Configuring YSoft SafeQ Client v3 and YSoft SafeQ Job Service with external OIDC provider

About

YSoft SafeQ Job Service provides an integrated OIDC provider, which the YSoft SafeQ Client v3 uses by default for authentication in client modes. This provides an OIDC flow for the users that are managed in the YSoft SafeQ Management interface. You can, however, choose a different identity provider instead of the one built into YSoft SafeQ Job Service.

Setting up the OIDC integration

To enable the integration, you must:

  • Configure the OIDC client in your external identity provider

  • Configure the Job Service to validate credentials with external identity provider

  • Configure the Client v3 in Server mode to validate credentials with external identity provider

Configure the OIDC client in your external identity provider

The configuration interface varies between identity providers, but the following properties must be set for the client to work.

Configuration     Value
Client ID         ysoft-safeq-client
Redirect URIs     http://localhost:3050/callback
                  • this might vary based on whether you changed the UserInterfacePort setting in Job Service
Web origins       * (or allow all)
Flow              Authorization Code Flow with PKCE
Refresh tokens    enabled
Scopes            • profile
                  • jobs:read
                  • jobs:delete
                  • queues:read
                  • jobs:create
                  • offline_access
Claims            username - this must be the username that is used by YSoft SafeQ. This claim is not standard and must be added to the token by the identity provider.
Audience          ysoft-safeq

Configure the Job Service to validate credentials with external identity provider

Job Service needs to be configured via its local.json configuration file. The following configuration block needs to be added.

Job Service local.json

  "AuthorityOptions": {
    "Authority": "https://sso.company.net/auth/realms/realmName",
    "Audience": "ysoft-safeq"
  }

Authority is the address of your identity provider.

  • For Keycloak, use this pattern: https://<keycloak-url>/auth/realms/<realm-name>

Audience must match the audience value you configured when creating the client in your identity provider.

After adding the configuration, restart the component.
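The checks that a token must pass against the settings above, as an added example that is not YSoft's code: the issuer must equal AuthorityOptions.Authority, the audience must contain AuthorityOptions.Audience, the token must not be expired, the non-standard username claim must be present, and the scopes from the client table must have been granted. It stands in an HMAC key and a locally built HS256 token (both constructed) for the provider's real signing keys so it runs offline.

```python
import base64, hashlib, hmac, json, time

# Values taken from the AuthorityOptions block and the client table on this page.
AUTHORITY = "https://sso.company.net/auth/realms/realmName"  # AuthorityOptions.Authority
AUDIENCE = "ysoft-safeq"                                     # AuthorityOptions.Audience
REQUIRED_SCOPES = {"profile", "jobs:read", "jobs:delete", "queues:read", "jobs:create", "offline_access"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed HS256 token standing in for the identity provider's signed JWT (fixture only)."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, key: bytes, now=None) -> list:
    """Return the problems found; an empty list means the token meets the requirements above."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return ["malformed token"]
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never honour 'none' or a switched alg
        return ["unexpected alg %r" % header.get("alg")]
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return ["bad signature"]
    claims = json.loads(_b64url_decode(payload_b64))
    problems = []
    if claims.get("iss") != AUTHORITY:
        problems.append("issuer does not match Authority")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience does not contain ysoft-safeq")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token expired")
    if not claims.get("username"):  # non-standard claim SafeQ maps to its own username
        problems.append("missing username claim")
    missing = REQUIRED_SCOPES - set(claims.get("scope", "").split())
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    return problems
```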

Configure the Client v3 in Server mode to validate credentials with external identity provider

As with the Job Service, the Client v3 needs additional configuration via its local.json configuration file. The following configuration block needs to be added.

Client v3 local.json

  "AuthorityOptions": {
    "Authority": "https://sso.company.net/auth/realms/realmName",
    "Audience": "ysoft-safeq"
  }

Authority is the address of your identity provider.

  • For Keycloak, use this pattern: https://<keycloak-url>/auth/realms/<realm-name>

Audience must match the audience value you configured when creating the client in your identity provider.

After adding the configuration, restart the component.