Motivation
- get rid of the insecure basic authentication of opendaylight for Restconf
- instead implement JsonWebToken(JWT)
Problems
- Opendaylight AAA project for aluminium-SR1 is only supporting authorization header starting with "Basic" and JWT is a Bearer token
- So we had to patch the org.opendaylight.aaa:aaa-shiro:0.12.1 bundle with
- some backported classes from org.apache.shiro:shiro-core:1.7 package
- two modifications on the Authenticator to Accept also Bearer tokens
- we realized that an entry in aaa-app-config.xml like
Code Block |
---|
<urls>
<pair-key>/**</pair-key>
<pair-value>authcBasic, roles["admin,provision"]</pair-value>
</urls> |
means that the user which wants to access this url pattern needs to have both roles, which does not really make sense. Therefor we also implemented a so called AnyRolesAuthenticationFilter which accepts the connection if one of the given roles matches.
OAuth Provider bundle
API
request | params | response | description |
---|---|---|---|
GET /oauth/providers | OAuthProvider array | list of configured identity providers | |
GET /oauth/redirect | code={}&state={} or session_state={} or token={} | TokenResponse | called by the 301 Response from the identity provider |
POST /oauth/login | username={}&password={} | TokenResponse |
Environment Vars
env | default value | description |
---|---|---|
TOKEN_SECRET | secret | key to sign the token |
TOKEN_ISSUER | ONAP SDNC | |
HOST_URL | null => autodetected | important for reverse proxy use case |
ODLUX_REDIRECT_URI | /odlux/index.html#/oauth?token= | OAuth redirect will be responded |
SUPPORT_ODLUSERS | true | login interface enabled for internal odl configured users |
Dataflow example
for Login with external Identity Provider (KeyCloak)
...