Authentication & Authorization
The DXC Assure Reinsurance Desktop Launcher components are secured using the OAuth2 authorization flow and role-based access. There are two main roles:
- admin role (a read-write role; can create, update and delete environments as well as list them)
- user role (a read-only role; can only list environments)
The Desktop Launcher is tested with Keycloak, an open-source OAuth2 provider. However, it is compatible with any OAuth2 provider.
Below are instructions to set up the OAuth2 flow using Keycloak. For other OAuth2 providers, please refer to their official documentation.
Creating realm
Log in to the Keycloak UI using the Keycloak admin credentials. If it does not already exist, create a realm named sics using the Create Realm option as shown below.

Creating client
Create a client for the desktop launcher application inside the sics realm by navigating to Clients and using the Create Client option as shown below.
Note: The client ID is your choice. By default the desktop launcher components use sics-desktop-launcher; this is configurable in the components, as described in the next sections.
General client configuration
- The client type should be left at the default, OpenID Connect.
- Provide the client ID value.
- Optionally set the client name and description.

Click on Next to select the OAuth2 config.
OAuth2 configuration
- Choose the default settings and ensure that Standard flow is selected as the authentication flow. This is the OpenID Connect redirect-based authentication with authorization code.
Once done, click on Save to create the client.
Create client roles
- Open the client and navigate to the Roles section to create roles for the client as shown below.

- The role names are mandatory: admin for the admin user and user for a normal user.
Enable access settings
- Go to the client settings and navigate to Access settings.
- Add two redirect URIs: one for the Admin UI callback and one for the Environment API.
- For the Admin Web UX, the redirect path must end with /callback.
The screenshot below shows a sample where both the API server and the Admin Web UX are running on localhost.

Enable Scope for roles
- Navigate to the Client scopes tab and click on Add Client scope. This opens the add client scope popup window.
- Search for the scope named roles and choose the type Default to add it to the client, as shown below.

Create realm users and assign required roles
- Create the users who need access to the Admin Web UX and the Desktop Launching component at realm level, as shown below.

- To assign roles to a user, select the user, navigate to the Role mapping tab and click on Assign role. This opens the Assign Role popup window as shown below.

- In the Assign Role popup window, filter the roles by client and assign the appropriate role as shown below.

- It is recommended to assign the role admin to a system admin user, who will be responsible for managing the environment.
- Assign the role user to the users who will use the Desktop Launching component to launch the Assure Reinsurance Desktop App on their local system.
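
To confirm that the steps above took effect, decode an access token issued to a test user and check where the role ended up. The script below is an added example, not part of the DXC documentation or the launcher's code; it assumes Keycloak's default role mappers (client roles under `resource_access.<client-id>.roles`, realm roles under `realm_access.roles`) and uses constructed, unsigned sample tokens.

```python
import base64
import json

CLIENT_ID = "sics-desktop-launcher"   # default client ID named on this page
EXPECTED = {"admin", "user"}          # role names the page makes mandatory


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT WITHOUT verifying its signature.
    Suitable for inspecting configuration only, never for authorizing requests."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_roles(token: str, client_id: str = CLIENT_ID) -> dict:
    """Report which launcher roles the token carries and likely setup mistakes."""
    claims = jwt_claims(token)
    # Assumption: Keycloak's default mappers in the "roles" scope are in use.
    client = set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    realm = set(claims.get("realm_access", {}).get("roles", []))
    problems = []
    if "resource_access" not in claims:
        problems.append("no resource_access claim: is the roles scope added as Default?")
    elif not client & EXPECTED:
        problems.append(f"no admin/user client role for {client_id}")
    if (realm & EXPECTED) - client:
        problems.append("admin/user assigned as a realm role, not a client role")
    return {"roles": sorted(client & EXPECTED), "problems": problems}


def _sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demonstration below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: a correctly mapped admin, and a user whose role was
# created at realm level instead of on the client.
GOOD = _sample_token({"preferred_username": "alice",
                      "resource_access": {CLIENT_ID: {"roles": ["admin"]}}})
BAD = _sample_token({"preferred_username": "bob",
                     "realm_access": {"roles": ["user"]}})

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_roles(tok))
```

If you chose a different client ID when creating the client, pass it as the second argument to `check_roles`.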