Merge pull request #24 from com-pas/develop

Develop -> Main

Author: Dennis Labordus

README.md

@@ -45,11 +45,12 @@ To start all configured services, go to the `docker` directory and run the follo
 This first command builds 2 containers (keycloak and reverse proxy) and next command starts all CoMPAS services at the same time.
 Now, the following services are available:
 
-- open-scd, available at [http://localhost/](http://localhost/). **Not fully working yet, can't communicate with Data Service yet.**
+- open-scd, available at [http://localhost/](http://localhost/).
+- logout,  available at [http://localhost/logout](http://localhost/logout).
 - scl-data-service, available at [http://localhost/compas-scl-data-service](http://localhost/compas-scl-data-service).
-- basex, available at [http://localhost:1984/](http://localhost:1984/)
 - cim-mapping - IEC 61850 mapping, available at [http://localhost/compas-cim-mapping/](http://localhost/compas-cim-mapping/).
-- keycloak, available at [http://localhost/auth/](http://localhost/auth/) or direclty if needed [http://localhost:8080/auth/](http://localhost:8080/auth/).
+- basex, available at [http://localhost:1984/](http://localhost:1984/)
+- keycloak, available at [http://localhost/auth/](http://localhost/auth/) or directly if needed [http://localhost:8089/auth/](http://localhost:8089/auth/).
     - Imports the demo configuration.
 - reverse-proxy, OpenResty instance that works as a reverse proxy so all services are available through a single port.
     - The JWT Access Token is added to the header for all Services, like the SCL Data Service.

docker/docker-compose.yml

@@ -17,35 +17,39 @@ services:
   keycloak:
     build: keycloak
     ports:
-      - "8080:8080"
+      - "8089:8080"
     environment:
       - KEYCLOAK_FRONTEND_URL=http://localhost/auth/
+      - PROXY_ADDRESS_FORWARDING=true
 
   scl-data-service:
-    image: "lfenergycompas/compas-scl-data-service:0.3.0"
+    image: "lfenergycompas/compas-scl-data-service:0.6.2"
     environment:
       - BASEX_HOST=basex
       - BASEX_PORT=1984
       - JWT_VERIFY_KEY=http://keycloak:8080/auth/realms/compas/protocol/openid-connect/certs
       - JWT_VERIFY_ISSUER=http://localhost/auth/realms/compas
       - JWT_VERIFY_CLIENT_ID=scl-data-service
       - JWT_GROUPS_PATH=resource_access/scl-data-service/roles
+      - USERINFO_NAME_CLAIMNAME=name
+      - USERINFO_WHO_CLAIMNAME=name
     depends_on:
       - basex
       - keycloak
 
   cim-mapping:
-    image: "lfenergycompas/compas-cim-mapping:0.2.0"
+    image: "lfenergycompas/compas-cim-mapping:0.6.0"
     environment:
       - JWT_VERIFY_KEY=http://keycloak:8080/auth/realms/compas/protocol/openid-connect/certs
       - JWT_VERIFY_ISSUER=http://localhost/auth/realms/compas
       - JWT_VERIFY_CLIENT_ID=cim-mapping
       - JWT_GROUPS_PATH=resource_access/cim-mapping/roles
+      - USERINFO_WHO_CLAIMNAME=name
     depends_on:
       - keycloak
 
   open-scd:
-    image: "lfenergycompas/compas-open-scd:v0.6.0-compas-3"
+    image: "lfenergycompas/compas-open-scd:v0.7.0-compas-4"
     depends_on:
       - scl-data-service
       - cim-mapping

