In Stream Processor, user management is carried out through the Identity Provider Client (IdP Client) interface, which can be switched according to the deployment scenario. A custom IdP Client can also be written to provide the required user store connection and authentication.
The following IdP Clients are available in the Stream Processor:
- Local IdP Client
- External IdP Client
IdP Clients are switched through the following configuration in the <SP_HOME>/conf/<PROFILE>/deployment.yaml file:

```yaml
auth.configs:
  # Type of the IdP Client used for the user authentication
  type: local
```

The 'Local' IdP Client is active by default in the SP.
Local IdP Client
The Local IdP Client interacts with the file based user store defined in <SP_HOME>/conf/<PROFILE>/deployment.yaml under the "auth.configs" namespace, as follows:

```yaml
auth.configs:
  type: 'local'
  userManager:
    adminRole: admin
    userStore:
      users:
        - user:
            username: admin
            password: YWRtaW4=
            roles: 1
      roles:
        - role:
            id: 1
            displayName: admin
```

The above user and role are added by default.
If new users or roles are added and the default user and role above are still needed, the defaults must be kept in the user store alongside the added users and roles.
The parameters used in the above configuration are:

Parameter | Default Value | Description |
---|---|---|
userManager > adminRole | admin | The name of the role that has administrator privileges. |
userManager > userStore > users > user > username | | The username of the user. |
userManager > userStore > users > user > password | | The encrypted password of the user. |
userManager > userStore > users > user > roles | | Comma separated list of the ids of the roles assigned to the user. |
userManager > userStore > roles > role > id | 1 | The unique ID for the role. |
userManager > userStore > roles > role > displayName | admin | The name of the role. |
Furthermore, Local IdP Client functionality can be changed through the properties defined in <SP_HOME>/conf/<PROFILE>/deployment.yaml under the "auth.configs" namespace, as follows:

```yaml
auth.configs:
  type: local
  properties:
    sessionTimeout: 3600
    refreshSessionTimeout: 86400
```
The parameters in the properties are:

Parameter | Default Value | Description |
---|---|---|
properties > sessionTimeout | 3600 | Validity period of the session, in seconds, after the user logs in. |
properties > refreshSessionTimeout | 86400 | Validity period, in seconds, of the refresh token used to extend the session. |
The full default configuration of the 'Local' IdP Client is as follows:

```yaml
auth.configs:
  type: 'local'
  properties:
    sessionTimeout: 3600
    refreshSessionTimeout: 86400
  userManager:
    adminRole: admin
    userStore:
      users:
        - user:
            username: admin
            password: YWRtaW4=
            roles: 1
      roles:
        - role:
            id: 1
            displayName: admin
```
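The following is an added example, not part of the Stream Processor distribution: a lint over the local user store section shown above. It assumes the section has already been loaded from deployment.yaml into a Python dict (the constructed dict below mirrors the default config); it decodes the stored password (the default YWRtaW4= is base64 for "admin"), checks that every user's role ids exist under userStore > roles, that adminRole names a defined role, and that the session timeouts are consistent.

```python
import base64

# Constructed in-memory form of the default 'auth.configs' section above,
# as a YAML loader would produce it from deployment.yaml (not the real file).
DEFAULT_LOCAL_AUTH_CONFIGS = {
    "type": "local",
    "properties": {"sessionTimeout": 3600, "refreshSessionTimeout": 86400},
    "userManager": {
        "adminRole": "admin",
        "userStore": {
            "users": [{"user": {"username": "admin", "password": "YWRtaW4=", "roles": 1}}],
            "roles": [{"role": {"id": 1, "displayName": "admin"}}],
        },
    },
}


def decode_password(encoded):
    """The user store holds passwords base64-encoded; decoding recovers the cleartext."""
    return base64.b64decode(encoded).decode("utf-8")


def lint_local_auth_configs(cfg):
    """Return a list of findings (empty list means the section is consistent)."""
    findings = []
    um = cfg.get("userManager", {})
    store = um.get("userStore", {})
    roles = {r["role"]["id"]: r["role"]["displayName"] for r in store.get("roles", [])}
    if um.get("adminRole") not in roles.values():
        findings.append(f"adminRole '{um.get('adminRole')}' matches no role displayName")
    for entry in store.get("users", []):
        user = entry["user"]
        # 'roles' is a comma separated list of role ids; YAML loads a single id as int
        for rid in str(user.get("roles", "")).split(","):
            rid = rid.strip()
            if not rid or int(rid) not in roles:
                findings.append(f"user '{user['username']}' references unknown role id '{rid}'")
        if decode_password(user["password"]) == "admin":
            findings.append(f"user '{user['username']}' still uses the default password")
    props = cfg.get("properties", {})
    if props.get("refreshSessionTimeout", 86400) < props.get("sessionTimeout", 3600):
        findings.append("refreshSessionTimeout is shorter than sessionTimeout")
    return findings
```

Run against the default section it reports only the unchanged default password; against an edited section it also catches dangling role ids and an adminRole that no role defines.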
External IdP Client
The External IdP Client authenticates users by interacting with an external Identity Provider using the OAuth2 and SCIM2 protocols. The user store is maintained by the external Identity Provider, and the SP authenticates a user by requesting an access token from the Identity Provider using the password grant type.
The Identity Provider with which the Stream Processor interacts must be started before the SP server.
The user manager under the 'auth.configs' namespace must be configured as below:

```yaml
auth.configs:
  type: external
  authManager:
    adminRole: admin
```
The parameters used in the above configuration are:

Parameter | Default Value | Description |
---|---|---|
userManager > adminRole | admin | The name of the role that has administrator privileges. |
Furthermore, External IdP Client functionality can be changed through the properties defined in <SP_HOME>/conf/<PROFILE>/deployment.yaml under the "auth.configs" namespace, as follows:

```yaml
auth.configs:
  type: external
  properties:
    kmDcrUrl: https://localhost:9443/identity/connect/register
    kmTokenUrl: https://localhost:9443/oauth2
    kmUsername: admin
    kmPassword: admin
    idpBaseUrl: https://localhost:9443/scim2
    idpUsername: admin
    idpPassword: admin
    portalAppContext: portal
    statusDashboardAppContext: monitoring
    businessRulesAppContext: business-rules
    databaseName: WSO2_OAUTH_APP_DB
    cacheTimeout: 900
    baseUrl: https://localhost:9643
    grantType: password
```
The properties to be configured for the External IdP Client are as follows:

Property | Default Value | Description |
---|---|---|
kmDcrUrl | https://localhost:9443/identity/connect/register | The Dynamic Client Registration endpoint of the key manager in the IdP. |
dcrAppOwner | kmUsername | |
kmTokenUrl | https://localhost:9443/oauth2 | The token endpoint of the key manager in the IdP. |
kmUsername | admin | Username for the key manager in the IdP. |
kmPassword | admin | Password for the key manager in the IdP. |
idpBaseUrl | https://localhost:9443/scim2 | SCIM2 endpoint of the IdP. |
idpUsername | admin | Username for the IdP. |
idpPassword | admin | Password for the IdP. |
portalAppContext | portal | App context of the dashboard app in the SP. |
statusDashboardAppContext | monitoring | App context of the status dashboard app in the SP. |
businessRulesAppContext | business-rules | App context of the business rules app in the SP. |
databaseName | WSO2_OAUTH_APP_DB | Name of the wso2.datasource used to store the OAuth app credentials. |
cacheTimeout | 900 | Validity period of the token cache, in seconds. |
baseUrl | https://localhost:9643 | Base URL to which the token should be redirected after the code returned from the 'Authorization Code' grant type is used to get the token. |
grantType | password | Grant type used in the OAuth app token request. |
spClientId / portalClientId / statusDashboardClientId / businessRulesClientId | N/A | Client Id of the OAuth App. If left empty, DCR will be called to register the app and persist the client id in the data store. |
spClientId / portalClientId / statusDashboardClientId / businessRulesClientId | N/A | Client Secret of the OAuth App. If left empty, DCR will be called to register the app and persist the client secret in the data store. |
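As an added example (not code from the Stream Processor project), the check below reviews an External IdP Client 'properties' section before deployment. It assumes the section has been loaded into a Python dict (the constructed dict below mirrors the defaults above) and reports key manager and IdP endpoints that are not served over https, key manager or IdP credentials still set to the default admin/admin, and which apps will fall back to Dynamic Client Registration because their client id is empty.

```python
from urllib.parse import urlparse

# Constructed dict mirroring the default external IdP Client properties above.
DEFAULT_EXTERNAL_PROPERTIES = {
    "kmDcrUrl": "https://localhost:9443/identity/connect/register",
    "kmTokenUrl": "https://localhost:9443/oauth2",
    "kmUsername": "admin",
    "kmPassword": "admin",
    "idpBaseUrl": "https://localhost:9443/scim2",
    "idpUsername": "admin",
    "idpPassword": "admin",
    "portalAppContext": "portal",
    "statusDashboardAppContext": "monitoring",
    "businessRulesAppContext": "business-rules",
    "databaseName": "WSO2_OAUTH_APP_DB",
    "cacheTimeout": 900,
    "baseUrl": "https://localhost:9643",
    "grantType": "password",
}

# Endpoints that carry credentials or tokens and therefore must be https.
URL_KEYS = ("kmDcrUrl", "kmTokenUrl", "idpBaseUrl", "baseUrl")
# Username/password pairs shipped with the default value admin/admin.
CREDENTIAL_PAIRS = (("kmUsername", "kmPassword"), ("idpUsername", "idpPassword"))
# Per-app client ids; an empty one triggers DCR at kmDcrUrl (see the table above).
CLIENT_ID_KEYS = ("spClientId", "portalClientId", "statusDashboardClientId", "businessRulesClientId")


def lint_external_properties(props):
    """Return a list of findings for an external IdP Client 'properties' section."""
    findings = []
    for key in URL_KEYS:
        url = props.get(key, "")
        if urlparse(url).scheme != "https":
            findings.append(f"{key} does not use https: {url!r}")
    for user_key, pw_key in CREDENTIAL_PAIRS:
        if props.get(user_key) == "admin" and props.get(pw_key) == "admin":
            findings.append(f"{user_key}/{pw_key} still use the default admin credentials")
    # With an empty client id the SP registers the app via DCR using kmUsername/kmPassword
    # and persists the returned client id in the databaseName datasource.
    missing = [key for key in CLIENT_ID_KEYS if not props.get(key)]
    if missing:
        findings.append("DCR will be called to register apps for: " + ", ".join(missing))
    return findings
```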
Writing custom IdP Client
When writing a custom IdP Client, two interfaces must be implemented, namely:
- IdPClientFactory - A factory OSGi service that initializes the custom IdPClient using the properties from IdPClientConfiguration.
- IdPClient - An interface with functions that provide user authentication and retrieval to the other services.