sunbird-lms-service will directly fetch SSO_PUBLICKEY from the Keycloak server and use it for authentication and other purposes

Problem Statement

The current problem with Sunbird is that anyone installing the Sunbird server has to get sunbird_sso_publickey manually from the Keycloak server and put it into the config file of the Sunbird server installation after completing step 1 of the server installation. sunbird-lms-server then reads it from the environment properties when it starts and uses it. This creates a human dependency and increases the chance of error or inconvenience.

Proposed Solution

After the server installation completes, sunbird-lms-service will fetch the sunbird_sso_publickey value directly from the Keycloak instance on start, using an HTTP request or the Keycloak Admin REST Client. Step 1 and step 2 of the server installation will therefore be merged, and sunbird-lms-service will keep the key in memory and use it whenever it is required.


The HTTP call to server-url/auth/realms/{realm-name}/protocol/openid-connect/certs returns only RSA public keys, not HMAC keys. HMAC keys can be fetched by using access token details, but we are only using RSA keys.


Response Body:

    {
      "keys": [
        {
          "kid": "Y0YN8HiP3nlCQC77uSUjGtx-seMvzRxyrCRGIhmzfsw",
          "kty": "RSA",
          "alg": "RS256",
          "use": "sig",
          "n": "kqIh4jUuDk6PSQ4KsVCON6AUC9tzODPcUJhlz5KuUumwPb3Qva0TDECGGN6d8OYONlFa-fLXzBKRXWlBxIIlP65WLhFRSiIeThKxT_BcXm6CAnTCAMPMu5Cecuw--E3xLxwvWQdxgwqgxpX46kBYacLVuHoPikvb7V3DjbRxQwfgf4z3VbXOaaoKx3Hzj0uRhDe7V91BChvIihR5Vnrzl9xA6lPC7X-Vzp6uazDmwns6zNIHHsNozHIHDOQ6HTbzOZwjsCtQmbkTGHfPV75cmkjWesgs56hl5vU--utd6Cngg2E2TPuEjmdXqymAXYCFmEDS-m6sR4Y9w48X5MV-nw",
          "e": "AQAB"
        }
      ]
    }



       



Using "kid", "n" and "e" we can generate the public RSA certificate, which is sufficient to generate the required data.

But we don't need to generate the public RSA key, as we are decoding it again in KeyCloakServiceImpl.java in sunbird-utils, so implementing this also lets us reduce the code.
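The step described above, as an added example that is not Sunbird's own code: it builds a java.security.PublicKey directly from the "n" and "e" of one certs entry, keeps it in memory keyed by "kid", and checks it against a signature. The class name JwkKeyCache, the kid "sample-kid" and the locally generated key pair are assumptions; fetching and JSON-parsing the certs response is left out.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class JwkKeyCache { // hypothetical class name
  private final Map<String, PublicKey> keysByKid = new ConcurrentHashMap<>();
  // Adds one entry of the "keys" array; anything but an RSA signing key is rejected.
  public void addJwk(Map<String, String> jwk) throws GeneralSecurityException {
    if (!"RSA".equals(jwk.get("kty")) || !"sig".equals(jwk.get("use"))) {
      throw new InvalidKeyException("not an RSA signing key: " + jwk.get("kid"));
    }
    // n and e are base64url-encoded unsigned big-endian integers; signum 1 keeps them positive.
    Base64.Decoder b64 = Base64.getUrlDecoder();
    BigInteger n = new BigInteger(1, b64.decode(jwk.get("n")));
    BigInteger e = new BigInteger(1, b64.decode(jwk.get("e")));
    PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
    keysByKid.put(jwk.get("kid"), key);
  }

  public PublicKey get(String kid) { return keysByKid.get(kid); } // null if the kid is unknown
  public static void main(String[] args) throws Exception {
    // Constructed sample: a local key pair encoded the way the certs endpoint presents it.
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair pair = gen.generateKeyPair();
    RSAPublicKey pub = (RSAPublicKey) pair.getPublic();
    Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
    Map<String, String> jwk = Map.of(
        "kid", "sample-kid", "kty", "RSA", "alg", "RS256", "use", "sig",
        "n", enc.encodeToString(pub.getModulus().toByteArray()),
        "e", enc.encodeToString(pub.getPublicExponent().toByteArray()));
    JwkKeyCache cache = new JwkKeyCache();
    cache.addJwk(jwk);
    byte[] msg = "header.payload".getBytes(StandardCharsets.UTF_8);
    Signature signer = Signature.getInstance("SHA256withRSA");
    signer.initSign(pair.getPrivate());
    signer.update(msg);
    Signature verifier = Signature.getInstance("SHA256withRSA");
    verifier.initVerify(cache.get("sample-kid")); // key rebuilt from n and e only
    verifier.update(msg);
    System.out.println("verified with rebuilt key: " + verifier.verify(signer.sign()));
  }
}
```

Because the key now arrives over the network instead of from a config file, the certs URL should be reached over HTTPS with certificate validation, and a token whose "kid" is not in the cache should be rejected rather than verified with another key.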




Pros and Cons

1. No human effort is required to get sunbird_sso_publickey from the Keycloak server.

2. It will decrease the probability of error during Sunbird server installation.

3. No need to decode the sunbird_sso_publicKey.




Code Changes:

We have to create a class which implements the above concept and fetches the required SSO_PUBLIC_KEY value, and we also have to remove the method named "toPublicKey" in KeyCloakServiceImpl.java (sunbird-utils of sunbird-lms-service).

Further, we have to make the relevant changes in AuthenticationHelper.java, as it uses the same SSO_PUBLIC_KEY value.