Openboxes & IAM integration

I really appreciate your help to advance the implementation of openboxes.
Now that I have passed the installation and configuration of the required modules, I want to know if it is possible to integrate Openboxes with an “identity and access management” and thereby cover one of the company’s requirements: Integrate Openboxes with the IAM that it uses (Keycloak).
I have read in the documentation that with openboxes you have the ability to authenticate through the directory service and even that you are planning to integrate with third party systems using the REST API.
I seek your advice to identify the best way to integrate Openboxes with some “identity and access management” like this without having to “reinvent the wheel”.
Thanks in advance for your support.

I’ve added a proof of concept OIDC implementation. I’ll share more information in the next day or two.

Brilliant! Thank you so much.

Ok so here’s the information I promised.

The code is still in development and has been pushed to the following branch / PR

We don’t use Spring Security at the moment (we’re waiting until after our migration to Grails 3 / 4, which is in progress). So this OIDC implementation is admittedly a bit hacky. However, it seems to work for more than one identity provider, so there’s that.

It works with Google and I’ve had it working with Azure for a period of time, but I’ve recently encountered an issue where Azure stopped sending me the email claim in the callback. I haven’t had time to debug that, but essentially we are unable to properly complete the user registration / authentication process without performing some gymnastics.

FWIW I would be psyched to integrate with Keycloak so let’s keep in touch regarding your efforts there.

The code has been deployed to one of our test servers, but is currently broken due to a related auth issue. I’ll try to fix that in the next few days to weeks. Remind me if you don’t hear from me by next Friday.

Justin

Hello Justin,
Among the different topics in which we are advancing, we are still looking for a way to integrate Openboxes with Keycloak, but we have not yet achieved it. Well, here I am taking your help hoping you have had the opportunity to restore that server where you started the tests. Surely with the experience you already have and the skills of the team, we were able to implement this integration.
Thanks in advance.

I just pushed a bug fix to the OIDC branch (138-google-auth) a few minutes ago, so it should be deployed to the demo4 server (Login) in a little bit. If it works you’ll be able to sign up with a Google account, but you’ll still need to log in with the default credentials (admin / password) to enable the new user.

Here’s a quick demo video (give it a few minutes to upload).

And here’s the config:

# Google OAuth Client credentials
openboxes.oauth2Providers.google.enabled = true
openboxes.oauth2Providers.google.title = Google
openboxes.oauth2Providers.google.btnClass = btn btn-danger btn-block btn-google
openboxes.oauth2Providers.google.iconClass = fa fa-google
openboxes.oauth2Providers.google.redirectUrl = https://openboxes.ngrok.io/openboxes/openIdConnect/callback/google
openboxes.oauth2Providers.google.clientId = 599920567438-vf5202nb02kfr39jq1jri02nb9bdbrqk.apps.googleusercontent.com
openboxes.oauth2Providers.google.clientSecret = ********************************
openboxes.oauth2Providers.google.scopes = openid profile email
openboxes.oauth2Providers.google.responseType = code
openboxes.oauth2Providers.google.domainHint = openboxes.com
openboxes.oauth2Providers.google.openIdConfigurationUrl=https://accounts.google.com/.well-known/openid-configuration
openboxes.oauth2Providers.google.grantType = authorization_code

# Azure OAuth Client credentials
openboxes.oauth2Providers.microsoft.enabled = false
openboxes.oauth2Providers.microsoft.title = Microsoft
openboxes.oauth2Providers.microsoft.btnClass = btn btn-primary btn-block btn-microsoft
openboxes.oauth2Providers.microsoft.iconClass = fa fa-windows
openboxes.oauth2Providers.microsoft.clientId = 105b80a3-18cf-47c9-98ec-623374cc5412
openboxes.oauth2Providers.microsoft.clientSecret = ********************************
openboxes.oauth2Providers.microsoft.openIdConfigurationUrl=https://login.microsoftonline.com/openboxes.com/.well-known/openid-configuration
openboxes.oauth2Providers.microsoft.scopes = email openid profile
openboxes.oauth2Providers.microsoft.responseType = code
#openboxes.oauth2Providers.microsoft.domainHint =
openboxes.oauth2Providers.microsoft.grantType = authorization_code

# Amazon OAuth Client credentials
openboxes.oauth2Providers.amazon.enabled = false
openboxes.oauth2Providers.amazon.title = Amazon
openboxes.oauth2Providers.amazon.btnClass = btn btn-warning btn-block btn-amazon
openboxes.oauth2Providers.amazon.iconClass = fa fa-amazon
openboxes.oauth2Providers.amazon.clientId = amzn1.application-oa2-client.abd4d68b099b4340a48835a7c49b261b
openboxes.oauth2Providers.amazon.clientSecret = ********************************
openboxes.oauth2Providers.amazon.scopes = openid profile
openboxes.oauth2Providers.amazon.responseType = code
#openboxes.oauth2Providers.amazon.domainHint = 
openboxes.oauth2Providers.amazon.openIdConfiguration.authorization_endpoint = https://www.amazon.com/ap/oa
openboxes.oauth2Providers.amazon.openIdConfiguration.token_endpoint = https://api.amazon.com/auth/O2/token
openboxes.oauth2Providers.amazon.openIdConfiguration.end_session_endpoint =
openboxes.oauth2Providers.amazon.grantType = authorization_code
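As an added example (not code from the OpenBoxes branch above), the callback-side checks that the missing-email problem Justin describes calls for: parse a provider block written in the same `openboxes.oauth2Providers.<name>.<key>` layout as the config above, build the `authorization_code` request, and reject a callback whose ID token claims lack `email` instead of completing registration without it. The Keycloak provider name, realm URL, client id and discovery document are constructed assumptions.

```python
from urllib.parse import urlencode

# Constructed sample in the thread's oauth2Providers key layout; the Keycloak
# provider name, realm URL and client id are assumptions, not OpenBoxes settings.
SAMPLE_PROPERTIES = """
openboxes.oauth2Providers.keycloak.enabled = true
openboxes.oauth2Providers.keycloak.clientId = openboxes
openboxes.oauth2Providers.keycloak.scopes = openid profile email
openboxes.oauth2Providers.keycloak.responseType = code
openboxes.oauth2Providers.keycloak.grantType = authorization_code
openboxes.oauth2Providers.keycloak.redirectUrl = https://openboxes.example/openboxes/openIdConnect/callback/keycloak
openboxes.oauth2Providers.keycloak.openIdConfigurationUrl = https://sso.example/realms/openboxes/.well-known/openid-configuration
"""
# Constructed stand-in for the document the openIdConfigurationUrl above would return.
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example/realms/openboxes",
    "authorization_endpoint": "https://sso.example/realms/openboxes/protocol/openid-connect/auth",
}

def parse_providers(text):
    """Group openboxes.oauth2Providers.<name>.<key> = value lines by provider name."""
    providers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        parts = key.split(".")
        if parts[:2] == ["openboxes", "oauth2Providers"] and len(parts) >= 4:
            providers.setdefault(parts[2], {})[".".join(parts[3:])] = value
    return providers

def build_authorization_url(cfg, discovery, state, nonce):
    """Authorization-code request; state and nonce tie the callback to this login."""
    params = {"response_type": cfg["responseType"], "client_id": cfg["clientId"],
              "redirect_uri": cfg["redirectUrl"], "scope": cfg["scopes"],
              "state": state, "nonce": nonce}
    return discovery["authorization_endpoint"] + "?" + urlencode(params)

def check_id_token_claims(claims, discovery, cfg, nonce):
    """Return the reasons a callback must be rejected (signature check not shown here)."""
    expected = {"iss": discovery["issuer"], "nonce": nonce}
    problems = [f"{k} mismatch" for k, v in expected.items() if claims.get(k) != v]
    aud = claims.get("aud", [])
    if cfg["clientId"] not in ([aud] if isinstance(aud, str) else aud):
        problems.append("aud mismatch")
    # email is the claim the Azure callback stopped sending; refuse rather than guess
    problems += [f"missing {c} claim" for c in ("sub", "email") if not claims.get(c)]
    return problems
```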