Configuration#
This document outlines the configuration process for Gluu Flex Admin UI, with a focus on essential components stored in the Auth Server's persistence layer. These components include role-permission mapping, OIDC client details for accessing the Auth Server, OIDC client details for accessing the Token Server, OIDC client details for accessing the License APIs, and license metadata.
Configuration Components#
Role-Permission Mapping#
Role-permission mapping defines which administrative roles are granted specific permissions within the Gluu Flex Admin UI. This mapping ensures that administrators can only access and modify functionalities relevant to their roles.
The mapping is stored in json format with following attributes.
Roles
| Attribute Name | Description |
|---|---|
| roles | Array of all roles |
| role | Role name |
| description | Role description |
| deletable | If set to true then entire role-permission mapping with respect to the role can be deleted. Default value: false |
Permissions
| Attribute Name | Description |
|---|---|
| permissions | Array of all available permissions |
| permission | Permission name |
| description | Permission description |
| defaultPermissionInToken | If set to true, it indicates that permission will need authentication and valid role during /token request to include in token |
Mapping
| Attribute Name | Description |
|---|---|
| rolePermissionMapping | List of all role-permission mapping |
| role | Role name |
| permission | Array of all permission mapped to the role |
Sample role-permission mapping stored in persistence
{
"roles": [
{
"role": "sample-role",
"description": "role description",
"deletable": false
}
],
"permissions": [
{
"permission": "sample-permission1",
"description": "permission1 description",
"defaultPermissionInToken": false
},
{
"permission": "sample-permission2",
"description": "permission2 description",
"defaultPermissionInToken": true
}
],
"rolePermissionMapping": [
{
"role": "sample-role",
"permissions": [
"sample-permission1",
"sample-permission2"
]
}
]
}
OIDC Client Details for Auth Server#
To establish secure communication with the Auth Server, Gluu Flex Admin UI requires the OIDC client details, including client ID and client secret. These details are used for authentication and authorization purposes.
The information is stored in json format with following attributes.
| Attribute Name | Description |
|---|---|
| authServerClient | Object with Auth Server client details |
| opHost | Auth Server hostname |
| clientId | Client Id of OIDC client used to access Auth server |
| clientSecret | Client Secret of OIDC client used to access Auth server |
| scopes | Scopes required for Admin UI authentication |
| acrValues | ACR required for Admin UI authentication |
| redirectUri | Redirect UI which is Admin UI home page |
| postLogoutUri | Url to be redirected after Admin UI logout |
| frontchannelLogoutUri | Front channel Logout Uri |
OIDC Client Details for Token Server#
Similarly, Gluu Flex Admin UI needs OIDC client details to interact with the Token Server. This enables the UI to request and manage access tokens required to access Jans Config API protected resources.
The information is stored in json format with following attributes.
| Attribute Name | Description |
|---|---|
| tokenServerClient | Object with Token Server client details |
| opHost | Token Server hostname |
| clientId | Client Id of OIDC client used to access Token server |
| clientSecret | Client Secret of OIDC client used to access Token server |
| tokenEndpoint | Token endpoint of token server |
OIDC Client Details for License Server#
Access to the License APIs is managed through OIDC client details. These details allows the Gluu Flex Admin UI Backend to generated access token to allow the retrieval of license-related information using license APIs.
The information is stored in json format with following attributes.
| Attribute Name | Description |
|---|---|
| opHost | Auth Server hostname used to generate token to access License APIs |
| clientId | Client Id of OIDC client used to generate token to access License APIs |
| clientSecret | Client Secret of OIDC client used to generate token to access License APIs |
License Metadata#
License metadata includes relevant information about the Gluu Flex Admin UI's licensing, such as License Key, Hardware id, License server url, License Auth server url, SSA used to register license auth server client.
The information is stored in json format with following attributes.
| Attribute Name | Description |
|---|---|
| licenseConfig | Object with License configuration details |
| ssa | SSA used to register OIDC client to access license APIs |
| scanLicenseApiHostname | SCAN License server hostname |
| licenseHardwareKey | Hardware key (org_id) to access license APIs |
Sample configuration stored in persistence
{
"oidcConfig": {
"authServerClient": {
"redirectUri": "https://your.host.com/admin",
"postLogoutUri": "https://your.gost.com/admin",
"frontchannelLogoutUri": "https://your.host.com/admin/logout",
"scopes": [
"openid",
"profile",
"user_name",
"email"
],
"acrValues": [
"basic"
],
"opHost": "https://your.host.com",
"clientId": "2001.aaf0b8eb-a82e-4798-b1a0-e007803a6568",
"clientSecret": "GGO4t1uixrTpl4Rizt3zag=="
},
"tokenServerClient": {
"tokenEndpoint": "https://your.host.com/jans-auth/restv1/token",
"scopes": [
"openid",
"profile",
"user_name",
"email"
],
"opHost": "https://your.host.com",
"clientId": "2001.aaf0b8eb-a82e-4798-b1a0-e007803a6568",
"clientSecret": "GGO4t1uixrTpl4Rizt3zag=="
}
},
"licenseConfig": {
"ssa": "...ssa in jwt format...",
"scanLicenseApiHostname": "https://cloud-dev.gluu.cloud",
"licenseKey": "XXXX-XXXX-XXXX-XXXX",
"licenseHardwareKey": "github:ghUsername",
"oidcClient": {
"opHost": "https://account-dev.gluu.cloud",
"clientId": "36a43e2b-a77b-4e9c-a966-a9d98af1665c",
"clientSecret": "211188d8-a2d8-4562-ab53-80907c1bb5ba"
}
}
}
Created: 2023-08-28