Identity Provider

This page describes how the OIDC provider is configured in the controller. Generic information for Keycloak and its configuration can be found in the Keycloak section.

Configuration

In the past, OIDC and user search were configured together within the keycloak section. Starting with controller version 0.21.0, this is deprecated and support for it will be removed in a future release. It should be replaced with the separate oidc and user_search sections.

The section in the configuration file is called oidc.

| Field | Type | Required | Default value | Description |
|---|---|---|---|---|
| authority | string | yes | - | Base URL for the OIDC authority. Used by the frontend and the controller unless overridden by oidc.frontend.authority or oidc.controller.authority |
| frontend | frontend configuration | yes | - | Configuration dedicated to the frontend |
| controller | controller configuration | yes | - | Configuration dedicated to the controller |

Frontend configuration

| Field | Type | Required | Default value | Description |
|---|---|---|---|---|
| authority | string | no | From oidc.authority | OIDC authority base URL for the frontend |
| client_id | string | yes | - | Client id used by the frontend when connecting to the OIDC provider |

Controller configuration

| Field | Type | Required | Default value | Description |
|---|---|---|---|---|
| authority | string | no | From oidc.authority | OIDC authority base URL for the controller |
| client_id | string | yes | - | Client id used by the controller when connecting to the OIDC provider |
| client_secret | string | yes | - | Client secret used by the controller when connecting to the OIDC provider |

Examples

Default Setup

[oidc]
authority = "https://localhost:8080/auth/realms/OPENTALK"

[oidc.frontend]
client_id = "Frontend"

[oidc.controller]
client_id = "Controller"
client_secret = "v3rys3cr3t"

OIDC and JWT

The following fields in the JWT returned by the OIDC provider are used by the OpenTalk Controller. These fields differ for authentication of normal users and services.

JWT fields for user login

| Field | Type | Required | Description |
|---|---|---|---|
| exp | string | yes | RFC 3339 timestamp of the token's expiration date |
| iat | string | yes | RFC 3339 timestamp of the token's issuing date |
| iss | string | yes | URL of the OIDC provider |
| sub | string | yes | Unique identifier of the user |
| email | string | yes | E-mail address of the user |
| given_name | string | yes | The given name (also known as first name) of the user |
| family_name | string | yes | The family name (also known as last name) of the user |
| tenant_id | string | if tenant assignment is "by_external_tenant_id" | Contains the identifier of the user's tenant |
| tariff_id | string | if tariffs are used | The external id of the tariff. See tariffs for further details |
| tariff_status | string | if tariffs are used | The external id of the tariff status. See tariffs for further details |
| x_grp | string[] | no | A list of groups the user is part of |
| phone_number | string | no | The phone number of the user |
| nickname | string | no | Nickname of the user, typically used to prefill the display name of a meeting participant |
| picture | string | no | URL to a user picture; if provided, it replaces the gravatar URL generation for that user |

Security considerations

The frontend downloads the image found under the URL given in the picture field. It is therefore important to only provide URLs that are guaranteed not to inject unwanted content, i.e. URLs served under a policy which ensures that only valid images are delivered.

JWT fields for service login

| Field | Type | Required | Description |
|---|---|---|---|
| exp | string | yes | RFC 3339 timestamp of the token's expiration date |
| iat | string | yes | RFC 3339 timestamp of the token's issuing date |
| iss | string | yes | URL of the OIDC provider |
| realm_access | RealmAccess | yes | An object containing realm access information |

The RealmAccess object contains these fields:

| Field | Type | Required | Description |
|---|---|---|---|
| roles | string[] | yes | A list of role identifiers that the service is allowed to provide |
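As an added example (not part of the OpenTalk Controller code base), the following Python checks already-decoded claims against the user-login and service-login tables above, including the conditional tenant_id and tariff requirements and the picture URL concern from the security considerations. The tenant assignment mode, the "tariffs used" flag and the picture host allow-list are assumed deployment inputs, not controller settings; the sample claims are constructed.

```python
from urllib.parse import urlsplit

# Claims the tables above list as always required for each token kind.
USER_REQUIRED = ("exp", "iat", "iss", "sub", "email", "given_name", "family_name")
SERVICE_REQUIRED = ("exp", "iat", "iss", "realm_access")


def check_user_claims(claims, tenant_assignment, tariffs_used, picture_hosts):
    """Return a list of problems found in decoded user-login JWT claims.

    tenant_assignment: assumed controller tenant assignment mode, compared
    against the "by_external_tenant_id" value named in the table.
    picture_hosts: assumed allow-list of hosts trusted to serve only valid
    images (the page asks for such a policy but does not define one).
    """
    problems = []
    for name in USER_REQUIRED:
        if not isinstance(claims.get(name), str) or not claims[name]:
            problems.append(f"missing or non-string required claim: {name}")
    if tenant_assignment == "by_external_tenant_id" and "tenant_id" not in claims:
        problems.append("tenant_id is required for by_external_tenant_id assignment")
    if tariffs_used:
        for name in ("tariff_id", "tariff_status"):
            if name not in claims:
                problems.append(f"{name} is required when tariffs are used")
    groups = claims.get("x_grp")
    if groups is not None and not (isinstance(groups, list) and all(isinstance(g, str) for g in groups)):
        problems.append("x_grp must be a list of strings")
    picture = claims.get("picture")
    if picture is not None:
        url = urlsplit(picture)
        if url.scheme != "https" or url.hostname not in picture_hosts:
            problems.append(f"picture URL is not from a trusted https host: {picture}")
    return problems


def check_service_claims(claims):
    """Return a list of problems found in decoded service-login JWT claims."""
    problems = [f"missing required claim: {n}" for n in SERVICE_REQUIRED if n not in claims]
    realm_access = claims.get("realm_access")
    roles = realm_access.get("roles") if isinstance(realm_access, dict) else None
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        problems.append("realm_access.roles must be a list of strings")
    return problems


# Constructed sample claims for a user login (not a real token).
SAMPLE_USER = {
    "exp": "2024-01-01T12:00:00Z", "iat": "2024-01-01T11:00:00Z",
    "iss": "https://localhost:8080/auth/realms/OPENTALK", "sub": "user-1",
    "email": "alice@example.com", "given_name": "Alice", "family_name": "Example",
    "tenant_id": "tenant-a", "tariff_id": "basic", "tariff_status": "paid",
    "x_grp": ["staff"], "picture": "https://idp.example.com/avatars/alice.png",
}
```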

The list of known service roles is: