How to integrate Artifactory with OpenID Connect OAuth 2.0?

Nimer Bsoul
2019-08-07 05:43

Subject

From version 4.2, Artifactory is integrated with OAuth allowing you to delegate authentication requests to external providers and let users login to Artifactory using their accounts with those providers.
Currently, the provider types supported are Google, OpenID Connect, GitHub Enterprise, and Cloud Foundry UAA. You may define as many providers of each type as you need.

For this step-by-step guide to setting up an OpenID Connect (OAuth 2.0) integration with Artifactory we will use the open source project MITREid Connect. It contains a certified OpenID Connect reference implementation in Java on the Spring platform: a functioning server library, a deployable server package, a client (RP) library, and general utility libraries. The server can be used as an OpenID Connect Identity Provider as well as a general-purpose OAuth 2.0 Authorization Server.

Details

The first step is to build the project locally and bring up a working OpenID Connect server:

Git Checkout and Initialization
Check out the project using a normal Git clone command:
$ git clone https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server.git

Common Maven Options that can be used
To skip unit tests, add this option:
$ mvn -DskipTests package

To skip JavaDoc generation:
$ mvn -Dmaven.javadoc.skip=true package

To configure an HTTP and HTTPS proxy, add these options (Maven on Linux does not always seem to read the proxy settings from settings.xml):

$ mvn -Dhttp.proxyHost=proxy -Dhttp.proxyPort=80 -Dhttps.proxyHost=proxy -Dhttps.proxyPort=80 package

Deploying with Jetty
The server webapp can be deployed using an embedded Jetty instance inside of Maven.
To deploy to Jetty, first install the application to your local Maven repository by running this from the parent project directory:

$ mvn clean install

To run the embedded Jetty server and deploy the server webapp, run the following command from the openid-connect-server-webapp directory (important: do not run it from the parent project directory):

$ mvn jetty:run-war

This deploys the server at http://localhost:8080/openid-connect-server-webapp/.
You can log in with username user and password password. These are the demo credentials shipped with the reference server; do not expose this instance beyond localhost until they have been changed.

Deploying with Tomcat
The server webapp has been tested with Tomcat 6 and Tomcat 7. 
To deploy the server to Tomcat (or a similar servlet container), copy the generated .war file to the appropriate Tomcat webapps directory, such as:

cp openid-connect-server-webapp/target/openid-connect-server.war /var/lib/tomcat6/webapps

The second step, once you have verified that the OpenID Connect webapp is up and running, is to navigate to Home / Self-service Client Registration and click New Client to add Artifactory.

Fill out the client (Artifactory) configuration and click Save. Register Artifactory's callback, http://<artifactory-host>:<port>/artifactory/api/oauth2/loginResponse, as the client's redirect URI; the provider will only redirect back to a URI that is registered for the client. It is very important to save the generated information, such as the Client ID and Client Secret, because it will be entered into Artifactory later.

Configuring OAuth with OpenID Connect in Artifactory

To access OAuth integration settings, in the Admin module, select Security | OAuth SSO.

OAuth SSO Configuration

Add OpenID Connect as New Provider

To add a new provider, click "New". Artifactory displays a dialog letting you enter the provider details.

MITREid Connect exposes the following endpoints, which Artifactory needs for the OAuth 2.0 authorization code flow (the localhost HTTP URLs are fine for this test; a production provider must be reached over HTTPS, since the token endpoint carries the client secret and the issued tokens):

  • Auth URL: http://localhost:8080/openid-connect-server-webapp/authorize

  • Token URL: http://localhost:8080/openid-connect-server-webapp/token

  • API URL: http://localhost:8080/openid-connect-server-webapp/userinfo
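The three endpoints above are the ones Artifactory drives during a login. The following Python example is added here and is not Artifactory or MITREid Connect code; it walks through the exchange from the relying party's side: the redirect to the Auth URL, the state check on the callback, the code-for-token POST to the Token URL with the client secret sent over HTTP Basic, and the bearer call to the API URL (userinfo). The client ID, client secret, redirect URI and the in-memory FakeProvider are constructed stand-ins for the values MITREid generated at client registration and for the server itself, so the flow runs offline.

```python
"""Authorization-code flow as Artifactory (the relying party) performs it against
the MITREid Connect endpoints. Added example, not Artifactory or MITREid code."""
import base64
import secrets
import urllib.parse

BASE = "http://localhost:8080/openid-connect-server-webapp"
AUTH_URL = BASE + "/authorize"
TOKEN_URL = BASE + "/token"
API_URL = BASE + "/userinfo"
# Constructed stand-ins for what MITREid generated at client registration.
CLIENT_ID = "artifactory-client"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "http://localhost:8081/artifactory/api/oauth2/loginResponse"


def build_authorize_url(state):
    """Step 1: the browser is sent to the Auth URL. 'state' ties the callback to this session."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile email", "state": state}
    return AUTH_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: the provider redirects back with ?code=...&state=...  A state mismatch is
    rejected before anything else: that is the RP's CSRF / login-injection check."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this login")
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    return query["code"][0]


def token_request(code):
    """Step 3: the POST the RP sends to the Token URL. The client authenticates with
    HTTP Basic (client_secret_basic); the code and redirect_uri go in the form body."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "code": code, "redirect_uri": REDIRECT_URI})
    return TOKEN_URL, headers, body


class FakeProvider:
    """Constructed in-memory stand-in for the three MITREid endpoints. It issues one
    code per authorize() and accepts it exactly once, as a real provider does."""

    def __init__(self):
        self.codes = {}   # code -> redirect_uri it was issued for
        self.tokens = {}  # access token -> userinfo claims

    def authorize(self, url):
        q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        assert q["client_id"][0] == CLIENT_ID and q["response_type"][0] == "code"
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["redirect_uri"][0]
        return q["redirect_uri"][0] + "?" + urllib.parse.urlencode({"code": code, "state": q["state"][0]})

    def token(self, url, headers, body):
        creds = base64.b64decode(headers["Authorization"].split()[1]).decode()
        form = urllib.parse.parse_qs(body)
        code = form["code"][0]
        # Wrong client credentials, unknown/replayed code or redirect_uri mismatch -> invalid_grant.
        if creds != f"{CLIENT_ID}:{CLIENT_SECRET}" or self.codes.pop(code, None) != form["redirect_uri"][0]:
            return 400, {"error": "invalid_grant"}
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"sub": "user", "preferred_username": "user", "email": "user@example.com"}
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def userinfo(self, url, bearer):
        claims = self.tokens.get(bearer)
        return (200, claims) if claims else (401, {"error": "invalid_token"})


def login(provider):
    """Run the whole flow once; returns the userinfo claims Artifactory would map to a user."""
    state = secrets.token_urlsafe(16)
    callback = provider.authorize(build_authorize_url(state))
    code = parse_callback(callback, state)
    status, tok = provider.token(*token_request(code))
    if status != 200:
        raise RuntimeError(tok["error"])
    status, claims = provider.userinfo(API_URL, tok["access_token"])
    if status != 200:
        raise RuntimeError(claims["error"])
    return claims


if __name__ == "__main__":
    print(login(FakeProvider()))
```

Two behaviours worth noticing when troubleshooting a real setup: the provider will only honour the redirect_uri that was registered for the client, and an authorization code is single-use, so a second POST of the same code returns invalid_grant rather than a token.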

Example of the setup in Artifactory:

Click Save and start using the integration between Artifactory and OAuth 2.0 OpenID Connect.
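A quick way to confirm that the three URLs saved in Artifactory are the ones the provider actually serves is to compare them with the provider's OpenID Connect discovery document (/.well-known/openid-configuration), which MITREid Connect publishes under its issuer. The Python below is an added example, not Artifactory or MITREid code: the discovery JSON is constructed to resemble MITREid's for the localhost deployment so the check runs offline, and fetch_discovery() is what you would call against a live server instead.

```python
"""Compare the Auth URL, Token URL and API URL configured in Artifactory with the
endpoints the provider advertises in its discovery document.
Added example, not Artifactory or MITREid Connect code."""
import json
import urllib.parse
import urllib.request

ISSUER = "http://localhost:8080/openid-connect-server-webapp/"

# Constructed discovery document: only the fields this check needs.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "authorize",
    "token_endpoint": ISSUER + "token",
    "userinfo_endpoint": ISSUER + "userinfo",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "response_types_supported": ["code", "token"],
})

# The three values entered in the Artifactory provider dialog.
ARTIFACTORY_PROVIDER = {
    "authUrl": ISSUER + "authorize",
    "tokenUrl": ISSUER + "token",
    "apiUrl": ISSUER + "userinfo",
}

# Artifactory field -> discovery-document key (OpenID Connect Discovery 1.0 names).
FIELD_MAP = {"authUrl": "authorization_endpoint",
             "tokenUrl": "token_endpoint",
             "apiUrl": "userinfo_endpoint"}


def fetch_discovery(issuer, timeout=5):
    """Fetch the discovery document from a live provider; returns the raw JSON text."""
    url = urllib.parse.urljoin(issuer, ".well-known/openid-configuration")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_provider(discovery_json, configured, allow_http=False):
    """Return a list of findings; an empty list means the configured URLs match
    what the provider advertises and (unless allow_http) all use HTTPS."""
    doc = json.loads(discovery_json)
    findings = []
    for field, key in FIELD_MAP.items():
        advertised = doc.get(key)
        if advertised is None:
            findings.append(f"{key} missing from discovery document")
        elif configured.get(field) != advertised:
            findings.append(f"{field} is {configured.get(field)!r} but provider advertises {advertised!r}")
    if "code" not in doc.get("response_types_supported", []):
        findings.append("provider does not advertise response_type=code (authorization code flow)")
    if not allow_http:
        for field, url in configured.items():
            if urllib.parse.urlparse(url).scheme != "https":
                findings.append(f"{field} is not HTTPS: acceptable for this localhost test, not for production")
    return findings


if __name__ == "__main__":
    for finding in check_provider(SAMPLE_DISCOVERY, ARTIFACTORY_PROVIDER) or ["configuration matches"]:
        print(finding)
```

Against a real deployment, replace SAMPLE_DISCOVERY with fetch_discovery(ISSUER) and keep allow_http=False, so that a plain-HTTP provider URL is reported rather than silently accepted.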