Motivation
- get rid of the insecure Basic authentication of OpenDaylight for RESTCONF (the username and password travel with every single request)
- replace it with JSON Web Tokens (JWT) sent as Bearer tokens
Problems
- the OpenDaylight AAA project in Aluminium-SR1 only accepts Authorization headers that start with "Basic", while a JWT is sent as a Bearer token
- so we had to patch the org.opendaylight.aaa:aaa-shiro:0.12.1 bundle with
  - some classes backported from org.apache.shiro:shiro-core:1.7 (Shiro's BearerToken and the matching filter only exist from shiro-core 1.5 on)
  - two modifications of the authenticator so that it also accepts Bearer tokens
- we also realized that an entry in aaa-app-config.xml like
<urls> <pair-key>/**</pair-key> <pair-value>authcBasic, roles["admin,provision"]</pair-value> </urls>
means that a user accessing this URL pattern needs to have all of the listed roles (Shiro's stock roles filter checks hasAllRoles), which is not what we want for an admin-or-provision rule. Therefore we also implemented a so-called AnyRolesAuthenticationFilter, which grants access if at least one of the given roles matches.
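The two Shiro changes described above, as an added illustration in Java; this is not the project's patched aaa-shiro code. The first class is an AuthenticatingFilter that turns a "Basic" Authorization header into Shiro's UsernamePasswordToken (the stock ODL behaviour) and a "Bearer" header into Shiro's BearerToken; the second is the any-of-these-roles variant of RolesAuthorizationFilter. The package name, the class names and the assumption that a separately registered Realm validates BearerToken (signature, issuer, expiry) are mine, not the project's.

```java
package org.example.sdnr.auth; // hypothetical package, not the project's

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.BearerToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;

/**
 * Accepts both "Basic" and "Bearer" Authorization headers. Basic credentials become a
 * UsernamePasswordToken, a Bearer value becomes a BearerToken that a JWT-validating Realm
 * (assumed to be registered elsewhere) must check for signature, issuer and expiry.
 */
public class BasicOrBearerAuthenticationFilter extends AuthenticatingFilter {

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String header = ((HttpServletRequest) request).getHeader("Authorization");
        if (header == null) {
            return null;
        }
        // "<scheme> <value>"; the scheme is case-insensitive per RFC 7235
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2) {
            return null;
        }
        switch (parts[0].toLowerCase(Locale.ROOT)) {
            case "basic":
                return basicToken(parts[1], request);
            case "bearer":
                return new BearerToken(parts[1], request.getRemoteHost());
            default:
                return null; // unsupported scheme: treated like a missing header
        }
    }

    private static AuthenticationToken basicToken(String encoded, ServletRequest request) {
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new UsernamePasswordToken(decoded.substring(0, colon),
                decoded.substring(colon + 1), request.getRemoteHost());
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (createToken(request, response) == null) {
            // no usable credentials: challenge with both schemes instead of failing later
            HttpServletResponse http = (HttpServletResponse) response;
            http.setHeader("WWW-Authenticate", "Bearer realm=\"RESTCONF\", Basic realm=\"RESTCONF\"");
            http.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        return executeLogin(request, response); // lets the Realm authenticate the token
    }
}

/**
 * Grants access if the subject holds at least ONE of the configured roles.
 * Shiro's RolesAuthorizationFilter (roles[a,b]) requires ALL of them.
 * In a bundle this is its own public class; shown here in the same file for brevity.
 */
class AnyRolesAuthorizationFilter extends RolesAuthorizationFilter {

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
            throws IOException {
        Subject subject = getSubject(request, response);
        String[] roles = (String[]) mappedValue;
        if (roles == null || roles.length == 0) {
            return true; // no roles configured: same as the parent filter
        }
        for (String role : roles) {
            if (subject.hasRole(role)) {
                return true;
            }
        }
        return false;
    }
}
```

To use the role filter it is registered under the shiro [main] configuration (in aaa-app-config.xml that is a `<main>` pair such as `anyroles = org.example.sdnr.auth.AnyRolesAuthorizationFilter`) and then referenced in the URL rule as `anyroles[admin,provision]` instead of `roles[...]`. Note that the Bearer filter only extracts the token; all trust decisions (signature against TOKEN_SECRET, issuer, expiry) belong in the Realm, so a header that merely starts with "Bearer" must never be enough to pass.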
OAuth Provider bundle
API
request | params | response | description |
---|---|---|---|
GET /oauth/providers | | OAuthProvider array | list of configured identity providers |
GET /oauth/redirect | code={}&state={} or session_state={} or token={} | TokenResponse | target of the redirect the identity provider sends the browser to after login |
POST /oauth/login | username={}&password={} | TokenResponse | password login for the internal ODL users (only when SUPPORT_ODLUSERS is true) |
Environment Vars
env | default value | description |
---|---|---|
TOKEN_SECRET | secret | key used to sign the issued tokens. The default is a well-known placeholder: anyone who knows it can forge valid tokens, so set a long random value in every deployment |
TOKEN_ISSUER | ONAP SDNC | issuer name written into the issued tokens |
HOST_URL | null => autodetected | externally visible base URL of this instance. Set it explicitly behind a reverse proxy, otherwise the redirect URIs are built from the internal address |
ODLUX_REDIRECT_URI | /odlux/index.html#/oauth?token= | URI the browser is redirected to after a successful OAuth login; the issued token is appended |
SUPPORT_ODLUSERS | true | enables POST /oauth/login for the users configured internally in ODL |
Dataflow example
for login with an external identity provider (Keycloak)
2: response body of GET /oauth/providers, the OAuthProvider array; the client opens loginUrl to start the authorization code flow (response_type=code), and the redirect_uri inside it points back at /oauth/redirect:
[{ "id":"keycloak", "title":"OSNL Keycloak Provider", "loginUrl":"http://10.20.11.160:8080/auth/realms/onap/protocol/openid-connect/auth?client_id=odlux.app&response_type=code&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A3100%2Foauth%2Fredirect%2Fkeycloak" }]