7.3.3. Authentication

Important

The Nubus SCIM Server is in an early state with limited configuration capability. For detailed limitations, see Limitations.

The Nubus SCIM Server requires an OpenID Connect token. This page describes the requirements for generating a token that the Nubus SCIM Server accepts, how to configure the server, and how to test the authentication. If you already use a SCIM client, you most likely already have an OpenID Connect client configured. If not, you can find the necessary configuration steps for an OpenID Connect client in Keycloak here.

The Nubus SCIM Server has the following requirements for the token:

  1. OpenID Connect provider

    In Nubus for Kubernetes, the identity provider typically is Keycloak. The token must …

    • Provide an Identity Provider well-known endpoint.

    • Support JSON Web Token (JWT) signing algorithms.

    • Include required claims in issued tokens.

  2. JWT token validation

    • The Nubus SCIM Server validates tokens against JWKS (JSON Web Key Set) from the OpenID Connect provider.

    • The Nubus SCIM Server requires the following claims:

      • azp for the authorized party or client ID

      • aud for the audience

      • exp for the expiration

Note

The Nubus SCIM Server uses the azp and aud claims of the JWT token for authorization. You configure the allowed values; the Nubus SCIM Server only accepts a token whose claims match them.
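As an added illustration (not code from the Nubus SCIM Server or this page), the following Python applies the checks listed above in the order a validator would: signature against a JWKS, then the azp, aud and exp claims against the allowedClientId and allowedAudience values that Listing 7.9 configures. The JWKS, the signing key and the tokens are constructed inline, and a symmetric HS256 key stands in for Keycloak's RS256 so the script runs offline.

```python
import base64, hashlib, hmac, json, time
# Constructed JWKS standing in for the provider's published key set. An "oct"/HS256 key keeps
# this runnable offline; Keycloak publishes RSA keys (RS256), which need a JOSE library to verify.
SECRET = b"constructed-example-signing-key"
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(SECRET).rstrip(b"=").decode()}]}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, kid: str = "k1") -> str:
    """Issue a signed token the way the identity provider would (constructed issuer)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate(token: str, jwks: dict, allowed_audience: str, allowed_client_id: str, now=None) -> dict:
    """Apply the checks the page lists: JWKS signature, then the azp, aud and exp claims."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    # Pin the algorithm to the JWKS entry; never trust the token header alone.
    if key is None or key.get("alg") != "HS256" or header.get("alg") != key["alg"]:
        raise ValueError("no usable JWKS key for this token")
    expected = hmac.new(b64url_decode(key["k"]), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify against JWKS")
    claims = json.loads(b64url_decode(body_b64))
    for name in ("azp", "aud", "exp"):
        if name not in claims:
            raise ValueError(f"missing required claim {name}")
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims["azp"] != allowed_client_id:
        raise ValueError("azp does not match allowedClientId")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]  # aud may be string or list
    if allowed_audience not in aud:
        raise ValueError("allowedAudience not present in aud")
    return claims

def check(token: str, allowed_audience="scim-api-access", allowed_client_id="scim-client", now=None) -> str:
    """Return "ok" or the rejection reason; defaults are the values from Listing 7.9."""
    try:
        validate(token, JWKS, allowed_audience, allowed_client_id, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Feeding a token whose aud is a different string than allowedAudience is rejected, which is why the audience configured in the Keycloak mapper and the allowedAudience value must be identical.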

7.3.3.1. Required service components

To deploy the Nubus SCIM Server with authentication, you need the following service components:

OpenID Connect client
  • OpenID Connect client registered with the identity provider.

  • Must support client credentials grant type.

  • Client ID must match the azp claim in issued tokens.

  • Must set a correct aud claim in the issued tokens.

Nubus SCIM Server

7.3.3.2. Configuration

The Nubus SCIM Server uses OpenID Connect tokens for authentication. The identity provider and the token claims need a customized configuration. This section describes the necessary steps. If you use the Nubus Keycloak, refer to OpenID Connect client for how to add a properly configured client.

Warning

Recommendation: keep the authentication activated for security reasons.

  1. To configure the token claims for validation and authentication, add the following keys to your custom_values.yaml values file. These are the values used in your OpenID Connect client configuration. Listing 7.9 shows an example.

    Listing 7.9 Configure token claims for validation and authentication in Nubus SCIM Server
    nubusScimServer:
        config:
            auth:
              enabled: true
              allowedAudience: 'scim-api-access'
              allowedClientId: 'scim-client'
    
  2. To configure the identity provider for token validation, add the following keys in your custom_values.yaml values file. Listing 7.10 shows an example.

    Listing 7.10 Configure the IDP for the Nubus SCIM Server
    nubusScimServer:
        keycloak:
            connection:
                url: "https://id.example.com"
                realm: "nubus"
    
  3. To apply the configuration, follow the steps in Apply configuration.

7.3.3.3. OpenID Connect client

You need to create an OpenID Connect client in Keycloak. If you already have a client, you need to ensure that it meets the requirements in Required service components.

  1. Sign in to the Keycloak Admin Console by following the steps in Keycloak Admin Console.

  2. Select the appropriate realm. If you use the default Nubus configuration, the realm is nubus.

  3. To create a client, click the Create client button in the Clients section.

  4. Set a proper Client ID, such as scim-client.

  5. Activate Service accounts roles in the Capability config section; this enables the client credentials grant type. This may also require activating Client authentication.

  6. Save the client.

  7. In the client details, select the Client scopes tab.

  8. To add a mapper, click the scim-client-dedicated assigned client scope.

  9. Click Configure a new mapper.

  10. Select Audience from the list.

  11. Give the mapper a meaningful name, such as scim-audience-mapper.

  12. To add an audience claim, set a value for Included Custom Audience, such as scim-api-usage.

  13. Save the mapper.

7.3.3.4. Example

To use the Nubus SCIM Server, you need to authenticate using OpenID Connect. Here’s an example of obtaining a token and using it.

  1. Store the script in Listing 7.11 in the test-auth.sh file.

  2. Run test-auth.sh with parameters matching your environment, as shown in Listing 7.12.

Listing 7.11 test-auth.sh: Obtain a token from the identity provider, request the Nubus SCIM Server
#!/bin/bash
set -euo pipefail

keycloak_base="${1%/}"   # realm URL of the identity provider, trailing slash removed
scim_base="${2%/}"       # base URL of the Nubus SCIM Server, trailing slash removed
client_id="$3"
client_secret="$4"

# Obtain a token from Keycloak with the client credentials grant
echo "Getting access token"
token="$(curl -sS --fail -X POST \
    -d "client_id=${client_id}" \
    -d "client_secret=${client_secret}" \
    -d "grant_type=client_credentials" \
    "${keycloak_base}/protocol/openid-connect/token" | jq -r .access_token)"

# Stop if Keycloak did not return an access token
if [ -z "${token}" ] || [ "${token}" = "null" ]; then
    echo "No access token received; check the client ID and client secret" >&2
    exit 1
fi

# Use the token to access the Nubus SCIM Server
echo "Getting all SCIM resources"
curl -sS --fail \
    -H "Authorization: Bearer ${token}" \
    "${scim_base}/scim/v2/" | jq
Listing 7.12 Use test-auth.sh to test authentication
$ chmod u+x test-auth.sh
$ ./test-auth.sh \
    "https://keycloak.example.com/realms/nubus/" \
    "https://scim.example.test" \
    "scim-client" \
    "your_client_secret"