docker/keycloak/keycloak_compas_realm.json

@@ -1,7 +1,7 @@
 {
   "id" : "compas",
   "realm" : "compas",
-  "notBefore" : 0,
+  "notBefore" : 1631530948,
   "defaultSignatureAlgorithm" : "RS256",
   "revokeRefreshToken" : false,
   "refreshTokenMaxReuse" : 0,
@@ -958,7 +958,8 @@
       "config" : {
         "included.client.audience" : "cim-mapping",
         "id.token.claim" : "false",
-        "access.token.claim" : "true"
+        "access.token.claim" : "true",
+        "userinfo.token.claim" : "false"
       }
     } ],
     "defaultClientScopes" : [ "web-origins", "roles", "profile", "email" ],
@@ -1001,6 +1002,7 @@
       "backchannel.logout.session.required" : "true",
       "client_credentials.use_refresh_token" : "false",
       "saml_force_name_id_format" : "false",
+      "require.pushed.authorization.requests" : "false",
       "saml.client.signature" : "false",
       "tls.client.certificate.bound.access.tokens" : "false",
       "saml.authnstatement" : "false",
@@ -1091,6 +1093,7 @@
       "backchannel.logout.session.required" : "true",
       "client_credentials.use_refresh_token" : "false",
       "saml_force_name_id_format" : "false",
+      "require.pushed.authorization.requests" : "false",
       "saml.client.signature" : "false",
       "tls.client.certificate.bound.access.tokens" : "false",
       "saml.authnstatement" : "false",
@@ -1630,7 +1633,7 @@
       "subType" : "authenticated",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-full-name-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper" ]
+        "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-full-name-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", "saml-user-property-mapper" ]
       }
     }, {
       "id" : "1df6c9e4-319c-43c1-a0f8-e97a9741cd36",
@@ -1639,7 +1642,7 @@
       "subType" : "anonymous",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-usermodel-property-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", "saml-user-property-mapper", "oidc-address-mapper", "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper" ]
+        "allowed-protocol-mapper-types" : [ "oidc-usermodel-property-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper" ]
       }
     }, {
       "id" : "276e7a01-2481-494c-a009-81965ed751a3",
@@ -1693,6 +1696,12 @@
       "subComponents" : { },
       "config" : { }
     } ],
+    "org.keycloak.userprofile.UserProfileProvider" : [ {
+      "id" : "8e0ccee3-891c-4dfc-919c-0e323e3fc048",
+      "providerId" : "declarative-user-profile",
+      "subComponents" : { },
+      "config" : { }
+    } ],
     "org.keycloak.keys.KeyProvider" : [ {
       "id" : "49476e47-e217-44bf-8a49-18da0d28c330",
       "name" : "rsa-generated",
@@ -1729,7 +1738,7 @@
   "internationalizationEnabled" : false,
   "supportedLocales" : [ ],
   "authenticationFlows" : [ {
-    "id" : "0b70f6ce-2def-4002-9536-e30ef5b51109",
+    "id" : "47735bac-4f25-4640-95cc-7768e936100f",
     "alias" : "Account verification options",
     "description" : "Method with which to verity the existing account",
     "providerId" : "basic-flow",
@@ -1751,7 +1760,7 @@
       "autheticatorFlow" : true
     } ]
   }, {
-    "id" : "510f4a83-673e-43cb-8f1b-3f3dea901804",
+    "id" : "3474fd7f-5fdb-41d9-81e0-370d5864483b",
     "alias" : "Authentication Options",
     "description" : "Authentication options.",
     "providerId" : "basic-flow",
@@ -1780,7 +1789,7 @@
       "autheticatorFlow" : false
     } ]
   }, {
-    "id" : "f596697e-ae08-4371-a742-42dbab302b43",
