OIDC from separate frontend application support #10224

@Matthbo

Description

Related Problem or Business Case

We are running 2 Franks: one serving an Angular application as web content and one acting as the API backend.

The Angular application uses the "angular-oauth2-oidc" & "angular-oauth2-oidc-jwks" dependencies to let the user log in to Keycloak and retrieve the authorisation token. This token is used in the Authorization header sent with every request to the ApiListeners in the backend Frank.

Currently the ApiListenerServlet doesn't use the Authorization header and wants to redirect the request to the keycloak login page.

Describe the Feature

Add support for finishing the OIDC flow so the Authorization token is used to validate the user logged into the frontend, and to be able to check the userinfo for roles, groups and other user information that can be used for authorisation and audit logging.

Collaboration with External Companies

No, community resolution only

Anything else?

Angular OIDC config:

{
  "rootUrl": "http://localhost:8079/api",
  "authType": "oauth2",
  "auth.authenticationMethod": "AUTHORIZATION_CODE_PKCE",
  "auth.issuer": "http://keycloak.localtest.me:9080/realms/<realm>",
  "auth.clientId": "<clientId>",
  "auth.scope": "openid profile roles groups",
  "auth.requireHttps": false
}

Backend frank auth properties I tested with:

servlet.ApiListenerServlet.authenticator=OAUTH2_JWT
# securityRoles=openid is for testing only (a trailing "# ..." on the same line would become part of the value)
servlet.ApiListenerServlet.securityRoles=openid

application.security.http.authenticators=OAUTH2_JWT
application.security.http.authenticators.OAUTH2_JWT.type=OAUTH2
application.security.http.authenticators.OAUTH2_JWT.provider=custom
application.security.http.authenticators.OAUTH2_JWT.scopes= basic,email,profile,roles,groups
application.security.http.authenticators.OAUTH2_JWT.issuerUri= http://keycloak.localtest.me:9080/realms/<realm>
application.security.http.authenticators.OAUTH2_JWT.authorizationUri= http://keycloak.localtest.me:9080/realms/<realm>/protocol/openid-connect/auth
application.security.http.authenticators.OAUTH2_JWT.tokenUri= http://keycloak.localtest.me:9080/realms/<realm>/protocol/openid-connect/token
application.security.http.authenticators.OAUTH2_JWT.jwkSetUri= http://keycloak.localtest.me:9080/realms/<realm>/protocol/openid-connect/certs
application.security.http.authenticators.OAUTH2_JWT.clientId= <clientId>
application.security.http.authenticators.OAUTH2_JWT.clientSecret= <secret>
application.security.http.authenticators.OAUTH2_JWT.authoritiesClaimName= realm_access.roles

Example of what the userinfo endpoint provides:

{
  "sub":"",
  "preferred_username":"",
  "name":"",
  "isc":"",
  "email": "",
  "phone_number":"",
  "email_verified":"",
  "phone_number_verified":"",
  "LDAP_groepen":"xxx, xxxx"
}
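For reference, this is what the backend half of the requested behaviour looks like as a Spring Security resource-server configuration: accept the SPA's bearer token, validate its signature, issuer and expiry against the Keycloak realm, map the nested realm_access.roles claim to authorities, and answer 401 instead of redirecting to the login page. This is an added example, not Frank!Framework code; it assumes Spring Security 6 on Java 17, and the ISSUER value and the "user" realm role are assumptions taken from the config above.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class BearerTokenApiConfig {

    // Assumed value: the realm issuer from the issue's config; discovery fetches the JWKS URI from it.
    private static final String ISSUER = "http://keycloak.localtest.me:9080/realms/<realm>";

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        // Spring's default converter only reads top-level claims, so map realm_access.roles ourselves.
        converter.setJwtGrantedAuthoritiesConverter(BearerTokenApiConfig::realmRoles);
        http.securityMatcher("/api/**")
            // Stateless bearer-token API: no session, no CSRF token, no login redirect.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            // "user" is an assumed Keycloak realm role; hasRole() prepends ROLE_.
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("user"))
            // Resource-server mode: a missing, expired or wrongly-signed token gets 401 + WWW-Authenticate.
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt
                .decoder(JwtDecoders.fromIssuerLocation(ISSUER)) // checks signature via JWKS, iss and exp
                .jwtAuthenticationConverter(converter)));
        return http.build();
    }

    /** Maps Keycloak's nested {"realm_access": {"roles": [...]}} claim to ROLE_* authorities. */
    static Collection<GrantedAuthority> realmRoles(Jwt jwt) {
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        if (realmAccess == null || !(realmAccess.get("roles") instanceof Collection<?> roles)) {
            return List.of(); // no roles claim: authenticated, but authorised for nothing
        }
        return roles.stream()
            .map(role -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + role))
            .toList();
    }
}
```

Groups from the userinfo endpoint (the LDAP_groepen field above) are not in the token by default; a Keycloak mapper has to put them into the access token before the same converter can map them.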

Status: Done