Details
- Feature
- Status: Released
- Major
- Resolution: Fixed
Description
Current Situation
- JOC Cockpit supports a number of Identity Service Providers including LDAP, Vault and Keycloak.
Feature
- JOC Cockpit offers native support for OIDC authentication with a new Identity Service:
- Users register JOC Cockpit with their preferred authentication service that supports OIDC.
- The JOC Cockpit GUI implements OIDC-based authentication.
- The JOC Cockpit Web Services verify authentication according to the OIDC protocol.
- OIDC support includes authentication, not authorization.
- Assignment of roles to users is performed with JOC Cockpit as there is no reason to trust authentication servers to securely assign policies (roles) to users.
- Users without a role assignment in JOC Cockpit can log in but cannot perform any operation in the GUI/Web Services.
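As an added illustration (not part of this issue or of the JOC Cockpit code base), the following Python sketch shows the split described above: the Web Service side verifies an OIDC ID token (alg, signature, iss, aud, exp, nonce) and then takes the user's roles from a local table, ignoring any role claim the token may carry. CLIENT_ID, CLIENT_SECRET, ISSUER and LOCAL_ROLES are constructed values; the token uses HS256 with the client secret, which OIDC permits for ID tokens, whereas a provider signing with RS256 would require fetching its published keys instead.

```python
import base64, hashlib, hmac, json

# Constructed sample configuration (assumed names, not JOC Cockpit settings).
CLIENT_ID = "joc-cockpit"
CLIENT_SECRET = b"constructed-client-secret"  # HMAC key; OIDC permits HS256 with the client secret
ISSUER = "https://idp.example.test"
# Role assignment lives in JOC Cockpit; the provider is trusted for identity only.
LOCAL_ROLES = {"alice": ["administrator"], "bob": []}


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_id_token(claims, key=CLIENT_SECRET):
    """Build a constructed HS256 ID token standing in for what the provider would issue."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_id_token(token, expected_nonce, now):
    """Authenticate only: check alg, signature, iss, aud, exp and nonce; raise on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not three parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects 'none' and any alg not registered for this client
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims


def login(token, expected_nonce, now):
    """OIDC answers who the user is; roles come from the local table, never from token claims."""
    user = verify_id_token(token, expected_nonce, now)["sub"]
    return {"user": user, "roles": LOCAL_ROLES.get(user, [])}
```

A user the provider authenticates but who has no entry in LOCAL_ROLES ends up with an empty role list, matching the behaviour described above.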
Maintainer Note
- This feature follows the KISS principle and by design is limited to OIDC with no support for OAuth 2.0.
- OAuth 2.0 offers too wide an attack surface because of its extended session management and authorization capabilities, which are not required for JOC Cockpit.