tiboun commented on a change in pull request #3277: [ZEPPELIN-2881] Fix OIDC logout URL: https://github.com/apache/zeppelin/pull/3277#discussion_r244870738
########## File path: docs/setup/security/shiro_authentication.md ########## 
@@ -247,6 +247,92 @@ knoxJwtRealm.principalMapping = principal.mapping authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter ``` +### OpenID Connect +OpenID Connect is a protocol used by many auth providers like google or facebook but also with some external tools like keycloak. Below you'll find a `conf/shiro.ini` related to `keycloak` integration. + +To enable this, make sure you've built zeppelin with oidc profile and then apply the following change in `conf/shiro.ini` under `[main]` section. + +You'll have to fill the different parameters below : + - CLIENT_ID: for instance zeppelin + - CLIENT_SECRET: for instance 4bde2ee4-80bb-4b72-9369-53940201d554. In order to get a secret, you'll need to define the client with `confidential` access-type. + - REALM: the realm defined in keycloak. By default, it's `master`. + - KEYCLOAK_BASE_URI: base uri of keycloak. For instance `http://localhost:8080/auth`. This attribute is then concataned with **"/realms/"+realm+"/.well-known/openid-configuration"** + - LOGOUT_URL: url to logout from keycloak. For instance `http://localhost:8080/auth/realms/master/protocol/openid-connect/logout` + - ZEPPELIN_CALLBACK_URL: url redirected to after successful login. For instance `http://localhost:8090/api/callback` + - LOGOUT_REDIRECT_URI: For instance go back to zeppelin. `http://localhost:8090`. 
+ +``` +[main] +roleAdminAuthGenerator = org.pac4j.core.authorization.generator.FromAttributesAuthorizationGenerator +roleAdminAuthGenerator.roleAttributes = ROLE_ADMIN + +oidcConfig = org.pac4j.oidc.config.KeycloakOidcConfiguration +oidcConfig.clientId = <CLIENT_ID> +oidcConfig.secret = <CLIENT_SECRET> +oidcConfig.realm = <REALM> +oidcConfig.baseUri = <KEYCLOAK_BASE_URI> +oidcConfig.useNonce = true +oidcConfig.clientAuthenticationMethodAsString = client_secret_basic + +oidcConfig.logoutUrl = <LOGOUT_URL> + +keycloakOidcClient = org.pac4j.oidc.client.KeycloakOidcClient +keycloakOidcClient.configuration = $oidcConfig +keycloakOidcClient.authorizationGenerator = $roleAdminAuthGenerator + +clients = org.pac4j.core.client.Clients +clients.callbackUrl = <ZEPPELIN_CALLBACK_URL> +clients.clients = $keycloakOidcClient + +requireRoleAdmin = org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer +requireRoleAdmin.elements = ROLE_ADMIN

Review comment: This comes from @andreaTP's PR; I personally tested only the login and logout mechanism, so I didn't test this. andreaTP's PR was OK, so I didn't dig any more.

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
With regards, Apache Git Services
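Review bot: the doc never says where the `ROLE_ADMIN` attribute used by `roleAdminAuthGenerator.roleAttributes = ROLE_ADMIN` and checked by `requireRoleAdmin.elements = ROLE_ADMIN` is supposed to come from. `FromAttributesAuthorizationGenerator.roleAttributes` lists profile attribute names whose values become pac4j roles, so this configuration only grants `ROLE_ADMIN` if the ID token or userinfo response carries a claim literally named `ROLE_ADMIN` whose value is `ROLE_ADMIN`; Keycloak does not emit such a claim by default (realm roles arrive under `realm_access.roles`, client roles under `resource_access.<client>.roles`), and the author's own comment on this line says the role part was not tested. The section should state the Keycloak protocol mapper (or claim name) the reader has to configure, or the admin check will silently deny every user. Two smaller points: the example `CLIENT_SECRET` `4bde2ee4-80bb-4b72-9369-53940201d554` reads like a real credential pasted from a test realm, so use an obvious placeholder there as the config block already does with `<CLIENT_SECRET>`; and in the prose `concataned` should be `concatenated`, `google or facebook` should be `Google or Facebook`, and `keycloak`/`zeppelin` should be capitalised consistently with the rest of the page.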