.
The name of the key must be: website_load_certificates and the value must be a * and not a thumbprint, because Indicium is generating the certificate. This is something that we might improve in the future. Also the App service plan must be basic or higher for it to work.
I will create a issue to also add this in the documentation - because I could not find it yet.
Thanks, this indeed is not in the documentation. I will try this when I'm back in the office :)
Thanks Dick, I think I am almost there. I do have the /.well-known/ path and info on what I can send. I am able to authenticate myself, login and retrieve a token. However, when I try to send a request with this token I get the following error:
WWW-Authenticate: Bearer error="invalid_token", error_description="The signature is invalid"
On the right hand side, you can see the "kid” and the "x5t” - are they the same as you can find here: <server_url>/.well-known/openid-configuration/jwks?
Just to make sure, what is your value for BearerTokenAuthority in appsettings.json? It should be the <server_url> from above without the last part and must be https.
Thanks, I did not configure the BearerTokenAuthority in appsettings.json. After I added it and restarted everything it works! I checked the values you mentioned and after restart they were the same.
To conclude the topic, first: Thanks Dick for the help!
All answers were best answers since I had to add them all. For future reference:
1. Configure in indicium appsettings.json: BearerTokenAuthority: <serverurl> (and add the path to indicium when indicium runs in /indicium)
2. Add configuration in the Azure App Service Engine: name: website_load_certificates value: *
3. Add in IAM the client info that you want to have