{"type":"doc","content":[{"type":"paragraph","content":[{"text":"There is a possibility to choose between two login types.","type":"text"}]},{"type":"paragraph","content":[{"text":"With token login, the user must request an access token from the authentication server. With this token he can then request the CMIS interface.","type":"text"}]},{"type":"paragraph","content":[{"text":"In case of basic login the user requests the CMIS interface with username and password and the CMIS interface then generates an Access Token with these credentials at the authentication server.","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Please make sure that the issued access token provides the claim \"preferred_username\" at the authentication server. This is required for authentication against the CMIS interface.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"token","type":"text"}]},{"type":"paragraph","content":[{"text":"If you have decided to use the token authentication you have to configure an ","type":"text"},{"text":".audience","type":"text","marks":[{"type":"em"}]},{"text":" and a ","type":"text"},{"text":".discovery.url","type":"text","marks":[{"type":"em"}]},{"text":" parameter in the repositoy.cfg.","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":".audience","type":"text","marks":[{"type":"em"}]},{"text":" defines the resource identifier. The requested token must provide this predefined identifier so that the CMIS interface can validate access to its resources.","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":".discovery.url","type":"text","marks":[{"type":"em"}]},{"text":" defines the location of the openid configuration of the authentication server. This endpoint always ends with “/.well-known/openid-configuration“. However, the exact URL must be looked up per authentication server.","type":"text"}]},{"type":"codeBlock","content":[{"text":".authentication.cmis.type = token\n.authentication.cmis.idprovider = openid\n.authentication.cmis.openid.audience = api://cmis\n.authentication.cmis.openid.discovery.url = http://localhost:8080/realms/test/.well-known/openid-configuration","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"basic","type":"text"}]},{"type":"paragraph","content":[{"text":"The configurations described under ","type":"text"},{"text":"token ","type":"text","marks":[{"type":"strong"}]},{"text":"must also be made for basic.","type":"text"}]},{"type":"paragraph","content":[{"text":"Additionally ","type":"text"},{"text":".scope","type":"text","marks":[{"type":"em"}]},{"text":", ","type":"text"},{"text":".client","type":"text","marks":[{"type":"em"}]},{"text":" and ","type":"text"},{"text":".clientsecret","type":"text","marks":[{"type":"em"}]},{"text":" have to be configured.","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":".scope","type":"text","marks":[{"type":"em"}]},{"text":" specifies for which functions the token is to be issued by the authentication server. In our case, the scope must ensure that the authentication server issues our predefined ","type":"text"},{"text":".audience","type":"text","marks":[{"type":"em"}]},{"text":". If the issued token does not have this audience, the token will be rejected by our CMIS interface.","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":".client","type":"text","marks":[{"type":"em"}]},{"text":" and ","type":"text"},{"text":".clientsecret","type":"text","marks":[{"type":"em"}]},{"text":" are basically username and password for authentication to the authentication server. This informations must be read at the authentication server.","type":"text"}]},{"type":"codeBlock","content":[{"text":".authentication.cmis.type = basic\n.authentication.cmis.idprovider = openid\n.authentication.cmis.openid.audience = api://cmis\n.authentication.cmis.openid.discovery.url = http://localhost:8080/realms/test/.well-known/openid-configuration\n.authentication.cmis.openid.scope = openid\n.authentication.cmis.openid.client = test\n.authentication.cmis.openid.clientsecret = ETOCuq6c7RjEBwVqrGSDJ2LU4pH4iQbC","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"role mapping","type":"text"}]},{"type":"paragraph","content":[{"text":"Both variants support the mapping of roles, i.e. mapping the currently three internal role names to the actually used roles names in the auth system.","type":"text"}]},{"type":"codeBlock","content":[{"text":".authentication.cmis.openid.roles.admin = tia-cloud.core-fullaccess\n.authentication.cmis.openid.roles.writer = tia-cloud.core-readwrite\n.authentication.cmis.openid.roles.reader = tia-cloud.core-readonly","type":"text"}]}],"version":1}

Browser not supported