OpenID configuration - tokenseckey (tC)
With tokenseckey login, the user must request an access token from the authentication server. With this token the user can then call the CMIS interface. When SAP opens the document in an external browser, SAP removes the token from the request and instead opens a generated CMIS URL that carries a seckey and an expiration date.
Please make sure that the access token issued by the authentication server provides the claim "preferred_username". This claim is required for authentication against the CMIS interface.
tokenseckey
If you have decided to use tokenseckey authentication, you have to configure the .audience and the .discovery.url parameters in repository.cfg.
The .audience defines the resource identifier. The requested token must carry this identifier as its audience so that the CMIS interface can validate that the token was issued for its resources.
The .discovery.url defines the location of the OpenID configuration document of the authentication server. This endpoint always ends with "/.well-known/openid-configuration"; the exact URL, however, must be looked up per authentication server.
<Repo>.authentication.cmis.type = tokenseckey
<Repo>.authentication.cmis.idprovider = openid
<Repo>.authentication.cmis.openid.audience = api://cmis
<Repo>.authentication.cmis.openid.discovery.url = http://localhost:8080/realms/test/.well-known/openid-configuration
role mapping
tokenseckey supports role mapping, i.e. mapping the (currently three) internal role names to the role names actually used in the authentication system.
Be aware that this does not apply to requests (getContentStream) that are opened in an external browser.
<Repo>.authentication.cmis.openid.roles.admin = tia-cloud.core-fullaccess
<Repo>.authentication.cmis.openid.roles.writer = tia-cloud.core-readwrite
<Repo>.authentication.cmis.openid.roles.reader = tia-cloud.core-readonly
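The settings above and the token checks they imply, as an added example (not the connector's own code): it assumes a repository named "DMS", a "roles" claim carrying the auth system's role names, and that the token signature has already been verified with the keys published via the discovery URL.

```python
# Added example (not the connector's own code): parse the tokenseckey settings
# from repository.cfg-style lines, check the claims the CMIS interface needs, and
# map the auth system's role names to the three internal roles. Assumptions: the
# repository is named "DMS", token roles sit in a "roles" claim, and the token's
# signature was already verified with the keys published via the discovery URL.

# Constructed config fragment using the keys shown on this page
CFG_TEXT = """
DMS.authentication.cmis.type = tokenseckey
DMS.authentication.cmis.idprovider = openid
DMS.authentication.cmis.openid.audience = api://cmis
DMS.authentication.cmis.openid.discovery.url = http://localhost:8080/realms/test/.well-known/openid-configuration
DMS.authentication.cmis.openid.roles.admin = tia-cloud.core-fullaccess
DMS.authentication.cmis.openid.roles.writer = tia-cloud.core-readwrite
DMS.authentication.cmis.openid.roles.reader = tia-cloud.core-readonly
"""

INTERNAL_ROLES = ("admin", "writer", "reader")  # the three internal role names


def parse_cfg(text, repo):
    """Return <repo>'s openid settings keyed by the part after
    '<repo>.authentication.cmis.openid.' (e.g. 'audience', 'roles.admin')."""
    prefix = f"{repo}.authentication.cmis.openid."
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith(prefix):
            cfg[key.strip()[len(prefix):]] = value.strip()
    return cfg


def check_claims(payload, cfg):
    """Validate a decoded token payload; returns (ok, reason).
    'aud' may be a single string or a list of strings (RFC 7519)."""
    aud = payload.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if cfg.get("audience") not in audiences:
        return False, "audience mismatch"  # token not issued for this resource
    if not payload.get("preferred_username"):
        return False, "missing preferred_username"  # needed to identify the user
    return True, "ok"


def map_roles(payload, cfg, roles_claim="roles"):
    """Map the auth system's role names in the token to internal role names,
    using the roles.<internal> entries of the config; unknown roles are dropped."""
    ext_to_int = {cfg[f"roles.{r}"]: r for r in INTERNAL_ROLES if f"roles.{r}" in cfg}
    return sorted({ext_to_int[x] for x in payload.get(roles_claim, []) if x in ext_to_int})
```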