Authorization

Access to web resources can be restricted using bearer tokens. To validate and evaluate such tokens, an identity provider (type OIDC, USER_INFO or JWT) has to be defined in the configuration. Currently only a single identity provider is supported; additional ones are ignored.

An additional authorization layer may be enabled using a Policy Decision Point. To do that, a provider with type XACML_JSON has to be defined in the configuration. Currently only a single policy decision provider is supported; additional ones are ignored.

Provider types

Configuration

These are the configuration options for key auth in cfg.yml.

| Name | Default | Description | Type | Since |
|---|---|---|---|---|
| providers | {} | A map with provider definitions. Keys are user-defined ids used for referencing, values are provider definitions with a type. See above for supported types. | object | v3.5 |

OpenID Connect

With OpenID Connect, the signed JSON Web Token is validated using the certificates published via the configuration endpoint, and the claims are extracted directly from the token.

A common open source implementation is Keycloak.


```yaml
auth:
  providers:
    oidc-ldproxy-integrated:
      type: OIDC
      endpoint: https://my-keycloak/realms/ldproxy/.well-known/openid-configuration
      login:
        clientId: ldproxy-integrated
      claims:
        userName: preferred_username
```

| Name | Default | Description | Type | Since |
|---|---|---|---|---|
| type | | Always OIDC. | string | v3.5 |
| claims | see below | Mapping of token claims to ldproxy claims, see Claims Mapping. | object | v3.5 |
| login | null | Login settings, see Login. | object | v3.5 |
| endpoint | | The OpenID Connect configuration endpoint, a URL ending with .well-known/openid-configuration. | string | v3.5 |

User info endpoint

An endpoint that is responsible for validating a token and returning the required claims as JSON.


```yaml
auth:
  providers:
    userinfo-custom:
      type: USER_INFO
      endpoint: https://my-userinfo-endpoint?token={token}
      claims:
        userName: name
```

| Name | Default | Description | Type | Since |
|---|---|---|---|---|
| type | | Always USER_INFO. | string | v3.5 |
| claims | see below | Mapping of token claims to ldproxy claims, see Claims Mapping. | object | v3.5 |
| endpoint | | A URL template; {token} is replaced with the bearer token. | string | v3.5 |

JWT signing key

A signing key is used to validate JSON Web Tokens, and the claims are extracted directly from the token.


```yaml
auth:
  providers:
    jwt-custom:
      type: JWT
      signingKey: 'nurrK3JeUC3ccqs5CESFzgjCsCj3omS+PxDvMeSngqM='
      claims:
        userName: user
```

| Name | Default | Description | Type | Since |
|---|---|---|---|---|
| type | | Always JWT. | string | v3.5 |
| claims | see below | Mapping of token claims to ldproxy claims, see Claims Mapping. | object | v3.5 |
| signingKey | | Signing key for JSON Web Tokens. | string | v3.5 |

Claims Mapping

This defines how ldproxy extracts the required information from a token. The values need to match the claim names in the token. Nested JSON objects are supported; a value can be a path like foo.bar.

| Name | Default | Description | Type | Since |
|---|---|---|---|---|
| userName | sub | The claim containing the user name. | string | v3.5 |
| permissions | roles | The claim containing the user permissions. | string | v3.5 |
| audience | aud | The claim containing the audience. | string | v3.5 |
| scopes | scope | The claim containing the scopes. | string | v3.5 |
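
To make the claims mapping and the JWT provider concrete, here is an added example (not ldproxy code) that validates a token against the configured signingKey and then applies a claims block containing a nested path. It assumes the signing key is a base64-encoded HMAC (HS256) secret, which this page does not state; the sample payload and mapping are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Defaults from the Claims Mapping table; the claims block in cfg.yml overrides them.
DEFAULT_CLAIMS = {"userName": "sub", "permissions": "roles", "audience": "aud", "scopes": "scope"}
# Sample key from the JWT provider example above; tokens signed with it are constructed here.
SIGNING_KEY_B64 = "nurrK3JeUC3ccqs5CESFzgjCsCj3omS+PxDvMeSngqM="

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # restore stripped padding

def make_hs256_token(payload: dict, key_b64: str) -> str:
    """Build a sample HS256 token so there is something to validate (demo helper only)."""
    head = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(base64.b64decode(key_b64), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(mac)}"

def verify_hs256_token(token: str, key_b64: str):
    """Return the payload if the signature matches the configured key, else None (assumed HS256)."""
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm to the one the key is for; never let the token choose (e.g. "none").
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(base64.b64decode(key_b64), f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):  # malformed segments, bad base64 or JSON
        return None

def lookup_claim(payload: dict, path: str):
    """Resolve a claim path such as realm_access.roles through nested JSON objects."""
    node = payload
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def map_claims(payload: dict, mapping: dict) -> dict:
    """Apply the cfg.yml claims mapping (on top of the table defaults) to a validated payload."""
    return {name: lookup_claim(payload, path) for name, path in {**DEFAULT_CLAIMS, **mapping}.items()}
```

Calling map_claims(verify_hs256_token(token, SIGNING_KEY_B64), {"userName": "user", "permissions": "realm_access.roles"}) yields the four ldproxy claims; a tampered token or one whose header names another algorithm makes the verifier return None.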

Login

This allows API clients that are integrated in ldproxy to redirect automatically to the login form of the identity provider.

| Name | Default | Description | Type | Since |
|---|---|---|---|---|
| clientId | | A client id that is registered with the identity provider. The corresponding client has to support the Authorization Code Flow. | string | v3.5 |
| clientSecret | null | Optional client secret for the given client id. | string | v3.5 |

XACML JSON

Policy Decision Points implementing XACML 3.0, XACML REST 1.1 and XACML JSON 1.1 or XACML JSON 1.0 are supported.

A common open source implementation is AuthzForce Server (Community Edition).


```yaml
auth:
  providers:
    policies:
      type: XACML_JSON
      endpoint: https://my-authzforce/policies/domains/ldproxy/pdp
      version: 1.0
```

| Name | Default | Description | Type | Since |
|---|---|---|---|---|
| type | | Always XACML_JSON. | string | v3.5 |
| endpoint | | The URL of the Policy Decision Point. | string | v3.5 |
| version | 1.1 | XACML JSON version, either 1.1 or 1.0. | string | v3.5 |
| mediaType | application/xacml+json;charset=UTF-8 | Media type for XACML JSON used by the PDP. | string | v3.5 |
| geoXacmlVersion | NONE | Optional support for GeoXACML 3.0 or GeoXACML 1.0. If unset or NONE, geometries are sent with type string in XACML requests; if 3.0 or 1.0, the corresponding GeoXACML type is used. | string | v3.5 |