Access Control - OAuth 2.0
This extension will allow you to use OAuth2 integration for authentication in Axon Server. User accounts and roles from the OAuth provider are not synchronized to the Axon Server cluster, because no roles are associated with them. This means an account needs to be made in the cluster with the username from the provider, and roles assigned.
To install the OAuth Extension, you need to unpack the distribution ZIP-file, so the JAR files are in the "
exts" subdirectory of the working directory of Axon Server:
$ mkdir exts
$ unzip -j axon-server-extension-oauth-4.5-SNAPSHOT-bin.zip -d exts
Note that the actual version numbers may differ in your case.
The options used are:
axoniq.axonserver.accesscontrol.enabledThis must be set to "
true" to enable access control.
axoniq.axonserver.enterprise.oauth2.enabledThis must be set to "
true" to enable the OAuth extension.
axoniq.axonserver.enterprise.oauth2.modeSet this value to "
oidc" to use the generic OpenID Connect integration. The OpenID Connect integration is known to work with KeyCloak server.
For authentication using Google Apps accounts, you'll can use the following properties:
axoniq.axonserver.enterprise.oauth2.authorization-uriThis optional value can be used to configure the URI that will trigger the authentication using OAuth2. The default value is "
/oauth2/authorization" and should work fine.
spring.security.oauth2.client.registration.google.client-idThis should be set to the client-id provided by the Google Developer Console where you registered the cluster.
spring.security.oauth2.client.registration.google.client-secretThis should be set to the secret provided by the Google Developer Console where you registered the cluster.
spring.security.oauth2.client.registration.google.scopeThis setting is used to configure what information Google should share with the Axon Server cluster. A good value to use is "
axoniq.axonserver.enterprise.oauth2.username-map.googleThis setting tells the extension what value to use as username and requires that this value is provided by Google using the "
scope" setting described above. If the email address is to be used, as suggested above, the value should be "
axoniq.axonserver.enterprise.oauth2.request-paramsThis setting defines a map of parameters to add to the redirect URL, to customize the behavior of the provider's integration. For Google, if the users use the same browser with multiple Google accounts, a good setting to add is "
prompt", with value "
select_account":axoniq.axonserver.enterprise.oauth2.request-params.prompt=select_accountThis will force Google to always ask which account must be used to continue, even if there is only a single account in use, and that account is currently active.
axoniq.axonserver.enterprise.oauth2.forceOidcLogoutSetting this property to "
true" will ensure that, when the user logs out from the Axon Server UI, a logout request will also be sent to KeyCloak. If set to "
false" (the default), the user will still have a valid session in KeyCloak, and a subsequent login attempt using the same browser window may immediately succeed, without a prompt for a password. Naturally this is dependent on session validity settings within KeyCloak.
spring.security.oauth2.client.registration.oidcclient.client-idThis should be set to the client ID configured for Axon Server.
spring.security.oauth2.client.registration.oidcclient.client-secretThis should be set to the client secret configured for Axon Server.
spring.security.oauth2.client.registration.oidcclient.client-nameThis should be set to the client name configured for Axon Server.
spring.security.oauth2.client.registration.oidcclient.providerThis should be set to the value "
spring.security.oauth2.client.registration.oidcclient.scopeThis should be set to a (comma separated) list of the information that needs to be shared, typically "
spring.security.oauth2.client.provider.keycloak.issuer-uriThis should be set to the realm's URL on KeyCloak. For example, if the realm is named "
test-realm" and KeyCloak is exposed at "
http://keycloak-test:8090", then the value is "
axoniq.axonserver.enterprise.oauth2.username-map.oidcclientThis setting tells the extension what value to use as username. The suggested value is "
username", which refers to that value from the "
profile" scope. Alternatively, just as with the Google Apps integration mentioned above, you can use "
If a username is unknown in the Axon Server cluster, even when authentication succeeds, the user will not be allowed to log in. To allow this, a user with "
ADMIN" level access needs to create a user, optionally without a password, and assign the roles for this user. The Axon Server CLI has a special options ("
--no-password") to allow the creation of accounts without a password. Note that if you create an account with a password, this will allow the user to choose to use that as well as the OAuth integration.