+    "id" : "93be177f-4477-4edb-ade0-1026a6c57a6d",
     "alias" : "Browser - Conditional OTP",
     "description" : "Flow to determine if the OTP is required for the authentication",
     "providerId" : "basic-flow",
@@ -1802,7 +1811,7 @@
       "autheticatorFlow" : false
     } ]
   }, {
-    "id" : "e5bd8472-95b6-4182-bf71-48ac7d57ee9d",
+    "id" : "b2313c20-b215-47e5-952d-4e10a83b25fd",
     "alias" : "Direct Grant - Conditional OTP",
     "description" : "Flow to determine if the OTP is required for the authentication",
     "providerId" : "basic-flow",
@@ -1824,7 +1833,7 @@
       "autheticatorFlow" : false
     } ]
   }, {
-    "id" : "167776d0-db42-44ea-888a-fa4fca4cb6e1",
+    "id" : "55afb317-43e1-4a0e-8461-a16c328dca8c",
     "alias" : "First broker login - Conditional OTP",
     "description" : "Flow to determine if the OTP is required for the authentication",
     "providerId" : "basic-flow",
@@ -1846,7 +1855,7 @@
       "autheticatorFlow" : false
     } ]
   }, {
-    "id" : "d8f35e9f-8eb4-4e8c-ac80-e1f09568b9ad",
+    "id" : "145db225-ffaf-4bd6-8360-2a495520bd84",
     "alias" : "Handle Existing Account",
     "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
     "providerId" : "basic-flow",
@@ -1868,7 +1877,7 @@
       "autheticatorFlow" : true
     } ]
   }, {
-    "id" : "a1ea2aff-8cd8-4858-b88a-3cc3541fd202",
+    "id" : "ba40de9e-306c-485a-8687-5c86abf79fa2",
     "alias" : "Reset - Conditional OTP",
     "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
     "providerId" : "basic-flow",
@@ -1890,7 +1899,7 @@
       "autheticatorFlow" : false
     } ]
   }, {
-    "id" : "2c046f6c-1ebb-4413-bd0b-60e75af8a1d5",
+    "id" : "80d844c8-429e-49ea-8e08-4960bde67568",
     "alias" : "User creation or linking",
     "description" : "Flow for the existing/non-existing user alternatives",
     "providerId" : "basic-flow",
@@ -1913,7 +1922,7 @@
       "autheticatorFlow" : true
     } ]
   }, {
-    "id" : "9c8ba2e7-e552-4e08-914a-918dae66382f",
+    "id" : "a97f2d07-45a7-4445-b869-20795baf4dcb",
     "alias" : "Verify Existing Account by Re-authentication",
     "description" : "Reauthentication of existing account",
     "providerId" : "basic-flow",
@@ -1935,7 +1944,7 @@
       "autheticatorFlow" : true
     } ]
   }, {
-    "id" : "2c7d3895-0f00-4aae-acda-1fe3d1a460be",
+    "id" : "e8f6310f-8871-4161-9470-7eab44101e64",
     "alias" : "browser",
     "description" : "browser based authentication",
     "providerId" : "basic-flow",
@@ -1971,7 +1980,7 @@
       "autheticatorFlow" : true
     } ]
   }, {
-    "id" : "e3ad3625-fda3-43c6-a818-e5c70ef135f2",
+    "id" : "3a8bdb67-f2fc-472e-b5c1-2eb41f053dd0",
     "alias" : "clients",
     "description" : "Base authentication for clients",
     "providerId" : "client-flow",
@@ -2007,7 +2016,7 @@
       "autheticatorFlow" : false
     } ]
   }, {
-    "id" : "1ddd9c0e-d7b5-4784-9aac-6a034d8eee69",
+    "id" : "779ef763-3b57-465d-94de-559b65ccf58f",
     "alias" : "direct grant",
     "description" : "OpenID Connect Resource Owner Grant",
     "providerId" : "basic-flow",
@@ -2036,7 +2045,7 @@
       "autheticatorFlow" : true
     } ]
   }, {
-    "id" : "8836c38f-aef1-46fe-8369-606aca0f44b9",
+    "id" : "f45d8704-6179-491b-b70a-6e234fa3f532",
     "alias" : "docker auth",
     "description" : "Used by Docker clients to authenticate against the IDP",
     "providerId" : "basic-flow",
@@ -2051,7 +2060,7 @@
       "autheticatorFlow" : false
     } ]
   }, {
