ajaygk95 commented on a change in pull request #3277: [ZEPPELIN-2881] Fix OIDC logout
URL: https://github.com/apache/zeppelin/pull/3277#discussion_r244729241
 
 

 ##########
 File path: docs/setup/security/shiro_authentication.md
 ##########
 @@ -247,6 +247,92 @@ knoxJwtRealm.principalMapping = principal.mapping
 authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
 ```
 
+### OpenID Connect
+OpenID Connect is a protocol used by many auth providers like google or 
facebook but also with some external tools like keycloak. Below you'll find a 
`conf/shiro.ini` related to `keycloak` integration.
+
+To enable this, make sure you've built zeppelin with oidc profile and then 
apply the following change in `conf/shiro.ini` under `[main]` section.
+
+You'll have to fill the different parameters below :
+ - CLIENT_ID: for instance zeppelin
+ - CLIENT_SECRET: for instance 4bde2ee4-80bb-4b72-9369-53940201d554. In order 
to get a secret, you'll need to define the client with `confidential` 
access-type.
+ - REALM: the realm defined in keycloak. By default, it's `master`.
+ - KEYCLOAK_BASE_URI: base uri of keycloak. For instance 
`http://localhost:8080/auth`. This attribute is then concataned with 
**"/realms/"+realm+"/.well-known/openid-configuration"**
+ - LOGOUT_URL: url to logout from keycloak. For instance 
`http://localhost:8080/auth/realms/master/protocol/openid-connect/logout`
+ - ZEPPELIN_CALLBACK_URL: url redirected to after successful login. For 
instance `http://localhost:8090/api/callback`
+ - LOGOUT_REDIRECT_URI: For instance go back to zeppelin. 
`http://localhost:8090`. 
+
+```
+[main]
+roleAdminAuthGenerator = 
org.pac4j.core.authorization.generator.FromAttributesAuthorizationGenerator
+roleAdminAuthGenerator.roleAttributes = ROLE_ADMIN
+
+oidcConfig = org.pac4j.oidc.config.KeycloakOidcConfiguration
+oidcConfig.clientId = <CLIENT_ID>
+oidcConfig.secret = <CLIENT_SECRET>
+oidcConfig.realm = <REALM>
+oidcConfig.baseUri = <KEYCLOAK_BASE_URI>
+oidcConfig.useNonce = true
+oidcConfig.clientAuthenticationMethodAsString = client_secret_basic
+
+oidcConfig.logoutUrl = <LOGOUT_URL>
+
+keycloakOidcClient = org.pac4j.oidc.client.KeycloakOidcClient
+keycloakOidcClient.configuration = $oidcConfig
+keycloakOidcClient.authorizationGenerator = $roleAdminAuthGenerator
+
+clients = org.pac4j.core.client.Clients
+clients.callbackUrl = <ZEPPELIN_CALLBACK_URL>
+clients.clients = $keycloakOidcClient
+
+requireRoleAdmin = 
org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer
+requireRoleAdmin.elements = ROLE_ADMIN
 
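Review bot: the parameter list tells the reader to fill in LOGOUT_REDIRECT_URI, but the `[main]` snippet that follows never references it, so a reader of a change titled "Fix OIDC logout" cannot tell where the post-logout redirect is actually configured; either add the property that consumes it to the snippet or drop the bullet. In the same hunk, `requireRoleAdmin` (a `RequireAnyRoleAuthorizer` with `elements = ROLE_ADMIN`) is defined but no `[urls]` entry or filter applying it is shown, and nothing explains how `roleAdminAuthGenerator.roleAttributes = ROLE_ADMIN` relates to the `ROLE_ADMIN` role being required or what must exist on the Keycloak side for it, so the authorization part of the example is not reproducible from the page; a short paragraph on that mapping would close the gap. Minor: "concataned" in the KEYCLOAK_BASE_URI bullet should read "concatenated", and the CLIENT_SECRET bullet would be clearer with an obvious placeholder rather than a realistic-looking UUID.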
 Review comment:
   Does this ROLE_ADMIN need to be configured in keycloak? I think it is related to role-based authorization; can you please put some information related to role-based authorization in the document.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
