Skip to content

OpenConext/OpenConext-Invite

Folders and files

NameName
Last commit message
Last commit date

Latest commit

8e80698 · Feb 11, 2025
Feb 6, 2025
Feb 11, 2025
Feb 4, 2025
Feb 11, 2025
Feb 11, 2025
Feb 11, 2025
Oct 28, 2024
Sep 13, 2024
Oct 3, 2023
Oct 3, 2023
Jan 14, 2025
May 9, 2023
Oct 25, 2024
Oct 3, 2023
Feb 11, 2025
Oct 3, 2023

Repository files navigation

Openconext-Invite

Build Status Coverage Branches

  • Java 21
  • Maven 3

First install Java 21 with a package manager and then export the correct the JAVA_HOME. For example on macOS:

export JAVA_HOME=/Library/Java/JavaVirtualMachines/openjdk-21.jdk/Contents/Home/

Then create the MySQL database:

DROP DATABASE IF EXISTS invite;
CREATE DATABASE invite CHARACTER SET utf8mb4 COLLATE utf8mb4_0900_ai_ci;
CREATE USER 'invite'@'localhost' IDENTIFIED BY 'secret';
GRANT ALL privileges ON `invite`.* TO 'invite'@'localhost';

This project uses Spring Boot and Maven. To run locally, type:

mvn spring-boot:run

To build and deploy (the latter requires credentials in your maven settings):

mvn clean deploy

In the default application.properties the mail host is localhost and the port is 1025. Run mailpit to capture mails. See https://github.com/axllent/mailpit

https://invite.test.surfconext.nl/ui/swagger-ui/index.html

https://mock.test.surfconext.nl/

https://welcome.test.surfconext.nl/

https://invite.test.surfconext.nl/

If you want to use the mock-provisioning, add the following metadata in Manage.

SCIM:

"provisioning_type": "scim",
"scim_url": "https://mock.test.surfconext.nl/api/scim/v2",
"scim_user": "user",
"scim_password": "secret",
"scim_update_role_put_method": true

eVA

"provisioning_type": "eva",
"eva_token": "secret",
"eva_guest_account_duration": 30
"eva_url": "https://mock.test.surfconext.nl/eva",

Graph

"provisioning_type": "graph",
"graph_url": "https://mock.test.surfconext.nl/graph/users",
"graph_client_id" : "client_id",
"graph_domain" : "hartingcollege.onmicrosoft.com",
"graph_secret" : "secret",
"graph_tenant": "tenant"

Login with Mujina IdP and user admin to become super-user in the local environment

http://localhost:8888/ui/swagger-ui/index.html

http://localhost:8081/

http://localhost:4000

http://localhost:3000

To become an institution admin in invite, add the following values as eduPersonEntitlements using Mujina:

  • urn:mace:surfnet.nl:surfnet.nl:sab:organizationGUID:ad93daef-0911-e511-80d0-005056956c1a
  • urn:mace:surfnet.nl:surfnet.nl:sab:role:SURFconextverantwoordelijke

https://openconext.github.io/OpenConext-Invite/

Security

There are several security filters in Invite:

  • OAuth2 login where the user logs in with OpenIDConnect. Invite is acting as a backend server and cookies are used to identify the user in the security context.
  • Access token login where the user has logged in with OpenIDConnect and the client obtained an access token. Invite is acting as a resource server. The API is stateless and for now no token introspects are cached.
  • Basic Authentication for voot, teams, aa, profile, deprovision and sp_dashboard endpoints. The API is stateless and the API users are stored in memory. Endpoints are also secured by scope.
  • API token header (X-API-TOKEN) generated for institutional_admins (or super_users) in the GUI. The user stored in the security context is the first user with the same organisational GUID (or super_user) as the user who has generated the token.

Provisioning Secrets

The secrets (passwords / API-keys) used in provisionings are encrypted in OpenConext-Manage using keypairs.

Create private / public keypair

openssl genrsa -traditional -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem

Convert private key to pkcs8 format in order to import it from Java

openssl pkcs8 -topk8 -in private_key.pem -inform pem -out private_key_pkcs8.pem -outform pem -nocrypt