
This page describes REST service calls with OpenID Connect authentication, performed in automatic tasks.

An automatic task can be executed:

  • in the foreground, for example when it immediately follows a manual task, incoming message node, etc.
  • in the background, for example when it is triggered by a timer node or it is connected to the timer exit of another task

In both cases, the automatic task is executed by the automatic user. When a REST service call is made from the automatic task, and this REST service call is configured to use OpenID Connect authentication, the Runtime obtains an access token for the Runtime Service Account using the Client Credentials grant. The access token is obtained the first time it is needed. On subsequent REST service calls from automatic tasks, a new access token is obtained if the previous one is expired.

changes in HTTP request validation and how to configure OpenID Connect with Multitenancy.

HTTP request validation

When multitenancy is enabled, each HTTP request is validated as follows:

  • Check whether the user is logged in using OpenID Connect; if so, the JWT token claims must contain the tenant claim
  • If the user is not logged in, the tenant header must be present and valid. The HTTP header is valid when its value is in the list of allowed tenants
  • If the user is logged in, the tenant header is not required. If it is present, its value must match the tenant claim
Info

tenant claim - the JWT token claim that holds the tenant; it can be configured by changing the property blueriq.security.jwt-claims.claim-mapping.TenantID=$.TenantID

tenant header - the HTTP header passed in the HTTP request; its name can be configured by changing the property blueriq.multi-tenancy.httpHeader=X-TENANT-ID

allowed tenants - the set of tenants that can be used in the system; it can be configured using the property blueriq.multi-tenancy.allowedTenants=blueriq,everest
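The validation rules above, written out as an added example (this is not Blueriq's own code): the configuration is read from the three properties named on this page, and the function names, the sample properties and the sample requests are constructed for illustration.

```python
# Added illustration of the multitenancy request-validation rules; not Blueriq code.
# Property keys mirror the page; function names and sample data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class TenantConfig:
    claim_name: str             # from blueriq.security.jwt-claims.claim-mapping.TenantID
    header_name: str            # from blueriq.multi-tenancy.httpHeader
    allowed_tenants: frozenset  # from blueriq.multi-tenancy.allowedTenants


def config_from_properties(props: dict) -> TenantConfig:
    """Build the validation config from application.properties-style key/value pairs."""
    claim_path = props["blueriq.security.jwt-claims.claim-mapping.TenantID"]  # e.g. "$.TenantID"
    return TenantConfig(
        claim_name=claim_path.removeprefix("$."),
        header_name=props["blueriq.multi-tenancy.httpHeader"],
        allowed_tenants=frozenset(
            t.strip() for t in props["blueriq.multi-tenancy.allowedTenants"].split(",")),
    )


def resolve_tenant(cfg: TenantConfig, jwt_claims, headers: dict) -> str:
    """Return the tenant the request runs under, or raise PermissionError.

    jwt_claims is None when the request carries no OpenID Connect login.
    """
    # HTTP header names are case-insensitive, so normalise before the lookup.
    header_value = {k.lower(): v for k, v in headers.items()}.get(cfg.header_name.lower())

    if jwt_claims is None:
        # Not logged in: the tenant header is mandatory and must be an allowed tenant.
        if header_value is None:
            raise PermissionError("missing tenant header")
        if header_value not in cfg.allowed_tenants:
            raise PermissionError(f"tenant {header_value!r} is not in the allowed tenants")
        return header_value

    # Logged in: the token must carry the tenant claim.
    claim_value = jwt_claims.get(cfg.claim_name)
    if claim_value is None:
        raise PermissionError("JWT token has no tenant claim")
    # The header is optional here, but when present it must match the claim.
    if header_value is not None and header_value != claim_value:
        raise PermissionError("tenant header does not match tenant claim")
    return claim_value


# Constructed sample properties, matching the values quoted on this page.
SAMPLE_PROPS = {
    "blueriq.security.jwt-claims.claim-mapping.TenantID": "$.TenantID",
    "blueriq.multi-tenancy.httpHeader": "X-TENANT-ID",
    "blueriq.multi-tenancy.allowedTenants": "blueriq,everest",
}
```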

Configuration OpenID Connect with Multitenancy

To switch to the OpenID Connect configuration, the following properties need to be added to application.properties:

Code Block
blueriq.security.login-type=openid-connect
blueriq.security.auth-providers.openid-provider.type=openid-connect
blueriq.security.openid-connect.use-discovery=true
blueriq.security.openid-connect.token-issuer=http://${MULTITENANCY_HOST}:18034/realms/Blueriq
blueriq.security.openid-connect.client-id=blueriq-runtime
blueriq.security.openid-connect.client-secret=very-secret
blueriq.security.openid-connect.scopes=openid
blueriq.security.openid-connect.roles-path=$.roles
blueriq.security.auth-providers-chain=openid-provider
blueriq.security.openid-connect.sso-logout=true
blueriq.security.openid-connect.end-session-endpoint=http://${MULTITENANCY_HOST}:18034/realms/Blueriq/protocol/openid-connect/logout
blueriq.security.jwt-claims.roles-path=$.roles
blueriq.security.jwt-claims.tenant-path=$.tenant

Info

The OpenID Connect client configured via the blueriq.security.openid-connect.client-id configuration property must be authorized to use the Client Credentials grant.

In the current version, the access token obtained via the Client Credentials grant must be a JWT and must be compatible with an ID token in terms of the username and role claims.

Also, make sure that there are no existing properties that could override the OpenID Connect configuration. Comment out or remove the following:

Code Block
# blueriq.security.auth-providers.local01.type=in-memory
# blueriq.security.auth-providers.local01.users.location=users.properties
# blueriq.security.auth-providers-chain=local01
Note
The OpenID Connect identity provider must support grant_type=client_credentials for this to work.