diff --git a/schemas/gateway-schema.json b/schemas/gateway-schema.json
index f5774eb6f0..2dcf5b9492 100644
--- a/schemas/gateway-schema.json
+++ b/schemas/gateway-schema.json
@@ -364,6 +364,57 @@
}
}
]
+ },
+ "oidc": {
+ "type": "object",
+ "description": "OIDC configuration.",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "Enable authentication with OIDC token.",
+ "default": false
+ },
+ "registry": {
+ "type": "string",
+ "description": "Registry name."
+ },
+ "jwks": {
+ "type": "object",
+ "description": "JWKS configuration",
+ "properties": {
+ "uri": {
+ "type": "string",
+ "description": "JWK set URL for OIDC token validation."
+ },
+ "refreshInternalHours": {
+ "type": "integer",
+ "description": "How often are JWKs renewed.",
+ "default": 1
+ }
+ }
+ },
+ "userInfo": {
+ "type": "object",
+ "description": "OIDC user info endpoint configuration",
+ "properties": {
+ "uri": {
+ "type": "string",
+ "description": "OIDC user info endpoint URL."
+ }
+ }
+ },
+ "validationType": {
+ "type": "string",
+ "description": "How OIDC token is validated.",
+ "enum": ["JWK","endpoint"],
+ "default": "JWK"
+ }
+ }
+ },
+ "allowtokenrefresh": {
+ "type": "boolean",
+ "description": "Allow JWT to refresh.",
+ "default": false
}
}
},
diff --git a/zaas-package/src/main/resources/bin/start.sh b/zaas-package/src/main/resources/bin/start.sh
index c9a08e2db7..2bfe0b506d 100755
--- a/zaas-package/src/main/resources/bin/start.sh
+++ b/zaas-package/src/main/resources/bin/start.sh
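Review bot: The new `jwks` property key `refreshInternalHours` reads like a typo for `refreshIntervalHours` — its description is "How often are JWKs renewed" and the provider field exercised in the test hunk is `jwkRefreshInterval` — so if the application binds the interval under the intended spelling, the schema would document and validate a key nothing reads and the misspelling would propagate into operator configs. The `oidc` object also sets no `"additionalProperties": false`, so a configuration that still carries the `clientId`/`clientSecret` keys this commit removes from start.sh and OIDCTokenProviderJWK is accepted silently; rejecting unknown keys there would surface stale secrets in config at validation time rather than leaving them to be ignored. I would also tighten the endpoint strings, `"uri": { "type": "string", "format": "uri", ... }` for both `jwks.uri` and `userInfo.uri`, and give the interval `"minimum": 1`, since a zero or negative refresh period has no meaning under the stated description. Finally `allowtokenrefresh` breaks the camelCase used by its siblings (`validationType`, `userInfo`); if the property name is not already consumed elsewhere, `allowTokenRefresh` would be the consistent spelling.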
@@ -344,8 +344,6 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${ZAAS_CODE} ${JAVA_BIN_DIR}java \
-Dapiml.security.authorization.resourceNamePrefix=${ZWE_configs_apiml_security_authorization_resourceNamePrefix:-${ZWE_components_gateway_apiml_security_authorization_resourceNamePrefix:-APIML.}} \
-Dapiml.security.zosmf.applid=${ZWE_configs_apiml_security_zosmf_applid:-${ZWE_components_gateway_apiml_security_zosmf_applid:-IZUDFLT}} \
-Dapiml.security.oidc.enabled=${ZWE_configs_apiml_security_oidc_enabled:-${ZWE_components_gateway_apiml_security_oidc_enabled:-false}} \
- -Dapiml.security.oidc.clientId=${ZWE_configs_apiml_security_oidc_clientId:-${ZWE_components_gateway_apiml_security_oidc_clientId:-}} \
- -Dapiml.security.oidc.clientSecret=${ZWE_configs_apiml_security_oidc_clientSecret:-${ZWE_components_gateway_apiml_security_oidc_clientSecret:-}} \
-Dapiml.security.oidc.registry=${ZWE_configs_apiml_security_oidc_registry:-${ZWE_components_gateway_apiml_security_oidc_registry:-}} \
-Dapiml.security.oidc.identityMapperUrl=${ZWE_configs_apiml_security_oidc_identityMapperUrl:-${ZWE_components_gateway_apiml_security_oidc_identityMapperUrl:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/certificate/dn"}} \
-Dapiml.security.oidc.identityMapperUser=${ZWE_configs_apiml_security_oidc_identityMapperUser:-${ZWE_components_gateway_apiml_security_oidc_identityMapperUser:-${ZWE_zowe_setup_security_users_zowe:-ZWESVUSR}}} \
diff --git a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java
index dd1aedd243..31e60fa203 100644
--- a/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java
+++ b/zaas-service/src/main/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWK.java
@@ -58,12 +58,6 @@ public class OIDCTokenProviderJWK implements OIDCProvider {
@Value("${apiml.security.oidc.registry:}")
String registry;
- @Value("${apiml.security.oidc.clientId:}")
- String clientId;
-
- @Value("${apiml.security.oidc.clientSecret:}")
- String clientSecret;
-
@Value("${apiml.security.oidc.jwks.uri}")
private String jwksUri;
diff --git a/zaas-service/src/test/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWKTest.java b/zaas-service/src/test/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWKTest.java
index 9bd164b3f2..55399ac62a 100644
--- a/zaas-service/src/test/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWKTest.java
+++ b/zaas-service/src/test/java/org/zowe/apiml/zaas/security/service/token/OIDCTokenProviderJWKTest.java
@@ -19,9 +19,6 @@
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
-import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.EmptySource;
-import org.junit.jupiter.params.provider.NullSource;
import org.mockito.MockedStatic;
import org.mockito.Mockito;
import org.mockito.junit.jupiter.MockitoExtension;
@@ -59,8 +56,6 @@ void setup() throws CachingServiceClientException {
oidcTokenProviderJwk = new OIDCTokenProviderJWK(new DefaultClock());
ReflectionTestUtils.setField(oidcTokenProviderJwk, "jwkRefreshInterval", 1);
ReflectionTestUtils.setField(oidcTokenProviderJwk, "jwksUri", "https://jwksurl");
- oidcTokenProviderJwk.clientId = "client_id";
- oidcTokenProviderJwk.clientSecret = "client_secret";
}
@Nested
@@ -164,26 +159,6 @@ void whenTokenIsEmpty_thenReturnInvalid() {
}
}
- @Nested
- class GivenInvalidConfiguration {
-
- @ParameterizedTest
- @NullSource
- @EmptySource
- void whenInvalidClientId_thenReturnInvalid(String id) {
- oidcTokenProviderJwk.clientId = id;
- assertFalse(oidcTokenProviderJwk.isValid(TOKEN));
- }
-
- @ParameterizedTest
- @NullSource
- @EmptySource
- void whenInvalidClientSecret_thenReturnInvalid(String secret) {
- oidcTokenProviderJwk.clientSecret = secret;
- assertFalse(oidcTokenProviderJwk.isValid(TOKEN));
- }
- }
-
@Nested
class JwksUriLoad {