...
OIDC Server Configuration
- If you have not already done so, register DTP with your OpenID Connect identity provider. Note the following values from the registration; they are entered in the oidc.json file described below:
  - issuerUri
  - clientId
  - clientSecret
- Register the necessary redirect URIs so that the OIDC server knows where to send the user after authentication. Register each URI exactly as DTP will send it (scheme, host and port included) and avoid wildcard patterns where your provider allows them: a loosely matched redirect URI lets an attacker have authorization codes delivered elsewhere. The following redirect URIs should be registered:
Required:
http(s)://<DTP_HOST>:<PORT>/pst/login/oauth2/code/dtp
http(s)://<DTP_HOST>:<PORT>/pstsec/login/oauth2/code/dtp (User Administration)
http(s)://<DTP_HOST>:<PORT>/grs/login/oauth2/code/dtp (Required for Report Center/Enterprise Pack)
Optional (these only need to be registered to enable logging in directly through the individual application):
http(s)://<DTP_HOST>:<PORT>/licenseserver/login/oauth2/code/dtp (License Server)
http(s)://<DATA_COLLECTOR_URL>/login/oauth2/code/dtp (Data Collector)
...
Open the oidc.json file located in the <DTP_DATA_DIR>/conf directory to configure the OIDC provider properties used by DTP:
{
  "enabled": false,
  "issuerUri": "your issuer uri",
  "clientId": "your client id",
  "clientSecret": "your client secret",
  "scopes": ["openid", "profile", "email"],
  "claimMappings": {
    "username": "preferred_username",
    "firstName": "given_name",
    "lastName": "family_name",
    "email": "email"
  },
  "adminUsers": []
}
Configure the oidc.json file, including the adminUsers list, before the admin users log in for the first time; otherwise those users are created in the database without the permissions necessary for performing administrative functions.
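The following added example (not DTP's code; the field names and placeholder strings come from the oidc.json above, while the checks, the function names, `dtp.example.com` and the port are this example's own assumptions) reads an oidc.json and reports the settings that would leave OIDC disabled or cause the first-login problem, and builds the redirect URI list to register at the provider:

```python
#!/usr/bin/env python3
"""Pre-flight checks for a DTP oidc.json before enabling OIDC.

Added example, not code from DTP or its documentation. Field names and
placeholder values are taken from the oidc.json shown on this page; the
checks and the redirect-URI helper are this example's own (assumptions).
"""
import json
import sys
from urllib.parse import urlparse

# Placeholder strings from the default oidc.json that must be replaced.
PLACEHOLDERS = {"your issuer uri", "your client id", "your client secret"}
REQUIRED_MAPPINGS = ("username", "firstName", "lastName", "email")

# The default oidc.json from this page, used here as sample input.
DEFAULT_CONFIG = {
    "enabled": False,
    "issuerUri": "your issuer uri",
    "clientId": "your client id",
    "clientSecret": "your client secret",
    "scopes": ["openid", "profile", "email"],
    "claimMappings": {
        "username": "preferred_username",
        "firstName": "given_name",
        "lastName": "family_name",
        "email": "email",
    },
    "adminUsers": [],
}


def check_oidc_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means the file looks ready."""
    findings = []
    if not cfg.get("enabled", False):
        findings.append('"enabled" is false: OIDC login stays disabled')
    for key in ("issuerUri", "clientId", "clientSecret"):
        value = cfg.get(key, "")
        if not value or value in PLACEHOLDERS:
            findings.append(f'"{key}" is empty or still the placeholder')
    issuer = cfg.get("issuerUri", "")
    if issuer and issuer not in PLACEHOLDERS and urlparse(issuer).scheme != "https":
        findings.append('"issuerUri" is not https: discovery and tokens would travel unencrypted')
    if "openid" not in cfg.get("scopes", []):
        findings.append('"scopes" lacks "openid": the provider will not issue an ID token')
    mappings = cfg.get("claimMappings", {})
    for name in REQUIRED_MAPPINGS:
        if not mappings.get(name):
            findings.append(f'"claimMappings.{name}" is missing')
    if not cfg.get("adminUsers"):
        findings.append('"adminUsers" is empty: the first admins to log in would be '
                        'created without administrative permissions')
    return findings


def redirect_uris(dtp_host: str, port: int, scheme: str = "https",
                  data_collector_url: str = None) -> dict:
    """Build the redirect URIs listed on this page for registration at the provider."""
    base = f"{scheme}://{dtp_host}:{port}"
    required = [f"{base}/{app}/login/oauth2/code/dtp" for app in ("pst", "pstsec", "grs")]
    optional = [f"{base}/licenseserver/login/oauth2/code/dtp"]
    if data_collector_url:
        optional.append(f"{data_collector_url.rstrip('/')}/login/oauth2/code/dtp")
    return {"required": required, "optional": optional}


if __name__ == "__main__":
    # Usage: check_oidc.py [<DTP_DATA_DIR>/conf/oidc.json]; defaults to the sample.
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else DEFAULT_CONFIG
    for finding in check_oidc_config(cfg) or ["no findings"]:
        print("-", finding)
    for kind, uris in redirect_uris("dtp.example.com", 8443).items():
        print(kind + ":", *uris, sep="\n  ")
```

Run against the untouched default file it reports five findings, the last being the empty adminUsers list that the note above warns about; once the admin usernames and real provider values are in place it reports none.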
...
- DTP UI will still enforce OIDC authentication
- DTP REST API will accept both OIDC and basic authentication
- Automation users will call DTP REST API using basic authentication
Enabling Client Credentials Flow
To enable the client credentials flow, for example for inbound connections from Parasoft CTP, add the following clientCredentials element after the adminUsers element in the oidc.json file (separated from it by a comma; JSON does not allow a trailing comma after the last entry of an object):
"clientCredentials": {
  "enabled": true,
  "clientId": "client id",
  "clientSecret": "client secret",
  "scopes": ["openid"],
  "claimMappings": {
    "username": "preferred_username"
  }
}
The client credentials flow obtains a JWT access token from the OAuth server and uses it for authentication. Specify which claim in the token is used as the username and, if necessary, create a matching DTP user so that the username resolves to a valid DTP account. Depending on the OAuth server (for example, Keycloak or Microsoft Entra ID), the claims included in the access token are configurable. If you are not sure which claims your token contains, request a token with a curl command as shown below and inspect its payload. Decode it locally rather than pasting a live token into a web-based decoder: until it expires, the token grants access to DTP.
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET
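Added example in Python (not DTP code or any provider's SDK; the token endpoint URL, client id and secret are placeholders, the sample token is constructed locally, and the function names are this example's own) that performs the same token request as the curl command, decodes the token payload offline, and applies the clientCredentials.claimMappings rule to show which DTP username the token would resolve to:

```python
#!/usr/bin/env python3
"""Request a client-credentials token and inspect its claims.

Added example; not DTP code and not an identity provider's API. The token
endpoint URL, client id and secret are placeholders (assumptions for this
example) and the sample token is constructed locally. decode_claims()
deliberately does NOT verify the signature: it is for reading claim names on
an administrator's machine, never for deciding whether to accept a token.
"""
import base64
import json
import urllib.parse
import urllib.request


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def request_token(token_url: str, client_id: str, client_secret: str,
                  scope: str = None) -> str:
    """Same POST as the curl command above; returns the access token string."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if scope:  # optional in the client-credentials grant
        form["scope"] = scope
    req = urllib.request.Request(
        token_url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def mapped_username(token: str, claim_mappings: dict):
    """Apply the clientCredentials.claimMappings rule: return the claim value
    DTP would use as the username, or None when the token does not carry it."""
    return decode_claims(token).get(claim_mappings["username"])


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for the offline demonstration below."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Live use (placeholder values): token = request_token(
    #     "https://{yourDomain}/oauth/token", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "openid")
    token = make_sample_token({"iss": "https://idp.example.com", "sub": "3f1c",
                               "azp": "ctp", "preferred_username": "service-account-ctp"})
    mappings = {"username": "preferred_username"}
    print("claims:", sorted(decode_claims(token)))
    user = mapped_username(token, mappings)
    if user is None:
        print(f'no "{mappings["username"]}" claim; pick one of the claims above '
              'or add a mapper at the provider')
    else:
        print(f"DTP will look for a user named {user!r}; create it if it does not exist")
```

The value printed last is the username to create in DTP. With Keycloak, for instance, a client's service account is named service-account-<clientId>, so that is the DTP user a CTP client would need unless you map a different claim.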
Example Configurations
The following examples are intended to help you understand how to connect DTP to your identity access management system. Refer to the documentation for your software for implementation details.
...