04 - MariaDB, Basic Authn, OpenID
This example shows how to configure a database (MariaDB) identity source and basic authentication in our identity provider. The test application (service provider) is a JavaScript React application served by nginx.
We use docker compose to initialize and run all the components.
You can view the example in GitHub
Running the example
You can start all the necessary components by running the following command:
docker-compose up
You will see the logs from all containers starting. After a few seconds, you can access the test application at:
You can use the following credentials to log in: user1 / user1pwd
Tips
You can take a look at the sample React application source code in GitHub
Terraform Configuration
Identity Provider
The identity provider uses basic authentication; in this example passwords are hashed with SHA-256 and the digest is BASE64-encoded, matching what the identity source stores. We also enable OpenID Connect support.
resource "iamtf_idp" "idp-1" {
  ida  = iamtf_identity_appliance.myiam-04.name
  name = "idp-1"

  keystore {
    resource = filebase64("./saml.p12")
    password = "changeme"
  }

  authn_basic {
    priority     = 0
    pwd_hash     = "SHA-256"
    pwd_encoding = "BASE64"
  }

  id_sources = [iamtf_idsource_db.sso-users.name]

  oidc {
    enabled = true
  }

  depends_on = [
    iamtf_identity_appliance.myiam-04
  ]
}
Identity Source
In order for IAM.tf to connect to the database, a JDBC driver must be provided. In this example we use the MariaDB driver. You can download it from here. As part of the docker build process, we copy the driver to the JDBC drivers directory: /opt/atricore/iamtf/server/lib/jdbc/
Tips
This example also shows how to install and use a custom version of IAM.tf's identity source (the extension block below). You can take a look at the source code in GitHub.
resource "iamtf_idsource_db" "sso-users" {
  ida         = iamtf_identity_appliance.myiam-04.name
  description = "DB users"
  name        = "sso-users"

  # Connection information
  jdbc_driver   = "org.mariadb.jdbc.Driver"
  connectionurl = "jdbc:mariadb://db:3306/idm_db"
  username      = "josso"
  password      = "secret"

  # SQL queries to retrieve user information from the DB
  sql_username     = "SELECT LOGIN AS USERNAME FROM JOSSO_USER WHERE LOGIN = ?"
  sql_groups       = "SELECT R.ROLE FROM JOSSO_ROLE R, JOSSO_USER_ROLE UR, JOSSO_USER U WHERE R.ROLE = UR.ROLE AND U.LOGIN = UR.LOGIN AND U.LOGIN = ?"
  sql_credentials  = "SELECT LOGIN AS USERID, PASSWORD FROM JOSSO_USER WHERE LOGIN = ?"

  use_column_name_as_property_name = true
  sql_user_attrs       = "SELECT FIRST_NAME, LAST_NAME, PHONE, E_MAIL AS EMAIL FROM JOSSO_USER WHERE LOGIN = ?"
  sql_relay_credential = "SELECT login FROM josso_user WHERE #?# = ?"

  # connection pooling
  connection_pool = false

  # extension
  extension {
    fqcn = "org.atricore.idbus.examples.sso.dbsource.CustomIdSourceDB"
    type = "INSTANCE"
    property {
      name  = "label"
      value = "CUST-DB-SOURCE"
    }
  }

  depends_on = [
    iamtf_identity_appliance.myiam-04
  ]
}
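To make the link between the authn_basic settings and the identity source queries concrete, here is an added Python example (not part of the original example or of IAM.tf) that builds a constructed in-memory SQLite stand-in for idm_db, stores user1's password the way the IdP expects it and runs the page's sql_credentials and sql_groups queries with bound parameters. It assumes that "SHA-256" + "BASE64" means BASE64 of the raw SHA-256 digest, and the role names and user attributes are constructed sample data.

```python
import base64
import hashlib
import hmac
import sqlite3

# Queries taken from the iamtf_idsource_db resource above. They are written for
# MariaDB, but the "?" placeholders and table layout work unchanged in SQLite.
SQL_CREDENTIALS = "SELECT LOGIN AS USERID, PASSWORD FROM JOSSO_USER WHERE LOGIN = ?"
SQL_GROUPS = ("SELECT R.ROLE FROM JOSSO_ROLE R, JOSSO_USER_ROLE UR, JOSSO_USER U "
              "WHERE R.ROLE = UR.ROLE AND U.LOGIN = UR.LOGIN AND U.LOGIN = ?")


def stored_password(plaintext: str) -> str:
    """Value expected in JOSSO_USER.PASSWORD for pwd_hash = "SHA-256" and
    pwd_encoding = "BASE64": BASE64 of the raw digest (assumed format)."""
    digest = hashlib.sha256(plaintext.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for idm_db with the three JOSSO tables and user1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE JOSSO_USER (LOGIN TEXT PRIMARY KEY, PASSWORD TEXT,
            FIRST_NAME TEXT, LAST_NAME TEXT, PHONE TEXT, E_MAIL TEXT);
        CREATE TABLE JOSSO_ROLE (ROLE TEXT PRIMARY KEY);
        CREATE TABLE JOSSO_USER_ROLE (LOGIN TEXT, ROLE TEXT);
    """)
    conn.execute("INSERT INTO JOSSO_USER VALUES (?,?,?,?,?,?)",
                 ("user1", stored_password("user1pwd"),
                  "User", "One", "555-0100", "user1@example.com"))  # constructed
    conn.executemany("INSERT INTO JOSSO_ROLE VALUES (?)", [("role1",), ("role2",)])
    conn.executemany("INSERT INTO JOSSO_USER_ROLE VALUES (?,?)",
                     [("user1", "role1"), ("user1", "role2")])
    return conn


def authenticate(conn: sqlite3.Connection, login: str, password: str):
    """Mirrors what the IdP does with the credential query: look the user up by
    LOGIN through a bound parameter (never string concatenation), compare the
    stored hash against the hash of the presented password in constant time,
    then resolve the user's roles with the groups query."""
    row = conn.execute(SQL_CREDENTIALS, (login,)).fetchone()
    if row is None:
        return None  # unknown login
    if not hmac.compare_digest(row[1], stored_password(password)):
        return None  # hash mismatch
    roles = [r[0] for r in conn.execute(SQL_GROUPS, (login,))]
    return {"userid": row[0], "roles": sorted(roles)}
```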
Test Application
In this case, the application uses the authorization code flow with PKCE, which is why client_authn is set to NONE. We include most of the parameters supported by the OpenID Connect resource to showcase the available options.
// partner application #1
resource "iamtf_app_oidc" "partnerapp1" {
  ida  = iamtf_identity_appliance.myiam-04.name
  name = "partnerapp1"

  client_id      = "m04-cli01"
  client_secret  = "changeme"
  client_authn   = "NONE" # PKCE
  grant_types    = ["AUTHORIZATION_CODE", "REFRESH_TOKEN"]
  signature_alg  = "HS256"
  encryption_alg = "NONE"
  redirect_uris  = ["http://localhost:3000"]
  response_types = ["CODE"]
  response_modes = ["QUERY"]

  // Identity provider this application trusts
  idp {
    name         = iamtf_idp.idp-1.name
    is_preferred = true
  }

  depends_on = [
    iamtf_identity_appliance.myiam-04
  ]
}