Authentication onboarding
You can onboard workloads to Identity and Access Management (IAM) either during or after installation of IBM Cloud Private.
Onboarding is the configuration of workloads in IBM Cloud Private IAM so that they can use the platform's authentication and authorization services. As part of this process, each workload must make itself known to IAM as a service by registering itself with the authentication service and with the authorization service.
- Obtain the OAuth secret.
  The OpenID Connect (OIDC) client registration process requires access to a secret in the kube-system namespace: the OAUTH2_CLIENT_REGISTRATION_SECRET key of the Kubernetes secret platform-oidc-credentials. Treat this value as an administrative credential; whoever holds it can register new OIDC clients with the authentication service. The following steps build the registration payload that you send together with this secret.
- Construct the client registration payload.
  Use the content of the platform-oidc-registration.json file, which is stored in the registration-json ConfigMap. Run these commands to get it:
  - Install kubectl. For more information, see Installing the Kubernetes CLI (kubectl).
  - Run the following command to save the ConfigMap that holds platform-oidc-registration.json:
        kubectl get cm registration-json -n kube-system -o yaml > platform-oidc-registration.yaml
  - Open the file:
        cat platform-oidc-registration.yaml
    Following is sample content:
        apiVersion: v1
        data:
          platform-oidc-registration.json: |
            {
              "token_endpoint_auth_method":"client_secret_basic",
              "client_id": "<WLP_CLIENT_ID>",
              "client_secret": "<WLP_CLIENT_SECRET>",
              "scope":"openid profile email",
              "grant_types":[
                "authorization_code",
                "client_credentials",
                "password",
                "implicit",
                "refresh_token",
                "urn:ietf:params:oauth:grant-type:jwt-bearer"
              ],
              "response_types":[
                "code",
                "token",
                "id_token token"
              ],
              "application_type":"web",
              "subject_type":"public",
              "post_logout_redirect_uris":[
                "https://<ICP_PROXY_IP>:<PORT_WHERE_SERVICE_RUNS>"
              ],
              "preauthorized_scope":"openid profile email general",
              "introspect_tokens":true,
              "trusted_uri_prefixes":[
                "https://<ICP_ENDPOINT>:<port>",
                "https://<ICP_PROXY_IP>"
              ],
              "redirect_uris":["https://<ICP_PROXY_IP>:<PORT_WHERE_SERVICE_RUNS>/auth/liberty/callback"]
            }
        kind: ConfigMap
        metadata:
          creationTimestamp: "2019-05-09T07:59:55Z"
          name: registration-json
          namespace: kube-system
          resourceVersion: "1540"
          selfLink: /api/v1/namespaces/kube-system/configmaps/registration-json
          uid: <uid>
  - Copy the JSON content that follows the platform-oidc-registration.json key. From the sample content, the following JSON is copied:
        {
          "token_endpoint_auth_method":"client_secret_basic",
          "client_id": "<WLP_CLIENT_ID>",
          "client_secret": "<WLP_CLIENT_SECRET>",
          "scope":"openid profile email",
          "grant_types":[
            "authorization_code",
            "client_credentials",
            "password",
            "implicit",
            "refresh_token",
            "urn:ietf:params:oauth:grant-type:jwt-bearer"
          ],
          "response_types":[
            "code",
            "token",
            "id_token token"
          ],
          "application_type":"web",
          "subject_type":"public",
          "post_logout_redirect_uris":[
            "https://<ICP_PROXY_IP>:<PORT_WHERE_SERVICE_RUNS>"
          ],
          "preauthorized_scope":"openid profile email general",
          "introspect_tokens":true,
          "trusted_uri_prefixes":[
            "https://<ICP_ENDPOINT>:<port>",
            "https://<ICP_PROXY_IP>"
          ],
          "redirect_uris":["https://<ICP_PROXY_IP>:<PORT_WHERE_SERVICE_RUNS>/auth/liberty/callback"]
        }
  - Create the customized version of your platform-oidc-registration.json content by editing the sample content.
    The wlp_client_id and wlp_client_secret values can be generated by the content service itself, for example by its Helm chart. A template that produces them might resemble the following:
        wlp_client_id: {{ randAlphaNum 32 | b64enc | quote }}
        wlp_client_secret: {{ randAlphaNum 32 | b64enc | quote }}
    Use the generated values for client_id and client_secret, and keep client_secret out of source control and container images: it is the credential that your workload presents at the token endpoint. The redirect_uris value is the callback URL that the WebSphere Liberty server calls to complete the OAuth dance; it must be an https URL under one of the trusted_uri_prefixes, because the authentication service redirects only to a registered redirect_uris entry. Keep only the grant_types and response_types that the workload uses: a web UI that completes the authorization code flow needs authorization_code (and refresh_token) and does not need implicit, password or client_credentials.
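The steps above, as an added example that is not IBM's code: this Python builds the registration payload from the template shown in the ConfigMap, fills the placeholders, generates client_id and client_secret with the same shape as the Helm snippet (32 random alphanumerics, base64-encoded), checks that every redirect URI is https and lies under a trusted_uri_prefixes entry, and packages the request that the registration step's curl command sends. It assumes the template shape on this page; the grant_types and response_types are trimmed to the authorization code flow, and the host names, ports and secrets used below are constructed placeholders.

```python
"""Build, validate and package the OIDC client-registration payload.

Example added to this page; it is not IBM's code. It assumes the template has the
shape shown in the registration-json ConfigMap on this page. Host names, ports and
the registration secret used in the usage section are constructed placeholders.
"""
import base64
import json
import secrets
import string

# Template with the placeholders as they appear in the ConfigMap (grant and response
# types trimmed to the code flow). In a real run, fetch the JSON without its YAML wrapper:
#   kubectl get cm registration-json -n kube-system \
#       -o jsonpath='{.data.platform-oidc-registration\.json}'
REGISTRATION_TEMPLATE = """{
  "token_endpoint_auth_method": "client_secret_basic",
  "client_id": "<WLP_CLIENT_ID>", "client_secret": "<WLP_CLIENT_SECRET>",
  "scope": "openid profile email",
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "application_type": "web", "subject_type": "public",
  "post_logout_redirect_uris": ["https://<ICP_PROXY_IP>:<PORT_WHERE_SERVICE_RUNS>"],
  "preauthorized_scope": "openid profile email general",
  "introspect_tokens": true,
  "trusted_uri_prefixes": ["https://<ICP_ENDPOINT>:<port>", "https://<ICP_PROXY_IP>"],
  "redirect_uris": ["https://<ICP_PROXY_IP>:<PORT_WHERE_SERVICE_RUNS>/auth/liberty/callback"]
}"""
PLACEHOLDERS = ("<WLP_CLIENT_ID>", "<WLP_CLIENT_SECRET>", "<ICP_PROXY_IP>",
                "<PORT_WHERE_SERVICE_RUNS>", "<ICP_ENDPOINT>", "<port>")


def rand_alpha_num_b64(length=32):
    """Same value shape as the Helm expression {{ randAlphaNum 32 | b64enc }}:
    `length` random alphanumerics, then base64."""
    alphabet = string.ascii_letters + string.digits
    raw = "".join(secrets.choice(alphabet) for _ in range(length))
    return base64.b64encode(raw.encode()).decode()


def under_prefix(uri, prefix):
    """True if `uri` is `prefix` or continues it at a ':' or '/' boundary, so that a
    prefix of https://10.0.0.5 does not also cover https://10.0.0.5.evil.example."""
    return uri == prefix or uri.startswith(prefix + "/") or uri.startswith(prefix + ":")


def validate_registration(payload):
    """Checks applied before sending a registration (this editor's rules, not IBM's)."""
    dumped = json.dumps(payload)
    leftover = [p for p in PLACEHOLDERS if p in dumped]
    if leftover:
        raise ValueError(f"unfilled placeholders: {leftover}")
    if payload["token_endpoint_auth_method"] != "client_secret_basic":
        raise ValueError("token endpoint auth method must stay client_secret_basic")
    for uri in payload["redirect_uris"] + payload["post_logout_redirect_uris"]:
        if not uri.startswith("https://"):
            raise ValueError(f"redirect URI must be https: {uri}")
        if not any(under_prefix(uri, p) for p in payload["trusted_uri_prefixes"]):
            raise ValueError(f"redirect URI outside trusted_uri_prefixes: {uri}")
    return True


def build_registration(proxy_ip, service_port, icp_endpoint, icp_port,
                       client_id=None, client_secret=None):
    """Fill the template and validate it. Credentials are generated unless supplied."""
    values = {
        "<WLP_CLIENT_ID>": client_id or rand_alpha_num_b64(),
        "<WLP_CLIENT_SECRET>": client_secret or rand_alpha_num_b64(),
        "<ICP_PROXY_IP>": proxy_ip,
        "<PORT_WHERE_SERVICE_RUNS>": str(service_port),
        "<ICP_ENDPOINT>": icp_endpoint,
        "<port>": str(icp_port),
    }
    text = REGISTRATION_TEMPLATE
    for placeholder, value in values.items():
        text = text.replace(placeholder, value)
    payload = json.loads(text)
    validate_registration(payload)
    return payload


def registration_request(icp_endpoint, icp_port, registration_secret, payload):
    """The request the curl command on this page sends, as (url, headers, body):
    oauthadmin and OAUTH2_CLIENT_REGISTRATION_SECRET go in HTTP Basic auth."""
    creds = base64.b64encode(f"oauthadmin:{registration_secret}".encode()).decode()
    url = f"https://{icp_endpoint}:{icp_port}/idauth/oidc/endpoint/OP/registration"
    headers = {"Authorization": f"Basic {creds}", "Content-Type": "application/json"}
    return url, headers, json.dumps(payload).encode()


if __name__ == "__main__":
    reg = build_registration("10.0.0.5", 3000, "icp.example.internal", 8443)
    url, headers, body = registration_request("icp.example.internal", 8443,
                                              "constructed-registration-secret", reg)
    print(url)
    print(json.dumps(reg, indent=2))
```

To feed a real value into registration_request, read the secret with kubectl rather than pasting it into a file: kubectl get secret platform-oidc-credentials -n kube-system -o jsonpath='{.data.OAUTH2_CLIENT_REGISTRATION_SECRET}' | base64 -d. The under_prefix boundary check is deliberately stricter than a plain string prefix match, so a prefix of https://<ICP_PROXY_IP> cannot be satisfied by a look-alike host.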
- Register a client with the IBM Cloud Private authentication service.
  The first step towards onboarding a workload to the IBM Cloud Private authentication service is to register it as a client of that service, which is based on WebSphere Liberty. The registration is important because it is through this registration that the authentication service knows:
  - That the workload is an authorized client of the authentication service.
  - Where to redirect requests for this client after successful authentication.
  Most content workloads have a login page of their own and redirect to their service-specific dashboard page after successful login.
  From your Kubernetes pod, run the following API command:
      curl -i -k -X POST -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET -H "Content-Type: application/json" --data @platform-oidc-registration.json https://icp-ip:port/idauth/oidc/endpoint/OP/registration
  Set OAUTH2_CLIENT_REGISTRATION_SECRET in the shell from the platform-oidc-credentials secret before you run the command. The -k flag disables TLS certificate verification; outside a lab, replace it with --cacert and the cluster's CA certificate so that neither the registration secret nor the client secret in the payload is sent to an unverified endpoint.
Authentication enforcement by workloads
After you register the content service as a client of the IBM Cloud Private authentication service, you can use the IBM Cloud Private OIDC authentication endpoints to enforce authentication.
The following OIDC and OAuth 2.0 endpoints are exposed by IBM Cloud Private:
- https://icp-ip:port/v1/info
- https://icp-ip:port/v1/auth/token
- https://icp-ip:port/v1/auth/authorize
- https://icp-ip:port/v1/auth/userInfo
- https://icp-ip:port/v1/auth/introspect
- https://icp-ip:port/v1/auth/
UI authentication - OAUTH Dance implementation
The /authorize endpoint from the list of OIDC APIs can be used by the content service for its user interface based login.
The request to this endpoint carries the client ID and the redirect_uri, which is how the IBM Cloud Private authentication service determines where the user is redirected after successful authentication. The redirect_uri must match one of the redirect_uris that were specified during the client registration process. The client secret is not sent to /authorize; it is used only when the content service calls /token.
The redirect_uris entry is the callback that the Liberty server calls to complete the OAuth dance. This callback URL of the content service should first verify that the state value in the callback matches the one it generated when it started the login, then take the authorization code and send the /token request, authenticating with the client ID and secret (client_secret_basic), to get valid access tokens. With these tokens set in the server-side session, the content service can forward the request to the intended page on its service after successful authentication.
CLI authentication
The /identitytoken API endpoint is an IBM Cloud Private-specific API that can be used to enforce authentication from the command line. After you log in, the content service can use the /introspect and /userInfo API endpoints to validate the user's authentication.
Configuring single sign-on
You can configure single sign-on for services and applications by using the IBM Cloud Private authentication service.
The content service achieves single sign-on for its services and applications by using the IBM Cloud Private authentication service. Before it shows its login page, the service checks the validity of the token that is already in the browser session by calling the OIDC token validation APIs (/introspect). If the token is still valid, the user is not directed to the login page; the token from the existing, unexpired session is reused instead.
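The UI authentication section above describes the OAuth dance and this section describes the session check that gives single sign-on; the following Python is an added example serving both, and it is not IBM's or WebSphere Liberty's code. It assumes the client was registered with the redirect_uris value used in the registration step; FakeOP is an in-memory stand-in for the authentication service so that the exchange runs offline, and the client credentials, hosts and subject name are constructed. The content service side starts the dance with a state value bound to the session, verifies that state on the callback, exchanges the code at /token with client_secret_basic credentials, and on later requests asks /introspect whether the session token is still active before deciding whether to show a login page.

```python
"""Authorization-code flow for a content service registered with IBM Cloud Private,
plus the introspection check that gives single sign-on between its pages.

Example added to this page; not IBM's or WebSphere Liberty's code. FakeOP stands in
for the authentication service so the exchange runs offline; a real content service
sends the same parameters over TLS to https://icp-ip:port/v1/auth/authorize, /token
and /introspect. Client credentials, hosts and the subject name are constructed.
"""
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

CLIENT_ID = "constructed-client-id"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://10.0.0.5:3000/auth/liberty/callback"  # as registered
OP_BASE = "https://icp-ip:8443/v1/auth"


class FakeOP:
    """Minimal OP: single-use codes only for a registered redirect_uri, client
    authentication with client_secret_basic at /token, and /introspect answers."""
    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, {REDIRECT_URI})}
        self.codes = {}   # code -> (client_id, redirect_uri, subject)
        self.tokens = {}  # access_token -> (subject, expiry)

    def authorize(self, params, subject):
        """The user just authenticated as `subject`; return the redirect Location."""
        if params["redirect_uri"] not in self.clients[params["client_id"]][1]:
            raise PermissionError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (params["client_id"], params["redirect_uri"], subject)
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, authorization, form):
        cid, secret = base64.b64decode(authorization.split(" ", 1)[1]).decode().split(":", 1)
        if not hmac.compare_digest(secret, self.clients[cid][0]):
            raise PermissionError("bad client credentials")
        issued_to, redirect_uri, subject = self.codes.pop(form["code"])  # single use
        if issued_to != cid or redirect_uri != form["redirect_uri"]:
            raise PermissionError("code was issued to another client or redirect_uri")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (subject, time.time() + 3600)
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, token):
        subject, expiry = self.tokens.get(token, (None, 0))
        return {"active": expiry > time.time(), "sub": subject}


class ContentService:
    """The workload side: start the dance, handle the callback, check sessions."""
    def __init__(self, op):
        self.op = op

    def login_redirect(self, session):
        """Step 1: bind a fresh state to the session and send the browser to /authorize.
        The client secret is not sent here; it is used only server-side at /token."""
        session["oauth_state"] = secrets.token_urlsafe(16)
        query = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                 "scope": "openid profile email", "state": session["oauth_state"]}
        return OP_BASE + "/authorize?" + urlencode(query)

    def callback(self, session, callback_url):
        """Step 2: the registered redirect_uris endpoint. Check state against the
        session, then exchange the code for tokens using client_secret_basic."""
        qs = parse_qs(urlsplit(callback_url).query)
        expected = session.pop("oauth_state", None)
        if expected is None or not hmac.compare_digest(qs.get("state", [""])[0], expected):
            raise PermissionError("state mismatch: possible CSRF or replayed callback")
        creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        form = {"grant_type": "authorization_code", "code": qs["code"][0],
                "redirect_uri": REDIRECT_URI}
        session["access_token"] = self.op.token("Basic " + creds, form)["access_token"]
        return session

    def is_authenticated(self, session):
        """SSO check: a session whose token is still active skips the login page."""
        token = session.get("access_token")
        return bool(token) and self.op.introspect(token)["active"]


def run_flow(subject="alice"):
    """Drive browser, content service and OP through one complete login."""
    op, session = FakeOP(), {}
    svc = ContentService(op)
    authorize_url = svc.login_redirect(session)
    params = {k: v[0] for k, v in parse_qs(urlsplit(authorize_url).query).items()}
    svc.callback(session, op.authorize(params, subject))  # browser follows the redirect
    return svc, session


def forged_callback_is_rejected():
    """A callback whose state does not match the session must not create a session."""
    svc, session = ContentService(FakeOP()), {}
    svc.login_redirect(session)
    try:
        svc.callback(session, REDIRECT_URI + "?code=stolen&state=not-ours")
    except PermissionError:
        return "access_token" not in session
    return False
```

Calling run_flow() returns a content service and a session that is_authenticated accepts; the same method returns False for an empty session or for a token the OP never issued, which is the decision point for redirecting to /authorize. forged_callback_is_rejected() shows why the state check matters: without it, an attacker who obtained a code for a different session could log the victim into the attacker's account.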