OAuth2 authentication setup

    OAuth provides clients "secure delegated access" to server resources on behalf of a resource owner. It specifies a process by which resource owners authorize third-party access to their server resources without handing over their credentials. For more details, visit the official OAuth 2.0 website.

    For Plexus Connect to determine the active authentication server, a configuration file named config.properties needs to be created and saved on the server. We recommend placing it in the configuration folder:

    • for UNIX ~/.chemaxon/plexus-suite/config.properties
    • for Windows ~/chemaxon/plexus-suite/config.properties

    This configuration is activated by the following startup option (the JVM does not expand ~ in a -D value itself, so use an absolute path in practice):

    -Dcom.chemaxon.plexus.connect.configuration.propertiesFilePath=~/chemaxon/plexus-suite/config.properties

    The basic content of config.properties is shown in the following example. Note that a .properties file only supports whole-line comments starting with # (or !); anything written after a value on the same line becomes part of that value, so keep remarks on their own lines. The file holds the client secret, so restrict its permissions to the account that runs Connect.

    authentication.type=oidc
    pass.uri=https://your.amazoncognito.com/oauth2/
    pass.jwk.uri=https://cognito-idp.your_location-1.amazonaws.com/your_location/.well-known/jwks.json
    pass.clientId=client_ID
    pass.clientSecret=client_secret
    # name of the attribute (claim) in the JWT where groups are listed
    pass.jwt.groupKey=group
    # name of the attribute (claim) in the JWT where user roles are specified
    #pass.jwt.roleKey=roles

    Alternatively, the same properties can be placed in nps.properties.

    From the Connect perspective, the authentication server has to provide all the services required by OpenID Connect Session Management. Connect expects a JWT when authorizing against the server.
    The JWT must carry sub and email as mandatory claims; group and roles are optional, but one of them has to be present (under a custom claim name if needed) and mapped to the corresponding property in config.properties.

    When pass.jwt.groupKey=group is configured, Connect inspects the JWT for the group claim, for example "group": ["connect-admins"], which places the user in the group connect-admins. Connect then looks up connect-admins in groupToRolesMapping.json; in this example it finds the roles ["ROLE_ADMIN", "ROLE_EDIT_SCHEMA", "ROLE_CONNECT_ADMIN"], and the logged-in user is assigned those roles.

      {
        "sub": "someUserIdOrClientId",
        "email": "emailOfUser",
        "group": ["connect-admins"],
        "roles": ["ROLES"]
      }

    JSON does not allow comments, so the roles claim is shown with a placeholder: if it is used, the IJC roles to assign need to be specified there.

    Below is an example of groupToRolesMapping.json, where the mapped roles are stored.

    {
     "connect-admins": ["ROLE_ADMIN", "ROLE_EDIT_SCHEMA", "ROLE_CONNECT_ADMIN"],
     "connect-users": ["ROLE_USER"],
     "connect-exporters": ["ROLE_EXPORT_DATA"],
     "noGroup": []
    }
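    The following script is an added example, not part of Plexus Connect or this page's original content. It reproduces the group-to-roles resolution described above offline: it reads the groupKey from a constructed config.properties fragment (honouring only whole-line # comments, as Java does), checks the mandatory sub and email claims, and maps the group claim through a copy of the groupToRolesMapping.json above. Two behaviours go beyond what the page states and are assumptions of this example: a user in several groups gets the union of their roles, and a missing, empty, or entirely unknown group claim falls back to the "noGroup" entry. The JWT is constructed unsigned purely so the example has a token to decode; Connect verifies signatures against pass.jwk.uri, and any real consumer must do the same.

```python
import base64
import json

# Constructed config.properties fragment using the keys from this page.
# Only lines starting with '#' or '!' are comments in a .properties file;
# an inline '//' remark after a value would become part of the value.
CONFIG_PROPERTIES = """
authentication.type=oidc
pass.jwt.groupKey=group
#pass.jwt.roleKey=roles
"""

# Constructed copy of the groupToRolesMapping.json shown on this page.
GROUP_TO_ROLES = json.loads("""
{
 "connect-admins": ["ROLE_ADMIN", "ROLE_EDIT_SCHEMA", "ROLE_CONNECT_ADMIN"],
 "connect-users": ["ROLE_USER"],
 "connect-exporters": ["ROLE_EXPORT_DATA"],
 "noGroup": []
}
""")

MANDATORY_CLAIMS = ("sub", "email")


def parse_properties(text):
    """Minimal parser for key=value lines of a Java .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def decode_jwt_payload(token):
    """Return the claims of a compact JWT. The signature is NOT checked here."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def resolve_roles(claims, props, mapping):
    """Map the groups in the JWT to Connect roles (assumptions: union over
    several groups; fallback to "noGroup" when nothing known is present)."""
    missing = [c for c in MANDATORY_CLAIMS if not claims.get(c)]
    if missing:
        raise ValueError("JWT is missing mandatory claim(s): " + ", ".join(missing))

    group_key = props.get("pass.jwt.groupKey")
    if not group_key:
        raise ValueError("pass.jwt.groupKey is not configured")

    groups = claims.get(group_key, [])
    if isinstance(groups, str):  # some IdPs emit a single group as a bare string
        groups = [groups]

    roles = []
    for group in groups:
        for role in mapping.get(group, []):
            if role not in roles:
                roles.append(role)
    if not roles:
        roles = list(mapping.get("noGroup", []))
    return roles


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned JWT so the example has a token to decode."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


if __name__ == "__main__":
    props = parse_properties(CONFIG_PROPERTIES)
    token = make_unsigned_jwt({"sub": "someUserIdOrClientId",
                               "email": "user@example.com",
                               "group": ["connect-admins", "connect-exporters"]})
    print(resolve_roles(decode_jwt_payload(token), props, GROUP_TO_ROLES))
```

    Run it against the claims your identity provider actually issues (decode a real token's payload, but keep signature verification where it belongs) to confirm that the claim name in pass.jwt.groupKey and the group names in groupToRolesMapping.json line up before deploying the mapping.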

    More about user roles can be found here.

    For the logout service implementation, the following piece of code can be useful:

    import java.io.IOException;

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
    import org.springframework.web.bind.annotation.GetMapping;

    @GetMapping("/oauth/logout") // to be implemented by your OAuth2 server
    public void exit(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // the token can be revoked here if needed
        new SecurityContextLogoutHandler().logout(request, response, null); // logout on your OAuth2 server
        // Send the browser back to the client application. We redirect to the Referer,
        // but that header is client-controlled and may be absent: validate it against the
        // origins you allow (to avoid an open redirect) and fall back to a fixed page.
        String target = request.getHeader("Referer");
        if (target == null || target.isEmpty()) {
            target = "/"; // fallback when no Referer header was sent
        }
        response.sendRedirect(target);
    }

    In the section below, you can find a basic demo tutorial that helps you set up this security solution for Plexus Connect easily: Oauth2_tutorial.