[Feature]: Support OpenId Connect Identity Provider

[raffaeler]

Feature request

I see from the tests and from this issue that DAB already supports JWT authentication and authorization, but I was not able to find any configuration detail for that.

This is a feature request requiring two consecutive steps:

1. Provide documentation on how to specify the client secret and the other configuration details to spend a JWT token created by an external Identity Provider
2. Provide extended support for OpenId Connect standard (which is well supported in .NET) so that all the configuration details can be inherited from the metadata endpoint of the Identity Provider supporting OpenId Connect.

The ultimate goal is to make DAB nicely play with Keycloak Identity Provider in container. Keycloak supports federation to external Identity Providers and allows to transform the claimset coming from external IPs making easier to add any cloud provider like Microsoft, Cognito, Google, GitHub, etc.

Version

1.1.7

What database are you using?

Azure SQL

What hosting model are you using?

Local (including CLI), Custom Docker host

Which API approach are you accessing DAB through?

REST, GraphQL

Relevant log output

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[seantleonard]

Thank you for your feedback, @raffaeler

Can you provide more details about the end-to-end workflow you want DAB to support?

• Is your intention that DAB reach out to Keycloak for validating any JWT tokens supplied to DAB? If so, this config shows how you configure DAB's IssuerURI (to retrieve signing keys, etc), and specify the client ID : https://learn.microsoft.com/azure/data-api-builder/reference-configuration#json-web-tokens-host-runtime

{
  "runtime": {
    "host": {
      "authentication": {
        "jwt": {
          "audience": "<string>",
          "issuer": "<string>"
        }
      }
    }
  }
}

• Or your intention for DAB to validate any tokens minted by the list of providers: "Microsoft, Cognito, Google, GitHub, etc."
  • If so, the request seems related to Determine Social Provider Login Support (Facebook, Google) with StaticWebApps & App Service #719 which is on the backlog.

[raffaeler]

Thanks for your answer @seantleonard

For the first step, I just need to validate the JWT. I already knew the web page you linked but I am not familiar with Azure Static Web Apps. I recognize the "runtime", "host" and "authentication" sections but I am not sure where I should save the config file when I run dab (or when starting it in a container).
In traditional asp.net core apps, when I configure the webapi to use JWT auth, I usually use the client secret to validate the token. Let me understand this other flow please.

For the step 2, I need to authenticate the developer accessing the data interactively. This includes the swagger and graphql pages.
In this case, the OpenId Connect support would open to any modern IP.
Just to be clear, I don't want dab to directly redirect to external providers like Microsoft, Cognito, Google and GitHub. I need to pass through Keycloak because it gives me the ability to "refactor" the claims which are different on each provider. It also gives me the ability to use KC APIs for administrative purposes and much more.

Thanks

[rodwin]

I am exactly looking for the same information on how to integrate other identity provider like keycloak

[raffaeler]

@seantleonard Could you please tell me whether point 1 of my original message is already doable?
I don't see any mention in the code to the client secret to make DAB decode the JWT and evaluate the claims.
Thanks!

[theo-auffeuvre]

I am very interessed about this feature too !
(@raffaeler did you find a work around ?)

[raffaeler]

@theo-auffeuvre unfortunately not and unfortunately this is one of the two issues that blocked us to use this great tool

[rgn]

@rodwin, @raffaeler, @theo-auffeuvre It is possible to use Keycloak as IDP with data api builder with two small changes to the code. This change is related to some quicks with asp.net and Keycloak.

I've forked this repo and created a branch with the changes. Feel free to take a look: https://github.com/rgn/data-api-builder/tree/feature/support-keycloak

DISCLAIMER: this will not work with the original version!

1. Your dab-config.json should be like this when using that specific version of dab api builder:

{
  "$schema": "https://github.com/Azure/data-api-builder/releases/download/v1.4.26/dab.draft.schema.json",
  "data-source": {
      ...
    }
  },
  "runtime": {
    ...
    "host": {
      ...
      "authentication": {
        "provider": "AzureAD",
        "jwt": {
          "issuer": "<your-realm>", // e.g. http://localhost:3255/realms/my-realm
          "audience": "<audience>", // e.g. account
          "metadatadddress": "<url to well-known>" // http://localhost:3255/realms/my-realm/.well-known/openid-configuration
        }
      },
      "mode": "production"
    }
  },

I re-used AzureAD because it was not that straight forward to introduce another provider. Reason to this is there are static strings checking from AzureAD and EntraID.

2. Additionally you need to change the configuration within Keycloak.

Login to Keycloak > Select your realm >

2.1) Add role(s) according to you configuration e.g. administrator
2.2) Map role(s) to group(s) or user(s)
2.3) Client Scopes > roles > Mappers > (either select realm or client roles, however you manage your roles)

Example

Change Token Claim Name to roles (should be realm_access.roles)

2.4) If you navigate to your Client > Client Scopes > Evaluate, select a user and open Generate access token

{
...
"roles": [
  "administrator",
  ...
],
...
}