
Problem setting up non-Keycloak OIDC #900

Open
BertrandPerrin opened this issue Dec 17, 2024 · 3 comments

Comments


BertrandPerrin commented Dec 17, 2024

Hello,

I am trying to set up OIDC authentication outside Keycloak.
The authentication does not complete because the client (front end) never calls the "token_endpoint" defined in the configuration.

The request for the login screen and the authentication itself seem to go fine, as can be seen in the sequence of requests shown below.
Screenshot 2024-12-17 at 13 24 17
The call to the API configuration goes fine... but there is no call to the OIDC configuration and no call to the token service.

NB: for information, in the Keycloak case this call is clearly visible
Screenshot 2024-12-17 at 13 20 52

The OIDC config in the API's Helm chart is the following:

{
   "build":{
      "version":"v4.1.0",
      "timestamp":1732627631
   },
   "regions":[
      {
         "services":{
            "singleNamespace":true,
            "allowNamespaceCreation":true,
            "namespaceLabels":{
               
            },
            "namespaceAnnotations":{
               
            },
            "userNamespace":true,
            "namespacePrefix":"user-",
            "groupNamespacePrefix":"projet-",
            "authenticationMode":"serviceAccount",
            "expose":{
               "domain":"ide.bad06-e99-290.val.cl1.arkea.com",
               "useDefaultCertificate":true,
               "annotations":{
                  
               },
               "ingress":false,
               "route":false,
               "istio":{
                  "enabled":true,
                  "gateways":[
                     "arkea-ad06/onyxia-exposition-ide-val-istio-service"
                  ]
               }
            },
            "allowedURIPattern":"^https://",
            "quotas":{
               "userEnabled":false,
               "groupEnabled":false,
               "roles":{
                  
               }
            },
            "k8sPublicEndpoint":{
               
            },
            "namespaceAnnotationsDynamic":{
               "enabled":true,
               "userAttributes":[
                  
               ]
            }
         },
         "data":{
            
         }
      }
   ],
   "oidcConfiguration":{
      "issuerURI":"https://identity.hml.arkea.com/cas/oidc",
      "clientID":"vDuVXshforE5mYoeYY3settZ47TWKrKRee3RLvn6WEErHHQKWAj987YvSjLEW2zE",
      "extraQueryParams":""
   }
}

The OIDC config of the identity provider is the following:

{
   "issuer":"https://identity.hml.arkea.com/cas/oidc",
   "scopes_supported":[
      "openid",
      "profile",
      "email",
      "address",
      "phone",
      "userRights"
   ],
   "response_types_supported":[
      "code",
      "token",
      "id_token token"
   ],
   "subject_types_supported":[
      "public",
      "pairwise"
   ],
   "claim_types_supported":[
      "normal"
   ],
   "claims_supported":[
      "sub",
      "name",
      "preferred_username",
      "family_name",
      "middle_name",
      "given_name",
      "profile",
      "efs",
      "structure",
      "delegationLevel",
      "picture",
      "nickname",
      "website",
      "zoneinfo",
      "locale",
      "updated_at",
      "birthdate",
      "email",
      "email_verified",
      "phone_number",
      "phone_number_verified",
      "address",
      "usr_rights",
      "role",
      "groups"
   ],
   "grant_types_supported":[
      "authorization_code",
      "password",
      "client_credentials",
      "refresh_token"
   ],
   "id_token_signing_alg_values_supported":[
      "none",
      "RS256",
      "RS384",
      "RS512",
      "PS256",
      "PS384",
      "PS512",
      "ES256",
      "ES384",
      "ES512",
      "HS256",
      "HS384",
      "HS512"
   ],
   "id_token_encryption_alg_values_supported":[
      "RSA1_5",
      "RSA-OAEP",
      "RSA-OAEP-256",
      "A128KW",
      "A192KW",
      "A256KW",
      "A128GCMKW",
      "A192GCMKW",
      "A256GCMKW",
      "ECDH-ES",
      "ECDH-ES+A128KW",
      "ECDH-ES+A192KW",
      "ECDH-ES+A256KW"
   ],
   "id_token_encryption_enc_values_supported":[
      "A128CBC-HS256",
      "A192CBC-HS384",
      "A256CBC-HS512",
      "A128GCM",
      "A192GCM",
      "A256GCM"
   ],
   "userinfo_signing_alg_values_supported":[
      "none",
      "RS256",
      "RS384",
      "RS512",
      "PS256",
      "PS384",
      "PS512",
      "ES256",
      "ES384",
      "ES512",
      "HS256",
      "HS384",
      "HS512"
   ],
   "userinfo_encryption_alg_values_supported":[
      "RSA1_5",
      "RSA-OAEP",
      "RSA-OAEP-256",
      "A128KW",
      "A192KW",
      "A256KW",
      "A128GCMKW",
      "A192GCMKW",
      "A256GCMKW",
      "ECDH-ES",
      "ECDH-ES+A128KW",
      "ECDH-ES+A192KW",
      "ECDH-ES+A256KW"
   ],
   "userinfo_encryption_enc_values_supported":[
      "A128CBC-HS256",
      "A192CBC-HS384",
      "A256CBC-HS512",
      "A128GCM",
      "A192GCM",
      "A256GCM"
   ],
   "acr_values_supported":[
      "mfa-simple",
      "mfa-webauthn",
      "mfa-gauth",
      "mfa-radius"
   ],
   "request_object_signing_alg_values_supported":[
      "none",
      "RS256",
      "RS384",
      "RS512",
      "PS256",
      "PS384",
      "PS512",
      "ES256",
      "ES384",
      "ES512",
      "HS256",
      "HS384",
      "HS512"
   ],
   "request_object_encryption_alg_values_supported":[
      "RSA1_5",
      "RSA-OAEP",
      "RSA-OAEP-256",
      "A128KW",
      "A192KW",
      "A256KW",
      "A128GCMKW",
      "A192GCMKW",
      "A256GCMKW",
      "ECDH-ES",
      "ECDH-ES+A128KW",
      "ECDH-ES+A192KW",
      "ECDH-ES+A256KW"
   ],
   "request_object_encryption_enc_values_supported":[
      "A128CBC-HS256",
      "A192CBC-HS384",
      "A256CBC-HS512",
      "A128GCM",
      "A192GCM",
      "A256GCM"
   ],
   "introspection_endpoint_auth_methods_supported":[
      "client_secret_basic"
   ],
   "token_endpoint_auth_methods_supported":[
      "client_secret_basic",
      "client_secret_post",
      "client_secret_jwt",
      "private_key_jwt"
   ],
   "code_challenge_methods_supported":[
      "plain",
      "S256"
   ],
   "claims_parameter_supported":true,
   "request_uri_parameter_supported":true,
   "request_parameter_supported":true,
   "backchannel_logout_supported":true,
   "frontchannel_logout_supported":true,
   "authorization_endpoint":"https://identity.hml.arkea.com/cas/oidc/oidcAuthorize",
   "token_endpoint":"https://identity.hml.arkea.com/cas/oidc/oidcAccessToken",
   "userinfo_endpoint":"https://identity.hml.arkea.com/cas/oidc/oidcProfile",
   "pushed_authorization_request_endpoint":"https://identity.hml.arkea.com/cas/oidc/oidcPushAuthorize",
   "registration_endpoint":"https://identity.hml.arkea.com/cas/oidc/register",
   "end_session_endpoint":"https://identity.hml.arkea.com/cas/oidc/oidcLogout",
   "introspection_endpoint":"https://identity.hml.arkea.com/cas/oidc/introspect",
   "revocation_endpoint":"https://identity.hml.arkea.com/cas/oidc/revoke",
   "backchannel_logout_session_supported":true,
   "frontchannel_logout_session_supported":true,
   "jwks_uri":"https://identity.hml.arkea.com/cas/oidc/jwks"
}
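The first thing to verify when a front end never reaches the token endpoint is whether the provider metadata actually advertises what an authorization-code client needs: an issuer that matches the configured issuerURI exactly, the authorization/token/JWKS endpoints, response_type "code", grant "authorization_code" and PKCE S256. The check below is an added example written for this thread, not code from the issue or from the Onyxia project; the discovery document and client block are constructed samples with a placeholder issuer and client ID that mirror the field shape quoted above.

```python
"""Validate an OIDC client configuration against the provider's discovery document.

Added example (not Onyxia code). The sample data below is constructed and uses
placeholder hosts and IDs; the field names follow OpenID Connect Discovery 1.0.
"""
import json
from urllib.parse import urlparse

# Constructed sample discovery document (placeholder issuer, same shape as the
# provider metadata quoted in the issue).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/cas/oidc",
    "authorization_endpoint": "https://idp.example.test/cas/oidc/oidcAuthorize",
    "token_endpoint": "https://idp.example.test/cas/oidc/oidcAccessToken",
    "userinfo_endpoint": "https://idp.example.test/cas/oidc/oidcProfile",
    "jwks_uri": "https://idp.example.test/cas/oidc/jwks",
    "response_types_supported": ["code", "token", "id_token token"],
    "grant_types_supported": ["authorization_code", "password",
                              "client_credentials", "refresh_token"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "id_token_signing_alg_values_supported": ["none", "RS256", "ES256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
})

# Constructed client-side block in the shape of the API's "oidcConfiguration".
SAMPLE_CLIENT = {
    "issuerURI": "https://idp.example.test/cas/oidc",
    "clientID": "example-client-id",  # placeholder, not a real client
    "extraQueryParams": "",
}

# Endpoints the authorization-code flow cannot work without.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """URL a client fetches provider metadata from for a given issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(discovery_json: str, client_config: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings. No 'error' entries means the
    authorization-code + PKCE flow a browser client uses is available."""
    findings: list[tuple[str, str]] = []
    try:
        meta = json.loads(discovery_json)
    except json.JSONDecodeError as exc:
        return [("error", f"discovery document is not valid JSON: {exc}")]

    # 1. The issuer in the metadata must equal the configured issuer byte for byte;
    #    a stray trailing slash is enough to fail this, which is intended.
    issuer = meta.get("issuer")
    configured = client_config.get("issuerURI")
    if issuer != configured:
        findings.append(("error", f"issuer mismatch: metadata {issuer!r}, client {configured!r}"))

    # 2. Required endpoints must be present and served over HTTPS.
    for key in REQUIRED_ENDPOINTS:
        url = meta.get(key)
        if not url:
            findings.append(("error", f"missing {key}"))
            continue
        if urlparse(url).scheme != "https":
            findings.append(("error", f"{key} is not https: {url}"))

    # 3. The browser client sends response_type=code and redeems it with
    #    grant_type=authorization_code at the token endpoint.
    if "code" not in meta.get("response_types_supported", []):
        findings.append(("error", "provider does not advertise response_type 'code'"))
    if "authorization_code" not in meta.get("grant_types_supported", []):
        findings.append(("error", "provider does not advertise grant_type 'authorization_code'"))

    # 4. A public client should bind the code to its session with PKCE S256.
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        findings.append(("error", "PKCE method S256 not supported"))

    # 5. Advertising alg 'none' is allowed, but the client must never accept
    #    an unsigned ID token; flag it so the client-side check gets reviewed.
    if "none" in meta.get("id_token_signing_alg_values_supported", []):
        findings.append(("warning", "provider advertises id_token alg 'none'; "
                                    "make sure the client rejects unsigned ID tokens"))
    return findings


def errors(findings: list[tuple[str, str]]) -> list[str]:
    """Only the blocking findings."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    print("would fetch:", discovery_url(SAMPLE_CLIENT["issuerURI"]))
    for sev, msg in check_discovery(SAMPLE_DISCOVERY, SAMPLE_CLIENT):
        print(f"[{sev}] {msg}")
```

Run against a real deployment by replacing SAMPLE_DISCOVERY with the body fetched from discovery_url(issuerURI) and SAMPLE_CLIENT with the "oidcConfiguration" block returned by the API. If this reports no errors and the browser still never calls token_endpoint, the problem is on the client side (which discovery document it loads and which flow it starts), not in the provider metadata.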

micedre commented Dec 17, 2024

I think OIDC configuration should be at the API level as indicated in this snippet: InseeFrLab/onyxia-ops@37faa63 (found in docs).

On a private instance, the configuration fetched from API gives all the oidc info in order to authenticate users.

The oidc configuration in ui is needed to provide the multiple tokens (s3, kubernetes, vault) to the users.

@garronej
Contributor

@micedre, actually @BertrandPerrin copy/pasted the response of the /configuration endpoint.

I think he did configure Onyxia correctly upstream.


micedre commented Dec 17, 2024

Right, my bad :)
