# Helm Chart for Authentication Application

This component delivers:

- Keycloak Realm creation and import
- (Optionally) creation of AuthenticationPolicies for Ingress to enable OAuth authentication and role-based access to Ingress APIs and UIs

## REALM Configuration settings

- In the configuration section `realmSettings` multiple REALMs can be configured
- Each REALM configuration has the following sections:
  - [General REALM settings](#general-realm-settings)
  - [CLIENT definitions](#client-definitions)
  - (optional) [CLIENT SCOPE definitions](#client-scope-definitions)
  - (optional) [Access control definitions](#access-control-definitions)
  - (optional) [GROUP definitions](#group-definitions)
  - (optional) [USER definitions](#user-definitions)
  - (optional) [IDENTITY PROVIDER definitions](#identity-provider-and-mapper-definitions)
  - (optional) [SMTP server definitions](#smtp-server-definitions)

### General REALM settings

This section sets the general realm attributes shown in Keycloak.

```yaml
realmSettings:
  - name:                   # unique ID for a realm (e.g. "ONAP")
    displayName:            # (optional) Keycloak display name (e.g. "ONAP Realm")
    accessTokenLifespan:    # (optional) access token lifespan in seconds (default: 1900)
    registrationAllowed:    # (optional) enable/disable the self-registration page (default: false)
    resetPasswordAllowed:   # (optional) show a "forgot password" link on the login page (default: true)
    sslRequired:            # (optional) is HTTPS required? "none" | "external" | "all" (default: "external")
    themes:                 # (optional) Keycloak theme settings
      login:                # (optional) theme for the login UI (e.g. "base")
      admin:                # (optional) theme for the admin UI (e.g. "base")
      account:              # (optional) theme for the account UI (e.g. "base")
      email:                # (optional) theme for e-mails (e.g. "base")
    attributes:             # (optional)
      frontendUrl: ""       # (optional) external URL for Keycloak access (e.g. "https://keycloak-$PARAM_BASE_URL/")
```

Notes:

- `sslRequired` values are the Keycloak API values; the admin console shows them as "None", "External requests" and "All requests". `external` still accepts plain HTTP from private IP ranges, so choose `all` if every client reaches Keycloak through TLS (behind a TLS-terminating ingress Keycloak must then be configured to trust the proxy headers, otherwise logins are rejected).
- `accessTokenLifespan` is the lifetime of issued access tokens in seconds; keep it short, since revocation of an already issued access token is not possible.

### CLIENT definitions

In this section each realm authentication client is defined, e.g. portal-bff, oauth2-proxy, grafana.

Possible `attributes` settings (the list is not exhaustive):

- id.token.as.detached.signature: "false"
- exclude.session.state.from.auth.response: "false"
- tls.client.certificate.bound.access.tokens: "false"
- saml.allow.ecp.flow: "false"
- saml.assertion.signature: "false"
- saml.force.post.binding: "false"
- saml.multivalued.roles: "false"
- saml.encrypt: "false"
- saml.server.signature: "false"
- saml.server.signature.keyinfo.ext: "false"
- saml.artifact.binding: "false"
- saml_force_name_id_format: "false"
- saml.client.signature: "false"
- saml.authnstatement: "false"
- saml.onetimeuse.condition: "false"
- oidc.ciba.grant.enabled: "false"
- frontchannel.logout.session.required: "true"
- backchannel.logout.session.required: "true"
- backchannel.logout.revoke.offline.tokens: "false"
- client_credentials.use_refresh_token: "false"
- acr.loa.map: "{}"
- require.pushed.authorization.requests: "false"
- oauth2.device.authorization.grant.enabled: "false"
- display.on.consent.screen: "false"
- token.response.type.bearer.lower-case: "false"
- use.refresh.tokens: "true"
- post.logout.redirect.uris: ''

```yaml
clients:
  oauth2_proxy:
    clientId: ""                      # client ID
    name: ""                          # (optional) client name
    secret:                           # (optional) client secret
    clientAuthenticatorType:          # (optional) auth type (default: client-secret)
    protocol:                         # (optional) auth protocol (default: openid-connect)
    description: ""                   # (optional) client description
    baseUrl: ""                       # (optional) URL subpath (e.g. /application)
    rootUrl: ""                       # (optional) root URL
    adminUrl: ""                      # (optional) admin URL
    bearerOnly: ""                    # (optional) bearerOnly (default: false)
    consentRequired: ""               # (optional) consentRequired (default: false)
    standardFlowEnabled: ""           # (optional) standardFlowEnabled (default: true)
    implicitFlowEnabled: ""           # (optional) implicitFlowEnabled (default: false)
    directAccessGrantsEnabled: ""     # (optional) directAccessGrantsEnabled (default: true)
    serviceAccountsEnabled: ""        # (optional) serviceAccountsEnabled (default: false)
    frontchannelLogout: ""            # (optional) front-channel logout (default: true)
    surrogateAuthRequired: ""         # (optional) surrogateAuthRequired (default: false)
    authorizationServicesEnabled: ""  # (optional) enable Authorization Services (RBAC) (default: false)
    publicClient: ""                  # (optional) public client (default: false)
    attributes:                       # (optional) attribute settings (see list above)
      post.logout.redirect.uris: ''   # example
    protocolMappers:                  # (optional) protocol mappers (examples)
      - name: "Audience for Oauth2Proxy"
        protocolMapper: "oidc-audience-mapper"
        config:
          included.client.audience: "oauth2-proxy-onap"
          id.token.claim: "false"
          access.token.claim: "true"
          included.custom.audience: "oauth2-proxy-onap"
      - name: "SDC-User"
        protocolMapper: "oidc-usermodel-attribute-mapper"
        config:
          multivalued: "false"
          userinfo.token.claim: "true"
          user.attribute: "sdc_user"
          id.token.claim: "true"
          access.token.claim: "true"
          claim.name: "sdc_user"
          jsonType.label: "String"
    additionalDefaultScopes:
      - "onap_roles"
    redirectUris:
      - "https://portal-$PARAM_BASE_URL/*"
      - "http://localhost/*"
    webOrigins:
      - "https://argocd-$PARAM_BASE_URL"
    defaultClientScopes:              # (optional) definition of default client scopes;
      - "web-origins"                 # if used, has to contain the full scope list
      - "profile"
      - "acr"
      - "email"
      - "roles"
      - "groups"
    optionalClientScopes:             # (optional) definition of optional client scopes;
      - ...                           # if used, has to contain the full scope list
```

Security notes on the client definition:

- `directAccessGrantsEnabled` defaults to true and enables the Resource Owner Password Credentials grant, in which the client receives the user's password directly. Set it to false for browser-facing clients such as oauth2-proxy unless a consumer really needs it.
- `redirectUris` entries are matched as patterns. `http://localhost/*` is convenient for local development but should not remain in a production client; an over-broad redirect URI is the classic way to leak authorization codes to an attacker-controlled site.
- `secret` ends up in the values file. Supply it through a values override that is not committed to the repository, and rotate it if it has ever been committed.
- The audience mapper above makes the access token usable only by `oauth2-proxy-onap`; keep `included.client.audience` in sync with the `clientId` of the consuming client, otherwise the token is rejected there.

#### Authorization settings within Client section (optional)

Information about the Keycloak Authorization Services can be found in the Keycloak documentation.

To enable Authorization Services, the client setting shown above needs to be:

- `authorizationServicesEnabled: true`

```yaml
authorizationSettings:
  allowRemoteResourceManagement: ""   # (optional) managed remotely by the resource server? (default: true)
  policyEnforcementMode: ""           # (optional) dictates how policies are enforced (default: ENFORCING)
  decisionStrategy: ""                # (optional) dictates how permissions are evaluated (default: UNANIMOUS)
  resources:                          # resource definitions
    - name: ""                        # unique name for this resource
      displayName: ""                 # (optional) user-friendly name for the resource
      type: ""                        # type can be used to group different resource instances with the same type
      ownerManagedAccess:             # (optional) can access be managed by the resource owner? (default: false)
      attributes: {}                  # (optional) the attributes associated with the resource
      uris:                           # set of URIs protected by this resource
        - "/*"
        - ...
      scopes:                         # the scopes associated with this resource
        - name: ""
        - ...
      icon_uri: ""                    # (optional) a URI pointing to an icon
    - ...
  policies:                           # policy definitions
    - name: ""                        # unique name for this policy
      description: ""                 # (optional) a description for this policy
      type: ""                        # choose the policy type
      logic: ""                       # dictates how the policy decision should be made
      roles:                          # specifies the client roles allowed by this policy
        - id: ""                      # points to an existing role
          required:                   # decide whether the role is required
        - ...
    - ...
  permissions:                        # permission definitions
    - name: ""                        # unique name for this permission
      description: ""                 # (optional) a description for this permission
      type: ""                        # choose the permission type
      decisionStrategy: ""            # dictates how the policies associated with this permission are evaluated
      resources:                      # specifies that this permission applies to specific resource instances
        - ""                          # points to an existing resource
        - ...
      scopes:                         # specifies that this permission applies to one or more scopes
        - ""                          # points to an existing scope
        - ...
      applyPolicies:                  # specifies all the policies that must be applied to the scopes defined by this permission
        - ""                          # points to an existing policy
        - ...
    - ...
  scopes:                             # scope definitions
    - name: ""                        # unique name for this scope
      iconUri: ""                     # (optional) a URI pointing to an icon
      displayName: ""                 # (optional) user-friendly name for the scope
    - ...
```

### CLIENT SCOPE definitions

Here additional scopes besides the default scopes can be defined and set as default client scopes.

Default scopes: roles, groups, acr, profile, address, web-origins, phone, email, offline_access, role_list, microprofile-jwt

```yaml
defaultClientScopes:
  - "onap_roles"
additionalClientScopes:
  - name: onap_roles
    description: OpenID Connect scope for adding the user's onap roles to the access token
    protocolMappers:
      - name: aud
        protocol: openid-connect
        protocolMapper: oidc-audience-mapper
        consentRequired: false
        config:
          included.client.audience: oauth2-proxy
          id.token.claim: 'false'
          access.token.claim: 'true'
      - name: client roles
        protocol: openid-connect
        protocolMapper: oidc-usermodel-client-role-mapper
        consentRequired: false
        config:
          multivalued: 'true'
          userinfo.token.claim: 'false'
          id.token.claim: 'true'
          access.token.claim: 'true'
          claim.name: onap_roles
          jsonType.label: String
          usermodel.clientRoleMapping.clientId: oauth2-proxy
```

The `onap_roles` claim carries the client roles of `oauth2-proxy` in the token; this is the claim the Ingress authorization policies evaluate, so only roles of that client (not realm roles) end up being authoritative for access decisions.
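A small lint script for the client, client-scope and access-control sections, as an added example that is not part of the chart. It encodes the rules this README states (an explicit `defaultClientScopes` list must keep the built-in scopes, `additionalDefaultScopes` and `associatedAccessRoles` must resolve to something defined) plus common OAuth client hygiene (no plaintext or wildcard-host redirect URIs in production, no password grant left on by the default). The `REALM` dict is a constructed sample values fragment; the set of built-in scopes and the HTTP method list are the script's own assumptions.

```python
"""Lint one realmSettings entry (clients, client scopes, access control).

Added example, not chart code. To check a real values.yaml, load it with
PyYAML and pass one entry of `realmSettings` to the two lint functions.
"""
from urllib.parse import urlparse

# Assumption: built-in scopes an explicit defaultClientScopes list must keep
# (README: "if used, has to contain the full scope list").
BUILTIN_DEFAULT_SCOPES = {"web-origins", "profile", "email", "roles"}
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}


def _flag(client, key, default):
    """Chart booleans may be real booleans, 'true'/'false' strings or '' (= chart default)."""
    value = client.get(key, default)
    if value in ("", None):
        return default
    return str(value).lower() == "true"


def lint_clients(realm, production=True):
    findings = []
    defined_scopes = {s["name"] for s in realm.get("additionalClientScopes", [])}
    for key, client in realm.get("clients", {}).items():
        cid = client.get("clientId") or key
        explicit = client.get("defaultClientScopes")
        if explicit is not None:
            missing = BUILTIN_DEFAULT_SCOPES - set(explicit)
            if missing:
                findings.append(f"{cid}: defaultClientScopes drops built-in scopes {sorted(missing)}")
        for scope in client.get("additionalDefaultScopes", []):
            if scope not in defined_scopes:
                findings.append(f"{cid}: additionalDefaultScopes references undefined scope '{scope}'")
        for uri in client.get("redirectUris", []):
            parts = urlparse(uri)
            if uri == "*" or "*" in parts.netloc:
                findings.append(f"{cid}: redirect URI '{uri}' matches arbitrary hosts")
            elif production and parts.scheme != "https":
                findings.append(f"{cid}: non-HTTPS redirect URI '{uri}' in a production client")
        # The chart default for directAccessGrantsEnabled is true (README), i.e. the password grant is on.
        if _flag(client, "directAccessGrantsEnabled", True) and not _flag(client, "bearerOnly", False):
            findings.append(f"{cid}: password grant enabled (directAccessGrantsEnabled defaults to true)")
        if _flag(client, "implicitFlowEnabled", False):
            findings.append(f"{cid}: implicit flow enabled; use the code flow with PKCE instead")
        if _flag(client, "publicClient", False) and client.get("secret"):
            findings.append(f"{cid}: public client carries a secret that cannot be kept confidential")
    return findings


def lint_access_control(realm):
    findings = []
    ac = realm.get("accessControl", {})
    clients = realm.get("clients", {})
    known = set()
    for client_key, roles in ac.get("accessRoles", {}).items():
        if client_key not in clients:
            findings.append(f"accessRoles: client '{client_key}' is not defined under clients")
        for role in roles:
            known.add(role["name"])
            bad = set(role.get("methodsAllowed", [])) - HTTP_METHODS
            if bad:
                findings.append(f"{role['name']}: unknown HTTP methods {sorted(bad)}")
    for arole in ac.get("assignableRoles", []):
        for ref in arole.get("associatedAccessRoles", []):
            if ref not in known:
                findings.append(f"{arole['name']}: associatedAccessRoles references undefined access role '{ref}'")
    return findings


# Constructed sample: the README's example URIs plus a few deliberate mistakes.
REALM = {
    "clients": {
        "oauth2_proxy": {
            "clientId": "oauth2-proxy-onap",
            "secret": "change-me",
            "directAccessGrantsEnabled": "",  # "" means chart default (true)
            "additionalDefaultScopes": ["onap_roles", "missing_scope"],
            "redirectUris": ["https://portal-$PARAM_BASE_URL/*", "http://localhost/*"],
            "defaultClientScopes": ["web-origins", "profile", "acr", "roles", "groups"],  # "email" forgotten
        }
    },
    "additionalClientScopes": [{"name": "onap_roles"}],
    "accessControl": {
        "assignableRoles": [
            {"name": "onap-operator-read", "associatedAccessRoles": ["dmaap-bc-api-read", "sdc-api-read"]}
        ],
        "accessRoles": {
            "oauth2_proxy": [
                {"name": "dmaap-bc-api-read", "methodsAllowed": ["GET", "get"], "servicePrefix": "dmaap-bc-api"}
            ]
        },
    },
}

if __name__ == "__main__":
    for line in lint_clients(REALM) + lint_access_control(REALM):
        print("FINDING:", line)
```

Run it with `production=False` while developing to silence the localhost finding; the dangling `sdc-api-read` reference and the lower-case method name are the kind of typo that otherwise only shows up as a user unexpectedly being denied (or, worse, allowed) at the Ingress.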
### Access control definitions

In this section additional roles (`assignableRoles`) besides the default roles can be set.

Default roles: user, admin, offline_access, uma_authorization, default-roles-<realm>

(optional) `accessRoles` can be defined. These access roles are used in the Ingress AuthorizationPolicy to restrict access to certain services. An access role is assigned to a realm client (e.g. oauth2_proxy).

```yaml
accessControl:
  assignableRoles:
    - name: onap-operator-read
      description: "Allows to perform GET operations for all ONAP components"
      associatedAccessRoles: [ "dmaap-bc-api-read", ... ]
  accessRoles:
    "oauth2_proxy":
      - name: dmaap-bc-api-read
        methodsAllowed: ["GET"]
        servicePrefix: dmaap-bc-api
```

`methodsAllowed` is an allow-list per access role: keep read roles to `GET` and give write methods their own role, so that a user can be granted read access to a service without implicitly gaining write access.

### GROUP definitions

```yaml
groups:               # (optional) group definitions
  - name:             # group name
    path:             # group URL path (e.g. "/<name>")
    roles: [ ,... ]   # (optional) list of realm roles
```

### USER definitions

```yaml
initialUsers:             # (optional) list of initial users
  - username:             # name of the user
    firstName:            # (optional) first name
    lastName:             # (optional) last name
    email:                # (optional) e-mail address
    emailVerified:        # (optional) e-mail verified
    credentials:          # (optional) credentials
      - type: password    # (optional) initial password (value: hashed password, salt: the salt used)
        secretData: "{\"value\":\"\",\"salt\":\"\"}"
        credentialData: "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}"
    requiredActions:      # (optional) actions the user has to execute on first login
      -                   # e.g. "UPDATE_PASSWORD", "UPDATE_PROFILE", ...
    attributes:           # (optional) additional attributes
      sdc_user:           # example attribute
        - "cs0008"
    realmRoles:           # (optional) assigned realm roles
      -
    groups:               # (optional) group membership
      -
```

Only the PBKDF2 hash and its salt are stored in the values file, never the plaintext password. Combine an initial password with the `UPDATE_PASSWORD` required action so that the bootstrap credential is replaced on first login.

### Identity Provider and Mapper definitions

```yaml
identityProviders:
  - name: "gitlab"
    displayName: "gitlab"
    config:
      userInfoUrl: "https://gitlab.devops.telekom.de/oauth/userinfo"
      validateSignature: "true"
      clientId: "ee4e0db734157e9cdad16733656ba285f2f813354aa7c590a8693e48ed156860"
      tokenUrl: "https://gitlab.devops.telekom.de/oauth/token"
      jwksUrl: "https://gitlab.devops.telekom.de/oauth/discovery/keys"
      issuer: "https://gitlab.devops.telekom.de"
      useJwksUrl: "true"
      authorizationUrl: "https://gitlab.devops.telekom.de/oauth/authorize"
      clientAuthMethod: "client_secret_post"
      syncMode: "IMPORT"
      clientSecret: "gloas-35267790bf6fb7c4b507aea11db46d80174cb8ef4192e77424803b595eef735e"
      defaultScope: "openid read_user email"
identityProviderMappers:
  - name: "argo-admins"
    identityProviderAlias: "gitlab"
    identityProviderMapper: "oidc-advanced-group-idp-mapper"
    config:
      claims: "[{\"key\":\"groups_direct\",\"value\":\"dt-rc\"}]"
      syncMode: "FORCE"
      group: "/ArgoCDAdmins"
  - name: "ArgoCDRestricted"
    identityProviderAlias: "gitlab"
    identityProviderMapper: "oidc-advanced-group-idp-mapper"
    config:
      claims: "[{\"key\":\"groups_direct\",\"value\":\"\"}]"
      syncMode: "FORCE"
      group: "/ArgoCDRestricted"
  - name: "lastName"
    identityProviderAlias: "gitlab"
    identityProviderMapper: "oidc-user-attribute-idp-mapper"
    config:
      claim: "nickname"
      syncMode: "FORCE"
      user.attribute: "lastName"
```

Notes:

- `clientSecret` is the credential GitLab issued for this realm. Treat it like any other secret: supply it through an uncommitted values override and rotate it at the IdP if it has ever been committed.
- Keep `validateSignature: "true"` together with `useJwksUrl`/`jwksUrl`; this makes Keycloak verify the ID tokens against the keys GitLab publishes rather than trusting them as received.
- The group mappers use `syncMode: "FORCE"`, so group membership (and with it the ArgoCD admin role) is re-evaluated from the `groups_direct` claim at every login; a user removed from the `dt-rc` GitLab group loses `/ArgoCDAdmins` on the next login, not immediately.

### SMTP Server definitions

```yaml
smtpServer:
  password: ""
  starttls: "true"
  auth: "true"
  port: "587"
  host: ""
  from: ""
  fromDisplayName: "onapsupport"
  ssl: "false"
  user: "onapsupport"
```

## Requirements

authentication needs the following ONAP projects to work:

- common
- serviceAccount
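The `initialUsers` section above expects a pre-hashed password in `secretData`/`credentialData`. The following is an added example that is not part of the chart: it produces both strings in the encoding Keycloak's `pbkdf2-sha256` provider uses (Base64 of a random 16-byte salt and of a 32-byte derived key, iteration count and algorithm name in `credentialData`) and verifies an existing entry. The salt size, derived-key length and the 27500 iteration count are assumptions taken from the README example and from Keycloak's provider at the time of writing; check them against the Keycloak version you deploy.

```python
"""Generate and verify secretData/credentialData for an initialUsers entry.

Added example, not chart code. Assumptions: Keycloak pbkdf2-sha256 uses a
256-bit derived key and a 16-byte salt, both Base64 encoded in secretData.
"""
import base64
import hashlib
import hmac
import json
import os

ALGORITHM = "pbkdf2-sha256"
DERIVED_KEY_BYTES = 32      # assumed: 256-bit key for pbkdf2-sha256
SALT_BYTES = 16             # assumed: Keycloak's default salt length
DEFAULT_ITERATIONS = 27500  # value shown in the README example


def make_credential(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return (secretData, credentialData) JSON strings ready for the values file."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DERIVED_KEY_BYTES)
    secret_data = json.dumps({"value": base64.b64encode(dk).decode(),
                              "salt": base64.b64encode(salt).decode()})
    credential_data = json.dumps({"hashIterations": iterations, "algorithm": ALGORITHM})
    return secret_data, credential_data


def verify_credential(password, secret_data, credential_data):
    """Recompute the hash for an existing entry and compare in constant time."""
    secret = json.loads(secret_data)
    cred = json.loads(credential_data)
    if cred.get("algorithm") != ALGORITHM:
        raise ValueError(f"unsupported algorithm {cred.get('algorithm')!r}")
    salt = base64.b64decode(secret["salt"])
    expected = base64.b64decode(secret["value"])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(cred["hashIterations"]), len(expected))
    return hmac.compare_digest(actual, expected)


def values_snippet(username, password, iterations=DEFAULT_ITERATIONS):
    """Render the credentials block as it appears under initialUsers.

    json.dumps on the already-serialised strings yields the double-quoted,
    backslash-escaped form the README shows for secretData/credentialData.
    """
    secret_data, credential_data = make_credential(password, iterations)
    return (
        f"  - username: {username}\n"
        f"    credentials:\n"
        f"      - type: password\n"
        f"        secretData: {json.dumps(secret_data)}\n"
        f"        credentialData: {json.dumps(credential_data)}\n"
        f"    requiredActions:\n"
        f"      - \"UPDATE_PASSWORD\"\n"
    )


if __name__ == "__main__":
    import getpass
    print(values_snippet("demo-user", getpass.getpass("initial password: ")))
```

Paste the printed block under `initialUsers`. Pair the bootstrap password with the `UPDATE_PASSWORD` required action as shown, and never lower `hashIterations` below what the realm's password policy requires; with a matching policy Keycloak accepts the imported hash as-is and upgrades it on the user's next successful login if the policy later changes.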