Solved

OpenID for 3rd party applications

  • 21 December 2022
  • 10 replies
  • 207 views

Userlevel 4
Badge +5

I would like to use OpenID Connect from a 3rd party application to Indicium. Since IAM can be set up as an OpenID client, this should be possible.

I've created a user that contains the credentials and set up the OpenID client and Resource in IAM. However, I am not able to create a connection in Postman. I do get the login screen

[base]/indicium/account/ui/login

But once I login it just stays on the logout screen. I probably did not configure it correctly. Who is able to help me out with this?

What do I need to fill out in these fields:


Best answer by Kasper Reijnders 2 January 2023, 20:31


10 replies

Userlevel 4
Badge +2

Hi Kasper,

I used Insomnia for this and configured it like the screenshot below:

 

The scope full_api_access is only needed if you want to call the Indicium API.
I hope the screenshot helps with configuring Postman!

The client_id "dvdb" is configured in IAM with the secret "123" and redirect URL "http://test.local/foo/".

If you need to call the Indicium API, you also need to set the BearerTokenAuthority as documented here:
https://docs.thinkwisesoftware.com/docs/deployment/indicium_openid#api-access-example

Also it is documented how to connect with Insomnia there!

Userlevel 4
Badge +5

Nice, this does look promising.

However, all the documentation on this is deprecated in favor of doing it directly from IAM since the latest version, Thinkwise 2022.2. I can't seem to find the auth and token URLs from Indicium for this new configuration.

Userlevel 4
Badge +2

Hi Kasper,

The topic API access example which I linked to is not deprecated but I can see why it is a bit confusing.

After you have added clients in IAM, you automatically have the <serverurl>/.well-known/openid-configuration configuration endpoint. There you can find the URLs, but they should be the same as in my screenshot.


The authorization URL and token URL are the same as in the previous version. So from the screenshot I posted, you only have to replace https://local_host:5001/ with your server URL (and maybe you have to add your Indicium path, depending on where your Indicium is located).

Once you have added clients to IAM, you should restart Indicium or it won't pick up the new clients.
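As an added illustration of the configuration described in this thread (not code from the thread or from Thinkwise), the script below reads a constructed discovery document of the kind served at <serverurl>/.well-known/openid-configuration, checks that its endpoints are https and on the issuer's host, and then builds the authorization request and token request that a client such as Postman or Insomnia sends with the client_id "dvdb", secret "123" and redirect URL "http://test.local/foo/" from the earlier reply. The host example.test and the authorize/token endpoint paths are hypothetical placeholders; only the jwks path follows the form given in this thread.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample discovery document. Host and endpoint paths are
# hypothetical; a real one comes from your own Indicium instance.
DISCOVERY_JSON = """{
  "issuer": "https://example.test/indicium",
  "authorization_endpoint": "https://example.test/indicium/authorize",
  "token_endpoint": "https://example.test/indicium/token",
  "jwks_uri": "https://example.test/indicium/.well-known/openid-configuration/jwks"
}"""

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def load_discovery(text):
    """Parse the discovery document and refuse endpoints that are not https
    or not on the issuer's host, so a wrong document fails before any login."""
    disc = json.loads(text)
    missing = [k for k in REQUIRED if k not in disc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    issuer_host = urlparse(disc["issuer"]).netloc
    for key in REQUIRED:
        parts = urlparse(disc[key])
        if parts.scheme != "https":
            raise ValueError(f"{key} must be https, got {disc[key]}")
        if parts.netloc != issuer_host:
            raise ValueError(f"{key} is not on the issuer host {issuer_host}")
    return disc


def build_authorization_url(disc, client_id, redirect_uri, scopes, state=None):
    """Build the URL that opens the Indicium login screen. The state value is
    returned with the URL so the caller can check it on the redirect back."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{disc['authorization_endpoint']}?{urlencode(params)}", state


def extract_code(callback_url, redirect_uri, expected_state):
    """Take the authorization code from the redirect to redirect_uri, rejecting
    a callback for another URI, an error response, or a wrong/missing state."""
    parts = urlparse(callback_url)
    base = parts._replace(query="", fragment="").geturl()
    if base != redirect_uri:
        raise ValueError(f"callback went to {base}, expected {redirect_uri}")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale login or forged callback")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(disc, client_id, client_secret, code, redirect_uri):
    """Form body for the token endpoint (client secret sent in the body).
    redirect_uri must repeat the value used in the authorization request."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return disc["token_endpoint"], body


if __name__ == "__main__":
    disc = load_discovery(DISCOVERY_JSON)
    url, state = build_authorization_url(
        disc, "dvdb", "http://test.local/foo/", ["openid", "full_api_access"])
    print("open in browser:", url)
    # After login, the browser lands on the redirect URL; paste it here.
    callback = f"http://test.local/foo/?code=CODE-PLACEHOLDER&state={state}"
    code = extract_code(callback, "http://test.local/foo/", state)
    print("POST", *build_token_request(disc, "dvdb", "123", code, "http://test.local/foo/"))
```

The scope list only needs full_api_access when the token is meant for Indicium API calls, as noted above; the https and same-host checks in load_discovery are the part that catches a mistyped server URL before the login screen ever appears.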

Userlevel 4
Badge +5

Ah the restart makes sense, I did not do that yet. 

After the restart Indicium did not start anymore, I keep getting a 503 error without anything in the logs except for. I think that I need to configure a keyvault in Azure. (https://docs.thinkwisesoftware.com/docs/deployment/indicium_encryption#store-encryption-keys-on-azure)

2022-12-22T14:54:35.1734926+00:00  [WRN] No persistent storage location for dataprotection is configured. The Encrypt and Decrypt process actions are disabled.
See the Thinkwise documentation on how to configure dataprotection. (cecad728)

 

For now I have removed the config and Indicium starts again. I will continue to look into this in January. Can you confirm that this error is going to be solved by setting up the keyvault?

Userlevel 4
Badge +2

Ah, I didn't know you were running in Azure. The 503 probably has a different reason.

In this case the error is probably not the data protection but something else. Open Azure Kudu (you can find this in the Azure Portal for your App Service under "Advanced Tools").

There you press "Debug console" and in my case I used "PowerShell". In the new screen you can see the folder "Logfiles" and there should be an eventlog.xml. I suspect it contains Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException or something like that.

Indicium tries to generate a certificate, which is required when you add OpenID clients, and this fails in Azure. To fix it, you can add the following configuration to your App Service.

The name of the key must be: website_load_certificates and the value must be a * and not a thumbprint, because Indicium is generating the certificate. This is something that we might improve in the future. Also the App service plan must be basic or higher for it to work.

I will create an issue to also add this to the documentation, because I could not find it yet.

Userlevel 4
Badge +5

Thanks, this indeed is not in the documentation. I will try this when I'm back in the office :) 

Userlevel 4
Badge +5

Thanks Dick, I think I am almost there. I do have the /.well-known/ path and info on what I can send. I am able to authenticate myself, login and retrieve a token. However, when I try to send a request with this token I get the following error:


WWW-Authenticate: Bearer error="invalid_token", error_description="The signature is invalid"

Userlevel 4
Badge +2

Can you try pasting your access token in: https://jwt.io/

On the right hand side, you can see the "kid" and the "x5t". Are they the same as you can find here: <server_url>/.well-known/openid-configuration/jwks?

Just to make sure, what is your value for BearerTokenAuthority in appsettings.json? It should be the <server_url> from above without the last part and must be https.
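The jwt.io check suggested above, done as an added script that is not part of this thread or of Thinkwise's tooling: it decodes the token header without verifying the signature (exactly what jwt.io shows), looks the header's kid or x5t up in a JWKS document of the shape served at <server_url>/.well-known/openid-configuration/jwks, and checks the BearerTokenAuthority value for https. The JWKS content, key ids and the token are constructed placeholders, and the comparison of BearerTokenAuthority against the token's iss claim is an assumption taken from standard OIDC bearer-token validation rather than something the thread states.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample JWKS; key ids and key material are placeholders.
JWKS_JSON = """{"keys": [
  {"kty": "RSA", "use": "sig", "alg": "RS256",
   "kid": "KID-PLACEHOLDER-1", "x5t": "KID-PLACEHOLDER-1",
   "n": "placeholder-modulus", "e": "AQAB"}
]}"""


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode())


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(header, payload):
    """Constructed token for the demo; the signature segment is a dummy,
    since only header and payload are inspected here."""
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"not-a-real-signature"),
    ])


def peek_jwt(token):
    """Return header and payload WITHOUT verifying: this is the jwt.io step,
    a diagnostic, not a substitute for signature verification on the server."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def find_signing_key(header, jwks):
    """Match the token's kid (or x5t) against the published JWKS. No match is
    one way to end up with 'The signature is invalid': there is no key to verify with."""
    wanted = header.get("kid") or header.get("x5t")
    for key in jwks.get("keys", []):
        if wanted and wanted in (key.get("kid"), key.get("x5t")):
            return key
    return None


def check_authority(bearer_token_authority, issuer):
    """BearerTokenAuthority must be https; this example also assumes it must
    equal the token's iss claim (standard OIDC bearer validation)."""
    problems = []
    if urlparse(bearer_token_authority).scheme != "https":
        problems.append("BearerTokenAuthority is not https")
    if bearer_token_authority.rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer {issuer!r} != BearerTokenAuthority {bearer_token_authority!r}")
    return problems


def diagnose(token, jwks_text, bearer_token_authority):
    """Collect the mismatches that explain an invalid_token response."""
    header, payload = peek_jwt(token)
    jwks = json.loads(jwks_text)
    problems = []
    if find_signing_key(header, jwks) is None:
        problems.append(f"kid {header.get('kid')!r} not found in JWKS (stale key after restart?)")
    problems += check_authority(bearer_token_authority, payload.get("iss", ""))
    return problems


if __name__ == "__main__":
    # Constructed token whose kid matches the sample JWKS.
    token = make_unsigned_jwt(
        {"alg": "RS256", "typ": "JWT", "kid": "KID-PLACEHOLDER-1"},
        {"iss": "https://example.test/indicium", "sub": "dvdb"})
    for authority in ("https://example.test/indicium", "https://example.test"):
        print(authority, "->", diagnose(token, JWKS_JSON, authority) or "no problems found")
```

Running it with the authority set to the bare host reproduces the "add the path to indicium when indicium runs in /indicium" point made later in this thread, as a mismatch between the token's issuer and the configured authority.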

Userlevel 4
Badge +5

Thanks, I did not configure the BearerTokenAuthority in appsettings.json. After I added it and restarted everything it works! I checked the values you mentioned and after restart they were the same.

Userlevel 4
Badge +5

To conclude the topic, first: Thanks Dick for the help!

All answers were best answers since I had to add them all. For future reference:

1. Configure in Indicium appsettings.json:
BearerTokenAuthority: <serverurl> (and add the path to Indicium when Indicium runs in /indicium)

2. Add configuration in the Azure App Service Engine:
name: website_load_certificates
value: *

3. Add in IAM the client info that you want to have

4. Do a reboot of the App Service Engine

After this it should work. :) 

5. Test

open: <serverurl>/.well-known/openid-configuration

You'll need to use the Indicium base path for the serverurl, for example https://somesite.eu/indicium/.well-known/openid-configuration