Versions Compared

Old Version 1

changes.mady.by.user Maciej Wojtasik

Saved on

compared with

New Version Current

changes.mady.by.user Geert Graat

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page describes REST service calls with OpenID Connect authentication, performed in automatic tasks.

An automatic task can be executed:

  • in the foreground, for example when it immediately follows a manual task, incoming message node, etc.
  • in the background, for example when it is triggered by a timer node or it is connected to the timer exit of another task

In both cases, the automatic task is executed by the automatic user. When a REST service call is made from the automatic task, and this REST service call is configured to use OpenID Connect authentication, the Runtime obtains an access token for the Runtime Service Account using the Client Credentials grant. The access token is obtained the first time it is needed. On subsequent REST service calls from automatic tasks, a new access token is obtained if the previous one is expired.

Info

The OpenID Connect client configured via the blueriq.security.openid-connect.client-id configuration property must be authorized to use the Client Credentials grant.

In the current version, the access token obtained via the Client Credentials grant must be a JWT and must be compatible with an ID token in terms of the username and role claims.

how to configure OpenID Connect with Multitenancy.

Enabling multi-tenancy

To use OpenID Connect, multi-tenancy needs to be enabled. Also a list of allowed tenants should be configured.

Code Block
titleapplication.properties
blueriq.multi-tenancy.enabled=true
blueriq.multi-tenancy.allowedTenants=blueriq,everest

HTTP request validation

When multi-tenancy is enabled, each HTTP request is validated as follows:

  • Check if the user is logged in using OpenID Connect → JWT token claims should contain the tenant claim.
  • If the user is not logged in, then the tenant header should be present and valid. The HTTP header is valid when its value is in the list of allowed tenants.
  • If the user is logged in, then the tenant header is not required. If it exists, then it needs to match the tenant claim value.

Tenant claim

The JWT token claim can be configured by changing property blueriq.security.jwt-claims.claim-mapping.TenantID. For example:

Code Block
titleapplication.properties
blueriq.security.jwt-claims.claim-mapping.TenantID=$.TenantID

Tenant header

The default HTTP header that is passed in the HTTP request "X-TENANT-ID", it can be configured by changing property blueriq.multi-tenancy.httpHeader. For example:

Code Block
titleapplication.properties
blueriq.multi-tenancy.httpHeader=X-TENANT-ID
Note
The openid connect identity provider must support grant_type=client_credentials for this to work.