# RMP Zahlz/Q1 - Vertical Prototype Authentication

## IAM Configuration

The Keycloak IAM configuration is added to the `dkv` realm as client `zahlz-client` with the following settings, regardless of the deployment stage:

* Client Protocol: openid-connect
* Client Template: dkvcard-mappers
* Access Type: confidential
* Implicit Flow Enabled: On
* Valid Redirect URI: *
* Inherit Template Mappers: On
* Inherited Mappers: scope-mapper with Hardcoded Claim `scope` having a JSON string value of `dkvcard`

## API

TODO

### Authentication

Authentication follows the OAuth2 Authorization Code Flow and results in an authorization code, an access token and a refresh token. The endpoints for obtaining those per stage are:

Stage | Auth endpoint | Token endpoint
-|-|-
DEV|https://your-dev.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/auth|https://your-dev.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/token
TEST|https://your-test.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/auth|https://your-test.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/token
PREPROD|https://your-preprod.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/auth|https://your-preprod.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/token
PROD|https://your.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/auth|https://your.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/token

## Token structure

```json
{
  "jti": "045d6923-0be5-4acf-8849-8824c9693530",
  "exp": 1589296421,
  "nbf": 0,
  "iat": 1589296121,
  "iss": "https://your-test.dkv-euroservice.com/auth/realms/dkv",
  "aud": "zahlz-client",
  "sub": "f:13a76da3-d23f-4204-864f-5c5c39493eb7:10560",
  "typ": "Bearer",
  "azp": "zahlz-client",
  "nonce": "32725e0b-cd92-43ea-aa4d-5893610cc45a",
  "auth_time": 1589295953,
  "session_state": "39d5fd47-4cfe-4cf9-a2ab-9cbdfc5dd653",
  "acr": "0",
  "allowed-origins": [],
  "resource_access": {
    "zahlz-client": {
      "roles": [
        "DKV_TEAM_FUEL", "DKV_EREPORTING_PREMIUM", "DKV_TRANSLATION_MANAGER_ADMIN",
        "DKV_WS_POOL_PRICES_SOURCE", "DKV_COCKPIT_ESERVICES_VIEW", "DKV_COCKPIT_REFUND_VIEW",
        "DKV_COCKPIT_ADMIN", "DKV_WS_POOL_UNPUBLISHED_DATA", "DKV_ESERVICES_ADMIN",
        "DKV_COCKPIT_INVOICE_CONFIG", "DKV_COCKPIT_TOLL_VIEW", "DKV_EMOBILITY",
        "DKV_WS_POOL_PRICES", "DKV_TISPL_TICKET_ADMIN", "DKV_EREPORTING_ADMIN",
        "DKV_TEAM_ESERVICES_POI", "DKV_CUSTOMER_MULTI_USER_SELECT", "DKV_EREPORTING",
        "DKV_TRANSLATION_MANAGER_ADVANCED", "DKV_COCKPIT_ESERVICES_CONFIG", "DKV_WEB_ADMIN",
        "DKV_COCKPIT_TOLL_ADMIN", "DKV_WS_POOL", "DKV_COCKPIT_CUSTOMER_LIMIT_CONFIG",
        "DKV_TRANSLATION_MANAGER", "DKV_WIT_CAMPAIGN_ADMIN", "DKV_COCKPIT_TOLL_CONFIG",
        "DKV_DEVELOPER", "DKV_COCKPIT_INV_ADMIN", "DKV_COCKPIT_CARDS_CONFIG",
        "DKV_COCKPIT_ADMINISTRATION_CONFIG", "DKV_EMPLOYEE", "DKV_PARTNERS_ADMIN",
        "DKV_WIT_CAMPAIGN", "DKV_COCKPIT_INVOICE_EINVOICE", "DKV_COCKPIT_INVOICE_VIEW",
        "DKV_CUSTOMER_GLOBAL", "DKV_COCKPIT_CARDS_VIEW", "DKV_COCKPIT_ADMINISTRATION_VIEW"
      ]
    }
  },
  "scope": "dkvcard"
}
```

## Data Consumption

TODO

## Testing instructions

Prerequisite:

* A client for performing OAuth2 authentication is installed or present, e.g. Postman (https://www.postman.com/downloads/) or OIDC Debugger (https://github.com/rcbj/oauth2-oidc-debugger)

Open the OAuth2 client and use the following information, depending on the stage being verified:

**DEV**

* Authorization endpoint: https://your-dev.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/auth
* Token endpoint: https://your-dev.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/token
* Client ID: zahlz-backend
* Client secret: 56ccf620-8953-483c-8050-8fc58dc5ab82
* Redirect URL: http://localhost:3000/callback
* Scope: openid profile User
* User: test@dkv-euroservice.com / test

**TEST**

* Authorization endpoint: https://your-test.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/auth
* Token endpoint: https://your-test.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/token
* Client ID: zahlz-client
* Client secret: 4f09e20e-8d46-4e9e-8018-8050ddbfa6f2
* Redirect URL: http://localhost:3000/callback
* Scope: openid profile User
* User: test@dkv-euroservice.com / test

**PREPROD (yet to be implemented)**

* Authorization endpoint: https://your-preprod.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/auth
* Token endpoint: https://your-preprod.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/token
* Client ID: zahlz-client
* Client secret: 6c87e4d6-ea3b-4fc3-8abe-ee310451b329
* Redirect URL: https://beta.zahlz.com/dkv/auth/callback
* Scope: openid profile User
* User: test@dkv-euroservice.com / test

**PROD (yet to be implemented)**

* Authorization endpoint: https://your.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/auth
* Token endpoint: https://your.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/token
* Client ID: zahlz-client
* Client secret: N/A
* Redirect URL: TBD
* Scope: openid profile User
* User: (Prod Testuser)

Continue by clicking "Authorize"; this sends the following request (cURL equivalent):

```
GET https://your-test.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/auth?
    state=01a733b2-fa58-4c05-a789-1ab7f2737d97&
    response_type=code&
    client_id=zahlz-client&
    redirect_uri=http://localhost:3000/callback&
    scope=openid profile User
```

Scroll down and click "Get token"; this sends the following request (cURL equivalent):

```
POST https://your-test.dkv-euroservice.com/auth/realms/dkv/protocol/openid-connect/token

Message Body:
    grant_type=authorization_code&
    code=<AUTH_CODE>&
    client_id=zahlz-client&
    redirect_uri=http://localhost:3000/callback&
    scope=openid profile User
```

Verify that the decoded token has a structure like the following:

```json
{
  "jti": "045d6923-0be5-4acf-8849-8824c9693530",
  "exp": 1589296421,
  "nbf": 0,
  "iat": 1589296121,
  "iss": "https://your-test.dkv-euroservice.com/auth/realms/dkv",
  "aud": "zahlz-client",
  "sub": "f:13a76da3-d23f-4204-864f-5c5c39493eb7:10560",
  "typ": "Bearer",
  "azp": "zahlz-client",
  "nonce": "32725e0b-cd92-43ea-aa4d-5893610cc45a",
  "auth_time": 1589295953,
  "session_state": "39d5fd47-4cfe-4cf9-a2ab-9cbdfc5dd653",
  "acr": "0",
  "allowed-origins": [],
  "resource_access": {
    "zahlz-client": {
      "roles": [
        "DKV_TEAM_FUEL", "DKV_EREPORTING_PREMIUM", "DKV_TRANSLATION_MANAGER_ADMIN",
        "DKV_WS_POOL_PRICES_SOURCE", "DKV_COCKPIT_ESERVICES_VIEW", "DKV_COCKPIT_REFUND_VIEW",
        "DKV_COCKPIT_ADMIN", "DKV_WS_POOL_UNPUBLISHED_DATA", "DKV_ESERVICES_ADMIN",
        "DKV_COCKPIT_INVOICE_CONFIG", "DKV_COCKPIT_TOLL_VIEW", "DKV_EMOBILITY",
        "DKV_WS_POOL_PRICES", "DKV_TISPL_TICKET_ADMIN", "DKV_EREPORTING_ADMIN",
        "DKV_TEAM_ESERVICES_POI", "DKV_CUSTOMER_MULTI_USER_SELECT", "DKV_EREPORTING",
        "DKV_TRANSLATION_MANAGER_ADVANCED", "DKV_COCKPIT_ESERVICES_CONFIG", "DKV_WEB_ADMIN",
        "DKV_COCKPIT_TOLL_ADMIN", "DKV_WS_POOL", "DKV_COCKPIT_CUSTOMER_LIMIT_CONFIG",
        "DKV_TRANSLATION_MANAGER", "DKV_WIT_CAMPAIGN_ADMIN", "DKV_COCKPIT_TOLL_CONFIG",
        "DKV_DEVELOPER", "DKV_COCKPIT_INV_ADMIN", "DKV_COCKPIT_CARDS_CONFIG",
        "DKV_COCKPIT_ADMINISTRATION_CONFIG", "DKV_EMPLOYEE", "DKV_PARTNERS_ADMIN",
        "DKV_WIT_CAMPAIGN", "DKV_COCKPIT_INVOICE_EINVOICE", "DKV_COCKPIT_INVOICE_VIEW",
        "DKV_CUSTOMER_GLOBAL", "DKV_COCKPIT_CARDS_VIEW", "DKV_COCKPIT_ADMINISTRATION_VIEW"
      ]
    }
  },
  "scope": "dkvcard"
}
```

You can copy the token and paste it into https://jwt.io/#debugger-io for decoding and inspection.

You are now authenticated and ready to continue calling backend services. Whenever the access token needs renewing, navigate to the "Refresh Token" section and exchange the refresh token for a new access token.

### Backend Calls

TODO
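As an added example (not code from this project), the claim checks a backend should apply to the access token structure shown in the Testing instructions before trusting its `resource_access` roles: issuer matches the stage's realm, `aud`/`azp` name `zahlz-client`, `exp`/`nbf`/`iat` are within a clock-skew leeway, and the hardcoded `dkvcard` scope is present. The sample payload is a trimmed copy of the token above with a shortened role list; the JWS signature is assumed to have been verified against the realm's public keys before these checks run.

```python
import base64
import json

TEST_ISSUER = "https://your-test.dkv-euroservice.com/auth/realms/dkv"
CLIENT_ID = "zahlz-client"

# Constructed sample: the decoded payload from the "Token structure" section,
# trimmed to the claims checked below (role list shortened). Not a real token.
SAMPLE_PAYLOAD = {
    "jti": "045d6923-0be5-4acf-8849-8824c9693530",
    "exp": 1589296421, "nbf": 0, "iat": 1589296121,
    "iss": TEST_ISSUER, "aud": CLIENT_ID, "azp": CLIENT_ID, "typ": "Bearer",
    "sub": "f:13a76da3-d23f-4204-864f-5c5c39493eb7:10560",
    "resource_access": {CLIENT_ID: {"roles": ["DKV_EMPLOYEE", "DKV_COCKPIT_ADMIN"]}},
    "scope": "dkvcard",
}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token() -> str:
    """Build header.payload.signature with a placeholder signature (constructed)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(SAMPLE_PAYLOAD).encode())}.placeholder-sig"

def decode_payload(token: str) -> dict:
    """Decode the payload segment the way jwt.io does. This does NOT verify the
    signature; call it only after the signature was checked (assumed elsewhere)."""
    _header, payload, _sig = token.split(".")
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def validate_claims(p: dict, issuer: str, client_id: str, now: int, leeway: int = 30) -> set:
    """Return the client roles if every claim check passes, else raise ValueError."""
    if p.get("iss") != issuer:
        raise ValueError("iss: token issued by another realm or stage")
    aud = p.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud: token not meant for this client")
    if p.get("azp") != client_id or p.get("typ") != "Bearer":
        raise ValueError("azp/typ: wrong authorized party or token type")
    if now >= p["exp"] + leeway:
        raise ValueError("exp: token expired; use the refresh token")
    if now < p.get("nbf", 0) - leeway or now < p["iat"] - leeway:
        raise ValueError("nbf/iat: token not yet valid")
    if "dkvcard" not in p.get("scope", "").split():
        raise ValueError("scope: hardcoded dkvcard scope claim missing")
    return set(p.get("resource_access", {}).get(client_id, {}).get("roles", []))
```

A token from the DEV realm fails the `iss` check against `TEST_ISSUER`, which is the intended behaviour: each stage's backend must pin its own realm URL.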