[JOC-1525] Add support for OIDC authentication with Microsoft Azure - SOS JIRA

XML

Word

Printable

Current Situation

JOC Cockpit supports OIDC authentication. This protocol has been tested for example with the Keycloak Identity Provider.
For a number of other OIDC identity Providers including Azure this does not work as they do not return the expected object and property with their response:
- JOC Cockpit expects the claims_supported object to be available.
- In this objects one of the properties username or email is used.
As a result a user can authenticate but the name of the Azure account is not mapped to a JOC Cockpit account. Therefore the user is not assigned a role and permissions.

Desired Behavior

The following strategy is applied to identify the attribute used to map to the JOC Cockpit account:
- the URL https://<identity-provider>/.well-known/openid-configuration is called.
- the response is checked for the object claims_supported
  - if not available or empty then the email attribute will be used
  - if available and if it includes the preferred_username attribute then this attribute will be used.
- if no attribute has been identified then the email attribute is used.
For OIDC Settings the JOC Cockpit offers to add the name of the expected attribute.

Note

Workaround

A patch is available for use with JOC Cockpit 2.5.1 and 2.5.2
Download https://download.sos-berlin.com/patches/2.5.2-patch/patch-20230323-JOC-1525.2.5.2.jar
Find instructions how to apply the patch from JS7 - Patches for JOC Cockpit