Keycloak supports all the standards of MFA and SSO. User can choose (or be forced to user) Authenticator app, hardware token or email code, etc.

Important

Old download plans and uploaded software without owner will be deleted. The affected records were created by older version of PDM.control created up to end of year 2020.

PM decided to not migrate disabled users. This may result dead objects in database. See chapter Dead objects in database for more details.

Please note that login names of migrated uses may be changed if they contains invalid characters for Keycloak. Such a characters are for example @ and <space> `. They will be replaced by `_ character.

Keycloak setup

Install and configure Keycloak server. Set properties of your instance like it is shown in the example below.

Example of Keycloak configuration for PDM.control
pcon:
  keycloak:
    url: https://auth.pdm-dev.de
    realm: pdm-dev
    ui-client-id: pdm-dev-ng
    backend-client-id: internal-backend-client
    backend-client-secret: "the secret"

Dead objects in database

Generally if there is user removed from Keycloak related objects stays in the database but they are not reachable from user interface. Such objects may perform some actions if they are not removed from database. It is probably necessary to remove them or re-assign to another user.

Affected objects are for example:

  • forwarding rules

  • remote actions

  • bonus disposables

  • download plans

  • software descriptions

It is difficult to find such an objects later. Maybe we need some report to find such objects.

PM clarification is needed.

How to remove initially dead objects from database

After initial migration some objects may became dead because their owners were not migrated. Such an objects are marked by user ID 00000000-0000-0000-0000-000000000000. Some objects from tables

  • forwarding_rule

  • remote_action

  • bonus_disposable

  • download_plan

  • software_description

may contain references to users which were not migrated. Such objects are not reachable any more from user interface but they still may perform some action. You can find them using following SQL queries:

SELECT * FROM control.forwarding_rule WHERE fwr_kc_user_id = '00000000-0000-0000-0000-000000000000'::uuid;
SELECT * FROM control.remote_action  WHERE kc_user_id = '00000000-0000-0000-0000-000000000000'::uuid;
SELECT * FROM control.bonus_disposable WHERE kc_user_id = '00000000-0000-0000-0000-000000000000'::uuid;
SELECT * FROM control.download_plan WHERE dwp_modified_by_kc_user_id = '00000000-0000-0000-0000-000000000000'::uuid;
SELECT * FROM control.software_description WHERE swd_author_kc_user_id = '00000000-0000-0000-0000-000000000000'::uuid;

Convert query to delete statement to remove such records from database if needed.

Add configuration to access Keycloak Internal Client for PDM.control

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: "https://auth.pdm-dev.de/realms/pdm-dev" (1)
      client:
        registration:
          internal-backend-service: # Your unique ID for this client
            client-id: "internal-backend-client" (2)
            client-secret: "qP1Xih86TZb5p3EYaPT65ohyDPzYu0SB" (3)
            authorization-grant-type: client_credentials (4)
            scope: "openid" #"read,write" # Scopes required by the target API
        provider:
          internal-backend-service:
            token-uri: "https://auth.pdm-dev.de/realms/pdm-dev/protocol/openid-connect/token"

  1. Replace pdm-dev with your Keycloak realm name

  2. Client ID registered in Keycloak

  3. Client Secret generated in Keycloak

  4. Authorization grant type for client credentials flow

    • client_credentials

      • What it is: A "machine-to-machine" flow.

      • The Flow: There is no "user" involved. The application sends its client-id and client-secret directly to get a token.

      • Best for: Background tasks, cron jobs, or microservices talking to other microservices.

    • authorization_code

      • What it is: The most common and secure flow for web applications.

      • The Flow: The user is redirected to the provider (e.g., GitHub), logs in, and is sent back to your app with a temporary code. The app then exchanges that code for an access token.

      • Best for: Standard web apps where the user is present.

    • password (Resource Owner Password Credentials)

      • What it is: The user gives their username and password directly to the app.

    • The Catch: This is deprecated. It’s considered a security risk because your application handles the user’s actual password. Best for: Highly trusted legacy applications only.