...
- get rid of the insecure basic authentication of OpenDaylight for RESTCONF
- instead implement JSON Web Token (JWT) authorization
- JWT is stateless because it is signed: the server verifies the signature instead of looking up a session
- so roles can be put inside the token, and the token only has to be verified (signature checked) to obtain the roles of the user
Problems
- the OpenDaylight AAA project for aluminium-SR1 only supports an Authorization header starting with "Basic", while a JWT is sent as a Bearer token
- so we had to patch the org.opendaylight.aaa:aaa-shiro:0.12.1 bundle with
  - some backported classes from the org.apache.shiro:shiro-core:1.7 package
  - two modifications to the Authenticator so that it also accepts Bearer tokens
- we realized that an entry in aaa-app-config.xml like
...
where realm_access/roles are the entries that matter for us: these are the roles configured in the Keycloak backend.
Hint: offline_access and uma_authorization are built-in Keycloak roles. They are filtered out by the oauth-provider bundle, so the only role delivered in this case is provision.
The Opendaylight Roles access problem
As described above, we found out that an entry in aaa-app-config.xml like

```xml
<urls>
  <pair-key>/**</pair-key>
  <pair-value>authcBasic, roles["admin,provision"]</pair-value>
</urls>
```

restricts the configured URL to users that hold both roles (Shiro's built-in roles filter requires all listed roles). That is why we implemented a new filter, AnyRoleHttpAuthenticationFilter: if you enable it for a URL, the user only has to hold at least one of the listed roles to get access.
```xml
<main>
  <pair-key>anyroles</pair-key>
  <pair-value>org.opendaylight.aaa.shiro.filters.AnyRoleHttpAuthenticationFilter</pair-value>
</main>
```
So usage changes to:
```xml
<urls>
  <pair-key>/**</pair-key>
  <pair-value>authcBasic, anyroles["admin,provision"]</pair-value>
</urls>
```
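To make the difference between `roles[...]` and `anyroles[...]` concrete, here is an added, illustrative Shiro filter with "any role" semantics. It is not the ODL aaa-shiro code and not the actual AnyRoleHttpAuthenticationFilter; the class name, the package and the fail-closed choice for an empty role list are assumptions of this example. It relies only on public Shiro APIs: `AuthorizationFilter.isAccessAllowed`, `getSubject`, `Subject.hasRole`, and the fact that Shiro's `PathMatchingFilter` splits the bracket argument on commas.

```java
package org.example.shiro;  // hypothetical package, not part of the ODL aaa-shiro bundle

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

/**
 * Shiro authorization filter that grants access when the subject holds at
 * least ONE of the configured roles. The stock "roles" filter
 * (org.apache.shiro.web.filter.authz.RolesAuthorizationFilter) calls
 * Subject.hasAllRoles and therefore requires ALL of them.
 *
 * Registration (shiro.ini style; aaa-app-config.xml uses the equivalent
 * <main> pair-key / pair-value entries):
 *   anyroles = org.example.shiro.AnyRoleAuthorizationFilter
 * Usage, chained after an authenticating filter so the subject is known:
 *   /** = authcBasic, anyroles["admin,provision"]
 */
public class AnyRoleAuthorizationFilter extends AuthorizationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        // PathMatchingFilter.processPathConfig splits the bracket argument on
        // commas, so anyroles["admin,provision"] arrives as {"admin", "provision"}.
        String[] configuredRoles = (String[]) mappedValue;
        Subject subject = getSubject(request, response);
        return hasAnyRole(subject, configuredRoles);
    }

    /**
     * Decision logic kept free of servlet types so it can be unit-tested
     * with a mocked Subject and no container.
     */
    static boolean hasAnyRole(Subject subject, String[] configuredRoles) {
        // Assumption of this example: an "any of nothing" list fails closed.
        // RolesAuthorizationFilter instead returns true for an empty list;
        // if you want parity with that behaviour, return true here.
        if (subject == null || configuredRoles == null || configuredRoles.length == 0) {
            return false;
        }
        for (String role : configuredRoles) {
            String name = role == null ? "" : role.trim();
            if (!name.isEmpty() && subject.hasRole(name)) {
                return true;
            }
        }
        return false;
    }
}
```

Two practical checks when wiring such a filter into aaa-app-config.xml: keep `authcBasic` (or the Bearer-aware authenticator) in front of `anyroles` on every URL, because an unauthenticated subject has no roles and the filter alone would simply deny everything; and remember that the matched `pair-key` is the first one in order, so a broad `/**` entry placed before a more specific path silently takes precedence.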