Authorizing Users in a Model that Supports OpenID Authentication

The OSLC implementation in Pro Cloud Server supports the OpenID Connect Authorization Code Flow. Authorizing a user has these steps:

  1. The user (through a web browser or client application) sends an authorization request to the Authorization Endpoint of the OpenID Server.
  2. The OpenID Server authenticates the user and redirects them back to the client with an Authorization Code.
  3. The client POSTs the Authorization Code to OSLC using the /oslc/am/login/ call.
  4. OSLC validates the Authorization Code by contacting the OpenID Server.
  5. On successful validation, OSLC returns XML containing the User Authentication Token (among other information) in the XML element 'ss:useridentifier'.

User Authentication Token in a Model that Supports OpenID Authentication

Step 1

Determine the Authorization Endpoint of the OpenID Server by retrieving the Service Provider Resource (using the /oslc/am/sp/ call). If the model supports OpenID Authentication, and Pro Cloud Server is able to contact the OpenID Server, the Authorization Endpoint is given in the oslc:authorizationURI element.

Step 2

From a web browser, send a GET request to the Authorization Endpoint with these URL parameters to authorize the user:

  • response_type (always 'code' for this flow)
  • client_id
  • scope
  • redirect_uri

The authorization request has this format:

<AUTHORIZATION ENDPOINT>?response_type=code&client_id=<CLIENT ID>&scope=<SCOPE>&redirect_uri=<REDIRECT URI>

For example:

http://192.168.1.106:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=WebEA&scope=openid&redirect_uri=http://localhost/openid/callback

Step 3

When the user has authenticated, the OpenID Server redirects the browser to the redirect URI, passing the Authorization Code in the URL parameter 'code'.

For example:

http://localhost/openid/callback?session_state=18f42600&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..yP6Yee4H_4

Step 4

Retrieve the value of the URL parameter 'code' and send it to OSLC by POSTing it to:

URL : <protocol>://<server>/<model_name>/oslc/am/login/

POST Body : sso=openid;code=<AUTHORIZATION CODE>;redirecturi=<REDIRECT URI>

The redirecturi value must be the same redirect_uri that was sent in the authorization request in Step 2; the OpenID Server rejects the code otherwise. For example, the POST Body might be:

sso=openid;code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..yP6Yee4H_4;redirecturi=http://localhost/openid/callback;

Step 5

OSLC validates the Authorization Code by contacting the OpenID Server and, if successful, returns response XML containing a User Authentication Token in the 'ss:useridentifier' element.

Pass this User Authentication Token with every OSLC Resource and Resource Feature Create, Update, Retrieve and Delete request.
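
As an added example (not Sparx Systems code, and not taken from this page), the following Python script walks through Steps 1 to 5 the way a client would: it reads oslc:authorizationURI from the Service Provider Resource, builds the authorization URL, recovers the code from the callback URL, composes the /oslc/am/login/ body and extracts ss:useridentifier from the reply. The sample XML documents, the 'state' parameter (standard OAuth 2.0 CSRF protection that this page does not show), the Content-Type of the login POST and the ss: namespace URI are assumptions. redirect_uri is URL-encoded by the script, which is standard and differs only cosmetically from the unencoded example above.

```python
"""Client-side walk-through of Steps 1 to 5 above (added example, not Sparx code).

Relies only on what the page states: GET <base>/oslc/am/sp/ exposes
oslc:authorizationURI, POST <base>/oslc/am/login/ takes
'sso=openid;code=...;redirecturi=...', and the reply carries the token in
ss:useridentifier. The 'state' parameter, the login POST Content-Type and the
sample XML layouts are assumptions, marked where they appear.
"""
import secrets
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample data, not captured from a live server. The Service Provider
# Resource layout and the ss: namespace URI are assumptions; the page gives only
# the element names oslc:authorizationURI and ss:useridentifier.
SAMPLE_SP_XML = """<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:oslc="http://open-services.net/ns/core#">
  <oslc:ServiceProvider>
    <oslc:authorizationURI>http://192.168.1.106:8080/auth/realms/master/protocol/openid-connect/auth</oslc:authorizationURI>
  </oslc:ServiceProvider>
</rdf:RDF>"""
SAMPLE_CALLBACK = ("http://localhost/openid/callback?session_state=18f42600"
                   "&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..yP6Yee4H_4")
SAMPLE_LOGIN_XML = """<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:ss="urn:example:ss">
  <ss:useridentifier>EXAMPLE-TOKEN-0001</ss:useridentifier>
</rdf:RDF>"""


def find_local(xml_text, local_name):
    """Text of the first element with this local name, whatever its namespace.
    The page names the prefixes (oslc:, ss:) but not their namespace URIs."""
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] == local_name:
            return (elem.text or "").strip()
    raise ValueError(f"no <{local_name}> element in response")


def authorization_endpoint(sp_xml):
    """Step 1: read the Authorization Endpoint from the Service Provider Resource."""
    return find_local(sp_xml, "authorizationURI")


def build_authorization_url(endpoint, client_id, redirect_uri, scope="openid", state=None):
    """Step 2: the URL the browser is sent to. 'state' is the OAuth 2.0 anti-CSRF value
    (assumption: not on the page); only this client checks it, Pro Cloud Server never sees it."""
    params = {"response_type": "code", "client_id": client_id,
              "scope": scope, "redirect_uri": redirect_uri}
    if state:
        params["state"] = state
    return endpoint + "?" + urllib.parse.urlencode(params)


def query_params(url):
    """Flatten a URL's query string to a dict of single values."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}


def code_from_callback(callback_url, expected_state=None):
    """Step 3: pull the Authorization Code out of the redirect URL the browser landed on,
    refusing error responses and callbacks that do not carry the state we issued."""
    q = query_params(callback_url)
    if "error" in q:
        raise PermissionError(f"authorization failed: {q['error']}")
    if expected_state is not None and q.get("state") != expected_state:
        raise PermissionError("state mismatch: callback does not belong to our request")
    if "code" not in q:
        raise ValueError("callback carries no 'code' parameter")
    return q["code"]


def login_body(code, redirect_uri):
    """Step 4: the semicolon-separated POST body documented above. redirecturi must equal
    the redirect_uri used in Step 2, or the OpenID Server rejects the code."""
    return f"sso=openid;code={code};redirecturi={redirect_uri}"


def user_token(login_xml):
    """Step 5: the User Authentication Token is the text of ss:useridentifier."""
    return find_local(login_xml, "useridentifier")


def login(base_url, client_id, redirect_uri, open_browser=print, read_callback=input):
    """Steps 1 to 5 against a live Pro Cloud Server; base_url is <protocol>://<server>/<model_name>.
    The Content-Type of the login POST is not stated on the page; text/plain is an assumption."""
    with urllib.request.urlopen(base_url + "/oslc/am/sp/") as resp:
        endpoint = authorization_endpoint(resp.read().decode())
    state = secrets.token_urlsafe(16)
    open_browser(build_authorization_url(endpoint, client_id, redirect_uri, state=state))
    code = code_from_callback(read_callback("Paste the URL the browser was redirected to: "),
                              expected_state=state)
    req = urllib.request.Request(base_url + "/oslc/am/login/", method="POST",
                                 data=login_body(code, redirect_uri).encode(),
                                 headers={"Content-Type": "text/plain"})
    with urllib.request.urlopen(req) as resp:      # Pro Cloud Server verifies the code
        return user_token(resp.read().decode())   # with the OpenID Server before replying
```

The pure functions run offline against the constructed samples; login() performs the same steps against a live server and asks for the callback URL to be pasted back, which is how a command-line client without its own HTTP listener completes the browser hop. Checking 'state' on the callback is what stops an attacker from making the client exchange a code that was issued for someone else's session.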

Notes

  • This facility is available in the Enterprise Architect Pro Cloud Server Small Business Edition, Team Server Edition and Enterprise Server Edition, under Enterprise Architect Release 13.5 or higher
  • On a security-enabled model, Pro Cloud Server will not process an OSLC request unless the User Authentication Token is passed in with the request
  • In a security-enabled model, after 30 minutes of inactivity you are automatically logged out; you will have to log in again by repeating the steps above and POSTing a fresh Authorization Code to the /oslc/am/login/ call
  • In the Authorization Endpoint GET request, the values for the URL parameters 'client_id', 'scope' and 'redirect_uri' are defined in the OpenID Server's configuration for the client; the redirect_uri must match a redirect URI registered there, or the OpenID Server will refuse the request
  • The Authorization Code and the User Authentication Token are bearer secrets: whoever holds them can act as the user. The examples above use plain http for brevity; in production, both Pro Cloud Server and the redirect URI should be served over HTTPS
