ARLAS-wui security
This page describes how to configure ARLAS-wui in order to add an access control to the application.
Authentication
Arlas-wui is compliant with an identity service provider (like https://auth0.com/) which respects an OAuth 2.0 PKCE : RFC 7636: Proof Key for Code Exchange protocol.
To configure the application you need to set some parameters in the settings.yaml file.
Below is an example of a working configuration with an Auth0 service. The configuration must be adapted according to the identity service provider.
| Auhtentication property | Definition | Working value |
|---|---|---|
| authentication.use_authent | Defines whether to be authenticated to Identity | true |
| authentication.force_connect | When authentication is enabled, this option forces to be connected to Identity Provider at application bootstrap | true |
| authentication.use_discovery | Defines whether we use Identity Provider document discovery service | true |
| authentication.scope | The requested scopes | openid profile |
| authentication.require_https | Defines whether https is required | true |
| authentication.response_type | Response type values | code token id_token |
| authentication.silent_refresh_timeout | Timeout for silent refresh | 10000 |
| authentication.timeout_factor | Defines when the token_timeout event should be raised. If you set this to the default value 0.75, the event is triggered after 75% of the token's life time. | 0.75 |
| authentication.session_checks_enabled | If true, the app will try to check whether the user is still logged in on a regular basis as described | false |
| authentication.clear_hash_after_login | Defines whether to clear the hash fragment in url after logging in | true |
| authentication.disable_at_hash_check | This property has been introduced to disable at_hash checks and is indented for Identity Provider that does not deliver an at_hash EVEN THOUGH its recommended by the OIDC specs. | false |
| authentication.show_debug_information | Defines whether to display debug log in browser console | false |
| authentication.storage | Defines the kind of storage : localstorage or sessionstorage | sessionstorage |
| authentication.issuer | The issuer's uri | CHANGE_ME |
| authentication.client_id | The client's id as registered with the identity provider server | CHANGE_ME |