-    "id" : "547b29d8-2a30-4b68-bfe6-ee83edb9ff53",
+    "id" : "4c97b8eb-50bc-4be9-a3cd-7164502e4d25",
     "alias" : "first broker login",
     "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
     "providerId" : "basic-flow",
@@ -2074,7 +2083,7 @@
       "autheticatorFlow" : true
     } ]
   }, {
-    "id" : "94601b35-bc2b-4473-92a6-57c82211c679",
+    "id" : "1206b0d1-0126-47af-8574-88b6a182460c",
     "alias" : "forms",
     "description" : "Username, password, otp and other auth forms.",
     "providerId" : "basic-flow",
@@ -2096,7 +2105,7 @@
       "autheticatorFlow" : true
     } ]
   }, {
-    "id" : "58e72ae4-c436-4552-9b30-5e43dadda814",
+    "id" : "654f2651-edde-400e-a1f5-b86392802919",
     "alias" : "http challenge",
     "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes",
     "providerId" : "basic-flow",
@@ -2118,7 +2127,7 @@
       "autheticatorFlow" : true
     } ]
   }, {
-    "id" : "8c7edef9-f089-4b3d-a91c-0ca0361a50b6",
+    "id" : "ce53a107-0e6c-4b2a-b27d-6bc0ffbce21b",
     "alias" : "registration",
     "description" : "registration flow",
     "providerId" : "basic-flow",
@@ -2134,7 +2143,7 @@
       "autheticatorFlow" : true
     } ]
   }, {
-    "id" : "589ff3f9-1bea-40f2-9bf7-9b156a23ace9",
+    "id" : "6af6a8b4-d186-4363-aa9d-7f093815cce3",
     "alias" : "registration form",
     "description" : "registration form",
     "providerId" : "form-flow",
@@ -2170,7 +2179,7 @@
       "autheticatorFlow" : false
     } ]
   }, {
-    "id" : "a0387112-af87-4804-b019-b8e8e800622e",
+    "id" : "15f7d277-f0b3-48b9-a64b-48ae16663d87",
     "alias" : "reset credentials",
     "description" : "Reset credentials for a user if they forgot their password or something",
     "providerId" : "basic-flow",
@@ -2206,7 +2215,7 @@
       "autheticatorFlow" : true
     } ]
   }, {
-    "id" : "756273e1-58ef-41b3-8bd9-c21a7c065f17",
+    "id" : "fc0b0fee-985e-4885-a0ff-d7eb4d48a4cd",
     "alias" : "saml ecp",
     "description" : "SAML ECP Profile Authentication Flow",
     "providerId" : "basic-flow",
@@ -2222,13 +2231,13 @@
     } ]
   } ],
   "authenticatorConfig" : [ {
-    "id" : "d0a7a250-71d1-41df-9c91-c9007f9d8fad",
+    "id" : "a123d762-dbe5-408a-b2bd-09695596c0cc",
     "alias" : "create unique user config",
     "config" : {
       "require.password.update.after.registration" : "false"
     }
   }, {
-    "id" : "8978bf31-cd77-4947-9331-02c92b0d7751",
+    "id" : "717f4403-9133-441c-89c1-42d044a5b29a",
     "alias" : "review profile config",
     "config" : {
       "update.profile.on.first.login" : "missing"

docker/reverse-proxy/Dockerfile

@@ -5,9 +5,11 @@
 FROM openresty/openresty:alpine-fat
 
 RUN mkdir /var/log/nginx
+
 RUN apk add --no-cache openssl-dev
 RUN apk add --no-cache git
 RUN apk add --no-cache gcc
+
 RUN luarocks install lua-resty-openidc
 
 RUN mkdir -p /etc/nginx/include

docker/reverse-proxy/authenticate.include

@@ -1,6 +1,6 @@
 access_by_lua_block {
   local opts = {
-    redirect_uri_path = "/redirect_uri",
+    redirect_uri = "http://localhost/redirect_uri",
     discovery = "http://keycloak:8080/auth/realms/compas/.well-known/openid-configuration",
     client_id = "openscd",
     redirect_uri_scheme = "http",
@@ -12,7 +12,7 @@ access_by_lua_block {
   }
 
   -- call introspect for OAuth 2.0 Bearer Access Token validation
-  local res, err, _, session = require("resty.openidc").authenticate(opts)
+  local res, err = require("resty.openidc").authenticate(opts)
 
   if err then
     ngx.status = 403