Connecting an Identity Provider

enaio® 9.10 »

Identity providers such as Keycloak can be connected to enaio® gateway for authentication in enaio® webclient and enaio® webclient as a desktop application using OpenID Connect/OAuth2 via a reverse proxy, such as OpenResty.

The installation and configuration of OpenResty with Keycloak for this scenario are outlined below.

Installing OpenResty

OpenResty can be integrated into a docker environment or installed directly in Windows.

OpenResty as a Docker Service

The installation takes place in the following steps:

  • Create a directory for the OpenResty configuration file.

    The path must not contain spaces. For example: C:\openresty

  • Execute the following docker commands via the command prompt:

    • Create the OpenResty container:

      docker create --name openresty -p 80:80 -v C:\openresty:/etc/nginx/conf.d docker.yuuvis.org/library/openresty

      Both port entries must be identical and match the port for OpenResty in the openresty.conf file.

      For configuration, copy the modified openresty.conf file into the container.

    • Start the OpenResty container:

      docker start openresty

    • Check the container:

      docker container list -a

      The container must display the Up status.

OpenResty in Windows

The installation takes place in the following steps:

Configuring OpenResty

Configuration takes place via the openresty.conf file, which is available for download. The file must be modified and then copied into the corresponding directories: into the container for OpenResty as a docker service or into the \conf\ directory of the Windows installation.

In addition to placeholders, which must be replaced, the file contains other parameters that can be optionally modified or extended. Refer to the documentation of Nginx and OpenResty for more information.

Placeholders and parameters in the configuration file:

  • listen ${port};

    The port through which OpenResty accepts requests.

    By default, OpenResty expects that port 80 is available, even if the listen port is changed.

  • proxy_pass ${gateway-url};

    Root URL of enaio® gateway. All requests received by OpenResty are forwarded to this address.

  • ${header-name}

    Header name; it must match the header configured for HTTP header authentication in enaio® gateway.

  • ${discovery-url}

    The URL via which OpenResty retrieves the identity provider's configuration.

  • ${client-id} and ${client-secret}

    Client ID and secret from the identity provider's client configuration.

  • ${user-field}

    User name parameter whose value is transmitted to enaio® gateway for login.

    A user account with the same, unique name must exist in the enaio® user administration.

    Example: preferred_username

    The placeholder must be replaced at two places in the configuration file.

  • lua_shared_dict introspection 10m;

    Optional: time period in minutes for which bearer tokens remain in the cache for authentication.
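The following server block shows how these placeholders fit together when the proxy uses the lua-resty-openidc module. It is an added example, not the openresty.conf file offered for download, and it assumes lua-resty-openidc is present in the OpenResty image; the host names, the realm "enaio", port 8080, the gateway port 8081 and the header name X-Enaio-User are constructed values.

```nginx
# Added example, not the downloadable openresty.conf. Assumes lua-resty-openidc is
# present in the OpenResty image; host names, realm "enaio", ports 8080/8081 and
# the header name X-Enaio-User are constructed values.
lua_shared_dict discovery     1m;     # cache for the OIDC discovery document
lua_shared_dict jwks          1m;     # cache for the identity provider's signing keys
lua_shared_dict introspection 10m;    # bearer-token introspection cache (see table above)
resolver 127.0.0.11 valid=30s;        # Docker's embedded DNS; adjust on a Windows host
server {
    listen 8080;                                      # ${port}
    location / {
        access_by_lua_block {
            local openidc = require("resty.openidc")
            local opts = {
                discovery     = "https://keycloak.example.com/realms/enaio/.well-known/openid-configuration", -- ${discovery-url}
                client_id     = "enaio-webclient",             -- ${client-id}
                client_secret = "CLIENT_SECRET_PLACEHOLDER",   -- ${client-secret}
                redirect_uri  = "/redirect_uri",
                logout_path   = "/logout",   -- target of the gateway's defaultLogoutRedirect
                redirect_after_logout_uri = "/",
            }
            local res, err
            if (ngx.var.http_authorization or ""):find("^Bearer ") then
                -- API clients present a bearer token: validate it at the identity provider (cached in 'introspection')
                res, err = openidc.introspect(opts)
            else
                -- browsers: OpenID Connect authorization code flow with a session cookie
                res, err = openidc.authenticate(opts)
            end
            if err or not res then
                ngx.status = ngx.HTTP_UNAUTHORIZED
                return ngx.exit(ngx.HTTP_UNAUTHORIZED)
            end
            -- the two places for ${user-field}: the ID token claim (browser session)
            -- and the same claim in the introspection response (bearer token)
            local user = (res.id_token and res.id_token.preferred_username)
                         or res.preferred_username
            if not user then
                return ngx.exit(ngx.HTTP_UNAUTHORIZED)
            end
            -- set_header replaces any client-supplied copy, so the gateway only sees the verified name
            ngx.req.set_header("X-Enaio-User", user)         -- ${header-name}
        }
        proxy_pass http://enaio-gateway:8081;                 # ${gateway-url}
        proxy_set_header Host $host;
    }
}
```

Because the gateway trusts the header unconditionally, the gateway port must only be reachable through OpenResty, otherwise the user name could be supplied directly.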

Configuring enaio® gateway

enaio® gateway must be configured for authentication via HTTP header.

Additionally, the enaio® gateway application-prod.yml configuration file must be extended in order to redirect the logout to OpenResty’s logout.

proxy:
  defaultLogoutRedirect: '/logout'

enaio® gateway is installed with port 80 by default. If OpenResty is installed on the same host, as is recommended, then a free port must be configured for enaio® gateway. If OpenResty is running on another host, then logins – for example to enaio® webclient – must be made via this host.