OpenID for 3th party applications

Hi Kasper,

I used Insomnia for this and configured it like the screenshot below:

The scope full_api_access is only needed if you want to call the indicium api.
I hope the screenshot helps with configuring Postman!

The client_id "dvdb” is configured in IAM with the secret "123” and redirect url "http://test.local/foo/”.

If you need to call the Indicium API, you also need to set the BearerTokenAuthority as documented here:
https://docs.thinkwisesoftware.com/docs/deployment/indicium_openid#api-access-example

Also it is documented how to connect with Insomnia there!

Nice, this does look promising.

However all the documentation on this is Deprecated in favor of doing it directly from IAM since the latest version of Thinkwise 2022.2. I can't seem to find the auth and token url's from Indicium for this new configuration.

Hi Kasper,

The topic API access example which I linked to is not deprecated but I can see why it is a bit confusing.

After you added clients in IAM, you automatically will have the <serverurl>/.well-known/openid-configuration configuration endpoint. There you can find the url's but they should be the same as in my screenshot.

The authorization url and token url are the same as in the previous version. So from the screenshot I posted, you only have to replace https://local_host:5001/  with your server url (and maybe you have to add your Indicium path, depending on where your Indicium is located).

Once you added clients to IAM, you should restart Indicium or it won't pick up the new clients.

Ah the restart makes sense, I did not do that yet. 

After the restart indicium did not start anymore, ik keep getting a 503 error without anything in the logs except for. I think that I need to configure a keyvault in Azure. (https://docs.thinkwisesoftware.com/docs/deployment/indicium_encryption#store-encryption-keys-on-azure)

2022-12-22T14:54:35.1734926+00:00  [WRN] No persistent storage location for dataprotection is configured. The Encrypt and Decrypt process actions are disabled.
See the Thinkwise documentation on how to configure dataprotection. (cecad728)

For now I have removed the config and Inidcium starts again. I will continue to look into this in January.  Can you confirm that this error is going to be solved by setting up the keyvault?

Ah, I didn't know you were running in Azure. The 503 probably has a different reason.

In this case probably the error is not the data protection but something else. If you open Azure Kudu (you can find this in the Azure Portal for your App Service under "Advanced Tools”).

There you press "Debug console” and in my case I used “PowerShell”. In the new screen you can see the folder "Logfiles” and there should be an eventlog.xml. I suspect it contains Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException or something like that.

Indicium tries to generate a certificate, which is required when you add OpenID clients, which fails in Azure. To fix it, you can add the following configuration to your App Service. 

The name of the key must be: website_load_certificates and the value must be a * and not a thumbprint, because Indicium is generating the certificate. This is something that we might improve in the future. Also the App service plan must be basic or higher for it to work.

I will create a issue to also add this in the documentation - because I could not find it yet.

Thanks, this indeed is not in the documentation. I will try this when I'm back in the office :) 

Thanks Dick, I think I am almost there. I do have the /.well-known/ path and info on what I can send. I am able to authenticate myself, login and retrieve a token. However, when I try to send a request with this token I get the following error:

WWW-Authenticate: Bearer error="invalid_token", error_description="The signature is invalid"

Can you try pasting your access token in: https://jwt.io/

On the right hand side, you can see the "kid” and the "x5t” - are they the same as you can find here: <server_url>/.well-known/openid-configuration/jwks?

Just to make sure, what is your value for BearerTokenAuthority in appsettings.json? It should be the <server_url> from above without the last part and must be https.

Thanks, I did not configure the BearerTokenAuthority in appsettings.json. After I added it and restarted everything it works! I checked the values you mentioned and after restart they were the same.