JobRunr Pro Enterprise

Single Sign On Authentication

JobRunr Pro's dashboard integrates seamlessly with OpenID

JobRunr Pro Enterprise comes with out-of-the-box Single Sign On (SSO) support, which lets you protect the dashboard from prying eyes. Using the OpenID Connect integration, you can decide which users have access, and multiple roles (readOnly, allowAll, …) are supported.

Please consult our Secure your JobRunr Dashboard with your OpenID Provider guide to get started with JobRunr Pro and your OpenID provider of choice.

Configuration

The following settings can be used to configure JobRunr:

  • Configuration URL—the OpenID configuration URL; e.g. http://localhost:8080/realms/master/.well-known/openid-configuration
  • Client ID—the clientId that is configured in your OpenID Authorization server
  • Client Secret—the client secret that is configured in your OpenID Authorization server
  • Scope—the optional scope; if null the default "openid email profile" will be used
  • Accepted Audience—the optional JWT audience claim passed into the OID provider; it is mapped to a Set<String>, so multiple audiences can be provided

In addition to the JobRunr configuration settings, be sure to configure your OpenID provider to redirect back to the JobRunr Pro dashboard after logging in (see below).

Using a framework

Add properties to your framework configuration:

jobrunr.dashboard.enabled=true
jobrunr.dashboard.openid-authentication.openid-configuration-url="your-well-known-openid-configuration-url"
jobrunr.dashboard.openid-authentication.client-id="client-id"
jobrunr.dashboard.openid-authentication.client-secret="client-secret"
jobrunr.dashboard.openid-authentication.scope="scope"
jobrunr.dashboard.openid-authentication.accepted-audience="my-app"

Using the Fluent API

Inject an instance of a configured OpenIdConnectSettings object into the dashboard configuration:

OpenIdConnectSettings openIdConnectSettings = new OpenIdConnectSettings(
    "your-well-known-openid-configuration-url",
    "client-id",
    "client-secret",
    "scope",
    Set.of("acceptedAudience")
);

JobRunrPro
        .configure()
        // ...
        .useDashboard(usingStandardDashboardConfiguration()
            // ...
            .andAuthentication(new OpenIdConnectAuthenticationProvider(openIdConnectSettings))
        )

OpenID Connect endpoints

JobRunr Pro exposes a callback URI for OpenID to redirect to: /oidc/auth_callback. Set the redirect URI in your OpenID provider to this endpoint to return to the JobRunr dashboard after a successful login.

In addition, you can log out by visiting /oidc/logout. This logs the user out and revokes any active tokens by redirecting to the logout endpoint of the OpenID provider, based on the OpenID configuration URL.
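An offline preflight check for the settings and endpoints described above, added here as an example (it is not JobRunr code). It checks a saved discovery document against the configuration URL, the requested scope, and the logout redirect, and returns the redirect URI to register with the provider. The function name, the dashboard base URL https://jobs.example.com, the sample document, and the use of the standard end_session_endpoint field for the provider's logout endpoint are assumptions.

```python
import json
from urllib.parse import urlsplit

DEFAULT_SCOPE = "openid email profile"  # default the page gives for a null scope
CALLBACK_PATH = "/oidc/auth_callback"   # callback path from the page
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def preflight(config_url, discovery_json, dashboard_base, scope=None):
    """Return (redirect_uri_to_register, findings) for one discovery document."""
    doc = json.loads(discovery_json)
    findings = [f"missing {key}" for key in REQUIRED if not doc.get(key)]
    # OIDC Discovery: the document lives at <issuer>/.well-known/openid-configuration.
    issuer = str(doc.get("issuer", "")).rstrip("/")
    if issuer and issuer + "/.well-known/openid-configuration" != config_url:
        findings.append("issuer does not match configuration URL")
    # Plain http is tolerated only for a local development provider.
    for key, value in doc.items():
        if key == "issuer" or key.endswith(("_endpoint", "_uri")):
            parts = urlsplit(str(value))
            if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
                findings.append(f"{key} is not https")
    requested = (scope or DEFAULT_SCOPE).split()
    if "openid" not in requested:
        findings.append("scope lacks 'openid'")
    supported = set(doc.get("scopes_supported", []))
    if supported:
        findings += [f"scope '{s}' not advertised" for s in requested if s not in supported]
    # Assumption: the provider's logout endpoint is published as end_session_endpoint.
    if not doc.get("end_session_endpoint"):
        findings.append("no end_session_endpoint for /oidc/logout to redirect to")
    return dashboard_base.rstrip("/") + CALLBACK_PATH, findings

# Constructed sample, modelled on the page's local example URL.
LOCAL_URL = "http://localhost:8080/realms/master/.well-known/openid-configuration"
BASE = "http://localhost:8080/realms/master"
LOCAL_DOC = json.dumps({
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
    "end_session_endpoint": BASE + "/protocol/openid-connect/logout",
    "scopes_supported": ["openid", "email", "profile"],
})

if __name__ == "__main__":
    uri, findings = preflight(LOCAL_URL, LOCAL_DOC, "https://jobs.example.com")
    print(uri, findings or "no findings")
```

An empty findings list means the document is consistent with the settings; each finding names the field to fix before pointing JobRunr at the provider.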

Mapping claims to JobRunr authorization rules

By default, JobRunr gives authenticated users the rights to perform any available action on the dashboard. They can view jobs and server statuses, trigger or delete jobs, and pause or resume servers. You can restrict specific user actions (e.g. only viewing, not deleting, …) by mapping claims to JobRunr-specific roles.

See the OpenID Authentication guide on how to implement a custom JobRunrUserProvider to realize these restrictions.