Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/openconext/openconext-access


https://github.com/openconext/openconext-access

Last synced: about 1 year ago
JSON representation

Awesome Lists containing this project

README 

          
# OpenConext-Access



[![Build Status](https://github.com/OpenConext/OpenConext-Access/actions/workflows/actions.yml/badge.svg)](https://github.com/SOpenConext/OpenConext-Access/actions/workflows/actions.yml/badge.svg)

![Coverage](.github/badges/jacoco.svg)

![Branches](.github/badges/branches.svg)



## [Getting started](#getting-started)



### [System Requirements](#system-requirements)



- Java 21

- Maven 3



First install Java 21 with a package manager

and then export the correct the `JAVA_HOME`. For example on macOS:



```bash

export JAVA_HOME=/Library/Java/JavaVirtualMachines/openjdk-21.jdk/Contents/Home/

```



Then create the MySQL database:



```sql

DROP DATABASE IF EXISTS access;

CREATE DATABASE access CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci;

CREATE USER 'access'@'localhost' IDENTIFIED BY 'secret';

GRANT ALL privileges ON `access`.* TO 'access'@'localhost';

```



### [Building and running](#building-and-running)



This project uses Spring Boot and Maven. To run locally, type:



```bash

mvn spring-boot:run

```



To build and deploy (the latter requires credentials in your maven settings):



```bash

mvn clean deploy

```



### [Mail](#mail)



In the default `application.properties` the mail host is `localhost` and the port is `1025`. Run mailpit to capture mails.

See 



### [Endpoints](#endpoints)



### [Mock](#mock)



If you want to use the mock-provisioning, add the following metadata in Manage.



SCIM:



```json

"provisioning_type": "scim",

"scim_url": "https://mock.test.surfconext.nl/api/scim/v2",

"scim_user": "user",

"scim_password": "secret",

"scim_update_role_put_method": true

```



eVA



```json

"provisioning_type": "eva",

"eva_token": "secret",

"eva_guest_account_duration": 30

"eva_url": "https://mock.test.surfconext.nl/eva",

```



Graph



```json

"provisioning_type": "graph",

"graph_url": "https://mock.test.surfconext.nl/graph/users",

"graph_client_id" : "client_id",

"graph_domain" : "hartingcollege.onmicrosoft.com",

"graph_secret" : "secret",

"graph_tenant": "tenant"

```



### [Local endpoints](#local-endpoints)



Login with Mujina IdP and user `admin` to become super-user in the local environment



### [Institution Admin](#institution-admin)



To become an institution admin in access, add the following values as `eduPersonEntitlements` using Mujina:



- urn:mace:surfnet.nl:surfnet.nl:sab:organizationGUID:ad93daef-0911-e511-80d0-005056956c1a

- urn:mace:surfnet.nl:surfnet.nl:sab:role:SURFconextverantwoordelijke



### [Technical documentation](#technical-documentation)



### Security



There are several security filters in Access:



- OAuth2 login where the user logs in with OpenIDConnect. Access is acting as a backend server and cookies are used to

  identify the user in the security context.

- Access token login where the user has logged in with OpenIDConnect and the client obtained an access token. Access is

  acting as a resource server. The API is stateless and for now no token introspects are cached.

- Basic Authentication for voot, teams, aa, profile, deprovision and sp_dashboard endpoints. The API is stateless and

  the API users are stored in memory. Endpoints are also secured by scope.

- API token header (`X-API-TOKEN`) generated for institutional_admins (or super_users) in the GUI. The user stored in

  the security context is the first user with the same organisational GUID (or super_user) as the user who has generated

  the token.



### Provisioning Secrets



The secrets (passwords / API-keys) used in provisionings are encrypted in OpenConext-Manage using keypairs.



#### Create private / public keypair



```bash

openssl genrsa -traditional -out private_key.pem 2048

openssl rsa -pubout -in private_key.pem -out public_key.pem

```



#### Convert private key to pkcs8 format in order to import it from Java



```bash

openssl pkcs8 -topk8 -in private_key.pem -inform pem -out private_key_pkcs8.pem -outform pem -nocrypt

```