...
Info: This document focuses on the following:
...
Design
...
Considerations
It is recommended to run the From HTTP Channel used for Authentication on a dedicated Iguana instance, separate from the Production Iguana. Note that the API call temporarily logs the Username and Password: they arrive as GET query parameters, so they appear in the channel's request log.
When external authentication is used, Iguana creates an "Ad Hoc" user session. If no Role name exists in both Iguana and KeyCloak, Iguana creates the Ad Hoc user with no permissions. If matching Iguana Roles exist, Iguana logs the Ad Hoc user in with those Iguana Roles.
The KeyCloak password and the Iguana password do not need to match; only the Role names do.
How to
KeyCloak Sandbox Configuration
...
If the user exists in KeyCloak and the token request succeeds, Iguana responds with (and logs) a 1 followed by the list of all assigned Roles; otherwise it responds with a 0.
Code Example
-- Entry point of the From HTTP Channel used for external authentication.
-- Iguana calls it with the username and password as GET query parameters.
function main(Data)
   -- Parse the login GET request for username and password
   local request = net.http.parseRequest{data=Data}
   local name = request.get_params.name
   local pass = request.get_params.password
   local body
   -- Validate the username and password in KeyCloak.
   -- On success respond with "1" followed by one assigned role per line,
   -- otherwise respond with "0".
   local success, roles = validateViaKeycloak(name, pass)
   if success then
      body = '1'
      for _, role in ipairs(roles) do
         body = body .. '\r\n' .. role
      end
   else
      body = '0'
   end
   net.http.respond{
      body = body,
      entity_type = "text/plain"
   }
   -- Log the decision and the username only, never the password
   iguana.logInfo('Returning "' .. body .. '" for: ' .. tostring(name))
end

-- Authenticate the user with KeyCloak using the password grant.
-- Returns true and the list of realm roles on success, false otherwise.
function validateViaKeycloak(name, pass)
   local clientId = 'iguana'
   -- Sandbox endpoint: outside the sandbox use https and the production realm
   local tokenURL = 'http://localhost:8080/realms/master/protocol/openid-connect/token'
   if name == nil or pass == nil then
      return false
   end
   local tokenRequest = net.http.post{
      url = tokenURL,
      headers = {['Content-Type']='application/x-www-form-urlencoded'},
      parameters = {
         ['grant_type'] = 'password',
         ['client_id'] = clientId,
         ['username'] = name,
         ['password'] = pass
      },
      live=true
   }
   -- A successful login returns a JSON body containing access_token.
   -- A failed login returns a JSON error object (or a non-JSON body) with no token.
   local ok, response = pcall(json.parse, {data=tokenRequest})
   if not ok or type(response) ~= 'table' or response.access_token == nil then
      return false
   end
   return true, getRoles(response.access_token)
end

-- Extract the realm roles from the JWT payload. The payload is trusted here
-- only because the token was just issued to us by KeyCloak over the token
-- endpoint; the signature is not checked.
function getRoles(token)
   local parts = token:split('.')
   if #parts ~= 3 then
      return {}
   end
   -- JWT segments are base64url encoded without padding: map the URL-safe
   -- alphabet back to standard base64 and restore the padding before decoding
   local b64 = parts[2]:gsub('%-', '+'):gsub('_', '/')
   b64 = b64 .. string.rep('=', (4 - #b64 % 4) % 4)
   local payload = json.parse{data=filter.base64.dec(b64)}
   if type(payload.realm_access) ~= 'table' or payload.realm_access.roles == nil then
      return {}
   end
   return payload.realm_access.roles
end
Reference
How to install KeyCloak docker:
How to configure an API in KeyCloak: https://www.youtube.com/watch?v=zyqWpFUPTnE
KeyCloak Postman project: https://documenter.getpostman.com/view/7294517/SzmfZHnd
...