Integrating an Identity Provider

yuuvis® RAD 8.x

For authentication purposes, identity providers like Keycloak can be integrated into yuuvis® RAD gateway using OpenID Connect/OAuth2 by way of a reverse proxy such as OpenResty.

The basic steps required to install and configure Keycloak for a scenario like the one shown above are described here.

Installing OpenResty

OpenResty can be integrated into a Docker environment as a service or installed directly in Windows.

OpenResty as a Docker Service

Steps to install the service:

  • Create a directory for the OpenResty configuration file.

    The path may not contain any spaces. Example: C:\openresty

  • Run the following Docker commands via the command prompt:

    • Create OpenResty container:

      docker create --name openresty -p 80:80 -v C:\openresty:/etc/nginx/conf.d docker.yuuvis.org/library/openresty

      The two port numbers in the -p option (host port and container port) must be identical and must match the port configured for OpenResty in the openresty.conf file.

      Copy the modified openresty.conf file into the mounted configuration directory (C:\openresty in the example) so that the container finds it under /etc/nginx/conf.d.

    • Start OpenResty container:

      docker start openresty

    • Check container:

      docker container list -a

      The container must have the status Up.

Running OpenResty in Windows

Steps to install OpenResty:

Configuring OpenResty

OpenResty is configured via the openresty.conf file, which is available for download. Edit the file and save it in the corresponding directory: the mounted configuration directory of the container for OpenResty as a Docker service, or the \conf\ directory of the Windows installation.

Aside from placeholders that need to be replaced, the file also contains additional parameters that can optionally be changed or extended. For more information please refer to the Nginx and OpenResty documentation.

Placeholders and Parameters in the Configuration File

  listen ${port};
    Port on which OpenResty accepts incoming calls. Unless this value is changed, OpenResty expects port 80 to be available.

  proxy_pass ${gateway-url};
    Root URL of yuuvis® RAD gateway. OpenResty forwards all incoming calls to this address.

  ${header-name}
    Header name according to the HTTP header configuration of yuuvis® RAD gateway.

  ${discovery-url}
    URL from which OpenResty retrieves the configuration of the identity provider.

  ${client-id}
  ${client-secret}
    Client ID and client secret from the client configuration of the identity provider.

  ${user-field}
    Name of the user name parameter whose value is passed to yuuvis® RAD gateway for logging in. A user account with the corresponding name must exist in the yuuvis® RAD user administration. Example: preferred_username. This placeholder must be replaced at two places in the configuration file.

  lua_shared_dict introspection 10m;
    Optional: time period in minutes for which the bearer tokens used for authentication remain in the cache.

Configuring yuuvis® RAD gateway

yuuvis® RAD gateway must be configured for authentication via HTTP header.

To do this, add the following entries to the gateway-prod.yml configuration file. The header name must be the one that OpenResty sets (${header-name} in openresty.conf):

  authentication.filter.header.name: 'X-User'
  routing.logoutSuccessRedirect: '/restylogout'
  authentication.filter.oauth2: true
  server.forward-headers-strategy: NATIVE
The following setting in the application-prod.yml configuration file from the \config directory of yuuvis® RAD service-manager is also required:

  server.max-http-header-size: 1MB
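As an added consistency check (not part of this documentation or of the yuuvis® RAD product), the following Python script verifies the points made above on constructed sample files: no ${...} placeholder is left in openresty.conf, the listen port matches the docker -p mapping, the required gateway-prod.yml entries are present, and the header name configured for the gateway appears in openresty.conf. The file contents, the host name and the set directive in the sample are constructed assumptions, not the downloadable configuration.

```python
import re
# Constructed sample inputs: an openresty.conf with ${client-secret} still unreplaced and a gateway-prod.yml
SAMPLE_OPENRESTY_CONF = """
server {
    listen 80;
    set $client_secret "${client-secret}";
    # the user name taken from the token is forwarded to the gateway in the X-User header
    proxy_pass http://gateway.example.internal:8080;
}
"""
SAMPLE_GATEWAY_PROD_YML = """
authentication.filter.header.name: 'X-User'
routing.logoutSuccessRedirect: '/restylogout'
authentication.filter.oauth2: true
server.forward-headers-strategy: NATIVE
"""
REQUIRED_GATEWAY_SETTINGS = {
    "authentication.filter.header.name": "X-User",
    "routing.logoutSuccessRedirect": "/restylogout",
    "authentication.filter.oauth2": "true",
    "server.forward-headers-strategy": "NATIVE",
}
def unreplaced_placeholders(conf):
    # every ${...} placeholder still present in openresty.conf, de-duplicated and sorted
    return sorted(set(re.findall(r"\$\{[A-Za-z0-9_-]+\}", conf)))

def parse_flat_yaml(text):
    # gateway-prod.yml uses flat 'dotted.key: value' lines; surrounding quotes are stripped
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("#"):
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def check(conf, gateway_yml, docker_publish):
    # returns findings; an empty list means openresty.conf, gateway-prod.yml and 'docker -p' agree
    findings = [f"openresty.conf: placeholder {p} not replaced" for p in unreplaced_placeholders(conf)]
    listen = re.search(r"^\s*listen\s+(\d+)\s*;", conf, re.MULTILINE)
    port = listen.group(1) if listen else None
    host_port, _, container_port = docker_publish.partition(":")
    if not (host_port == container_port == port):
        findings.append(f"port mismatch: docker -p {docker_publish} vs listen {port}")
    settings = parse_flat_yaml(gateway_yml)
    findings += [f"gateway-prod.yml: {k} should be {v!r}, is {settings.get(k)!r}"
                 for k, v in REQUIRED_GATEWAY_SETTINGS.items() if settings.get(k) != v]
    # the gateway takes this header's value as the logged-in user, so the name must match exactly
    header = settings.get("authentication.filter.header.name")
    if header and header not in conf:
        findings.append(f"openresty.conf does not set the {header} header expected by the gateway")
    return findings
```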

Configuration for yuuvis® RAD agent

If yuuvis® RAD agent is used in environments with Identity Provider and OpenID Connect/OAuth2, installation requires that you make a corresponding entry in the connections.json configuration file and set up an additional configuration file that provides connection data to the Identity Provider.