Configuration Guide

The Provisioning Application is configured via Spring Boot profiles. Default configuration properties are defined in application.properties.

Authentication Configuration

There are two separate authentication options to authenticate a user for the provisioning app.

  • CROWD (default)

  • OAUTH2

Note that the current OAUTH2 implementation is only used to authenticate the user to the provisioning app itself. The authentication used for the REST API calls to Atlassian Crowd, Jira, Confluence, Bitbucket and Rundeck is done either with the logged-in user's credentials (user name and password) or with the technical users that are configured in the active Spring Boot profile.

Authentication Crowd Configuration

application.properties
provision.auth.provider=crowd (1)
spring.profiles.active=crowd (2)
1 Configures the Crowd authentication provider.
2 Includes the crowd profile by default.

The Crowd-specific configuration is done in the included profile crowd; see the property documentation inside the profile file application-crowd.properties. The provided example configuration is appropriate for a locally installed OpenDevStack environment.

Authentication OAUTH2 Configuration

A default OAUTH2 configuration is given in the Spring Boot profile application-oauth2.properties. The provided example configuration is appropriate for a locally installed OpenDevStack environment when the idmanager Vagrant box is used.

application-oauth2.properties
provision.auth.provider=oauth2 (1)

idmanager.url=http://192.168.56.32:8080 (2)
idmanager.realm=provisioning-app (3)

oauth2.user.roles.jsonpointerexpression=/claims/roles (4)

(5)
spring.security.oauth2.client.registration.keycloak.client-id=ods-provisioning-app
spring.security.oauth2.client.registration.keycloak.client-secret=put-your-secret-here
spring.security.oauth2.client.registration.keycloak.clientName=ods-provisioning-app
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.keycloak.redirectUri={baseUrl}/login/oauth2/code/{registrationId}
spring.security.oauth2.client.registration.keycloak.scope=openid

(6)
spring.security.oauth2.client.provider.keycloak.authorization-uri=${idmanager.url}/auth/realms/${idmanager.realm}/protocol/openid-connect/auth
spring.security.oauth2.client.provider.keycloak.token-uri=${idmanager.url}/auth/realms/${idmanager.realm}/protocol/openid-connect/token
spring.security.oauth2.client.provider.keycloak.user-info-uri=${idmanager.url}/auth/realms/${idmanager.realm}/protocol/openid-connect/userinfo
spring.security.oauth2.client.provider.keycloak.jwk-set-uri=${idmanager.url}/auth/realms/${idmanager.realm}/protocol/openid-connect/certs
spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username
1 Configures the OAUTH2 authentication provider.
2 URL of the idmanager. The value defaults to the OpenDevStack idmanager box with its Keycloak installation.
3 Name of the realm that is used.
4 The application reads the user roles from a claim inside the OAUTH2 ID token. The property oauth2.user.roles.jsonpointerexpression is a JsonPointer expression that defines the path to the roles that are extracted from the ID token. Details regarding pointer expressions can be found in the Jackson-core JsonPointer documentation.
5 Defines the OAUTH2 client registration properties, in particular the client name and client secret. See OAUTH2 Spring Boot 2.x Property Mappings for details.
6 Defines the OAUTH2 client.provider properties. These properties correspond to the well-known OAUTH2 URIs. In the case of Keycloak, these URIs can be read from the realm's .well-known/openid-configuration endpoint.
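The following is an added example (not code from the ods-provisioning-app project) showing how a value of oauth2.user.roles.jsonpointerexpression such as /claims/roles is resolved with Jackson's JsonPointer against a decoded ID-token payload. The class name RoleClaimExtractor, the method extractRoles and the sample payload are assumptions made for this example; the point it demonstrates is that a path that does not exist in the token yields Jackson's "missing node" rather than an exception, so a misconfigured expression silently results in a user with no roles, which is worth logging.

```java
// Added example, not part of the provisioning app: resolve the configured JsonPointer
// expression against the decoded JSON payload of an OAUTH2 ID token.
import com.fasterxml.jackson.core.JsonPointer;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class RoleClaimExtractor {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /**
     * Extracts role names from an ID-token payload.
     *
     * @param idTokenPayloadJson the decoded (already base64url-decoded) JSON payload of the ID token
     * @param pointerExpression  the value of oauth2.user.roles.jsonpointerexpression, e.g. "/claims/roles"
     * @return the roles found at that path; empty if the path is absent or not an array of strings
     */
    public static List<String> extractRoles(String idTokenPayloadJson, String pointerExpression) throws Exception {
        JsonNode payload = MAPPER.readTree(idTokenPayloadJson);

        // JsonPointer.compile() throws IllegalArgumentException for an expression that does not
        // start with '/', so a typo in the property fails fast at startup rather than per login.
        JsonPointer pointer = JsonPointer.compile(pointerExpression);
        JsonNode rolesNode = payload.at(pointer);

        // A path that is not present in the token yields a "missing node", never null.
        // Treat it (and any non-array value) as "no roles" and make the misconfiguration visible.
        if (rolesNode.isMissingNode() || !rolesNode.isArray()) {
            System.err.println("WARN no role array found in ID token at pointer " + pointerExpression);
            return Collections.emptyList();
        }

        List<String> roles = new ArrayList<>();
        for (JsonNode role : rolesNode) {
            if (role.isTextual()) {
                roles.add(role.asText());
            }
        }
        return roles;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload; a real Keycloak ID token carries many more claims.
        String payload = "{\"preferred_username\":\"jdoe\","
                + "\"claims\":{\"roles\":[\"developer\",\"project-admin\"]}}";

        // Pointer from the configuration above: resolves to the two roles.
        System.out.println(extractRoles(payload, "/claims/roles"));

        // A pointer that does not match the token layout resolves to the missing node.
        System.out.println(extractRoles(payload, "/realm_access/roles"));
    }
}
```

Keycloak does not put roles under /claims/roles by default; that path only exists if the realm's client has a mapper that writes the roles there, which is why the property is configurable. Checking the decoded token against the configured pointer, as the main method does, is the quickest way to verify a new realm setup.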

Authentication to third party apps via technical users

The REST API calls use HTTP basic access authentication to communicate with Jira, Confluence, Bitbucket and Rundeck. The credentials used are read from a pair of properties. For example, the rundeck.admin_user and rundeck.admin_password properties are used for Rundeck, confluence.admin_user and confluence.admin_password are used for Confluence, etc.

application-oauth2.properties
# configure technical user for rundeck. Do not authenticate via oauth2, since not implemented.
rundeck.admin_password=rundeck_admin
rundeck.admin_user=rundeck_admin

# configure technical user for bitbucket. Do not authenticate via oauth2, since not implemented.
bitbucket.admin_password=bitbucket_admin
bitbucket.admin_user=bitbucket_admin

# configure technical user for confluence. Do not authenticate via oauth2, since not implemented.
confluence.admin_password=confluence_admin
confluence.admin_user=confluence_admin

# configure technical user for jira. Do not authenticate via oauth2, since not implemented.
jira.admin_password=jira_admin
jira.admin_user=jira_admin
Note: if the pair of properties is not defined for a third-party tool, the logged-in user's credentials are used to authenticate against that application. The credentials are read by calling the methods getUserName and getUserPassword of IODSAuthnzAdapter. See also the implementation of org.opendevstack.provision.services.BaseServiceAdapter#authenticatedCall().
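As an added example (not the project's own BaseServiceAdapter code), the following class shows the credential selection the two preceding paragraphs describe: the <tool>.admin_user / <tool>.admin_password pair wins when both values are configured, otherwise the logged-in user's name and password are used, and the result is turned into the HTTP Basic Authorization header value. The names ThirdPartyCredentials, LoggedInUser and resolve are assumptions made for this example; LoggedInUser stands in for the adapter's getUserName/getUserPassword methods, and the properties are passed as a plain Map instead of the Spring environment.

```java
// Added example, not part of the provisioning app: choose technical-user credentials or
// fall back to the logged-in user, then build the HTTP Basic header value.
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;

public class ThirdPartyCredentials {

    /** Hypothetical stand-in for the getUserName/getUserPassword methods of IODSAuthnzAdapter. */
    public interface LoggedInUser {
        String getUserName();
        String getUserPassword();
    }

    /** Resolved credentials plus a flag telling which source they came from (useful in audit logs). */
    public record Credentials(String user, String password, boolean technicalUser) {
        public String basicAuthHeaderValue() {
            String token = user + ":" + password;
            return "Basic " + Base64.getEncoder().encodeToString(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    /**
     * @param tool     property prefix such as "jira", "confluence", "bitbucket" or "rundeck"
     * @param props    the resolved application properties (a plain Map here for the example)
     * @param loggedIn the currently authenticated user of the provisioning app
     */
    public static Credentials resolve(String tool, Map<String, String> props, LoggedInUser loggedIn) {
        String user = props.get(tool + ".admin_user");
        String password = props.get(tool + ".admin_password");

        // Only a complete pair counts as a technical user. A half-configured pair must not
        // silently combine a technical user name with the logged-in user's password.
        if (isSet(user) && isSet(password)) {
            return new Credentials(user, password, true);
        }
        return new Credentials(
                Objects.requireNonNull(loggedIn.getUserName(), "no logged-in user name"),
                Objects.requireNonNull(loggedIn.getUserPassword(), "no logged-in user password"),
                false);
    }

    private static boolean isSet(String value) {
        return value != null && !value.isBlank();
    }

    public static void main(String[] args) {
        // Constructed sample: a technical user is configured for Jira only, with the
        // placeholder values from the property snippet above.
        Map<String, String> props = Map.of(
                "jira.admin_user", "jira_admin",
                "jira.admin_password", "jira_admin");

        LoggedInUser me = new LoggedInUser() {
            public String getUserName() { return "jdoe"; }
            public String getUserPassword() { return "constructed-sample-password"; }
        };

        // Jira: the technical user pair is complete, so it is used.
        Credentials jira = resolve("jira", props, me);
        System.out.println("jira technicalUser=" + jira.technicalUser() + " header=" + jira.basicAuthHeaderValue());

        // Confluence: no pair configured, so the logged-in user's credentials are used.
        Credentials confluence = resolve("confluence", props, me);
        System.out.println("confluence technicalUser=" + confluence.technicalUser());
    }
}
```

Because Basic authentication sends the password base64-encoded rather than encrypted, the technical-user passwords in the profile file and the logged-in user's password alike are only as safe as the TLS connection to each third-party tool; the technicalUser flag in the record makes it easy to log which identity a provisioning call was made with without logging the header itself.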