External Security Configuration

Drillbridge supports external user authentication with LDAP, Microsoft Active Directory (MSAD), and OAuth2.

LDAP

Add the following properties to your Drillbridge configuration file:

dtb.ldap.enabled=true
dtb.ldap.type=ldap
dtb.ldap.name=Example LDAP Provider
dtb.ldap.url=ldap://ldap.example.com:636
dtb.ldap.base=dc=example,dc=com
dtb.ldap.user-dn-pattern=uid={0},ou=Users
dtb.ldap.user-dn=
dtb.ldap.password=
dtb.ldap.pooled=false
dtb.ldap.authentication-strategy=none or truststore

Microsoft Active Directory

Add the following properties to your Drillbridge configuration file:

dtb.ldap.enabled=true
dtb.ldap.type=msad
dtb.ldap.name=Example Active Directory
dtb.ldap.domain=example.com
dtb.ldap.url=ldap://ad.example.com:389
dtb.ldap.base=
dtb.ldap.user-dn=
dtb.ldap.password=
dtb.ldap.pooled=false
dtb.ldap.authentication-strategy=none

Create the Oracle OAuth Application

The user interface for Oracle IDCS (and later systems) may vary but the general steps are the same. First, create a "Confidential Application". Give your application a name such as "Drillbridge". The Oracle web interface will create a new application that has a Client ID and a Client Secret.

For the Client Configuration, you must select Client Credentials, Refresh Token, and Authorization Code. Turn on the Allow non-HTTPS URLs only if you need to (e.g. if you have not configured Drillbridge to use HTTPS), otherwise leave it off.

Specify a Redirect URL. This value will be a full URL including the protocol, server name, and an additional path such as http://localhost:9220/login/oauth2/code/oracle. For the Post Logout Redirect URL specify the address to the Drillbridge server, such as http://localhost:9220.

Under Token Issuance Policy, add a Specific authorized resource that points to your Planning servers.

Turn on Access Signing Certificate: Navigate to IDCS → Settings → Default Settings and enable the Access Signing Certificate setting. Additional info at https://stackoverflow.com/questions/61241860/spring-boot-oauth2-and-oracle-idcs-jwk-set-uri-responds-with-401-unauthorized

Configure an Oracle OAuth Provider

Drillbridge provides enhanced support for configuring Oracle identity servers as authorization providers. For Oracle providers, only six properties need to be added to the Drillbridge configuration. An example is as follows:

dtb.security.providers[0].name=Oracle IDCS
dtb.security.providers[0].tenant=52ababaade214afaa94fdcb7ced3d7e3
dtb.security.providers[0].registration-id=oracle
dtb.security.providers[0].type=oracle
dtb.security.providers[0].client-id=3afd5edb786348bc926959032aa556cd
dtb.security.providers[0].client-secret=ed13d3c0-eb24-4196-bf25-cf5dd1a5a940

Security providers are configured with numerical indexes, starting with 0. Additional security providers can be added by copying the configuration and changing all occurrences of 0 to 1 (or whatever the next index is).

The key values are as follows:

name

The display name for the provider; for example, it is shown on the Drillbridge login page.

tenant

The Oracle tenant ID (this is the same value as on your "IDCS" URL)

registration-id

The ID for this provider within Drillbridge; it must be unique for each provider.

type

The type will always be oracle when using the simplified Oracle provider configuration

client-id

The client ID from the application you created to serve as the Drillbridge authorization server

client-secret

The secret that was assigned when you created the app

Configure Drillbridge to use a Generic OAuth Provider

Edit your Drillbridge application.properties file and add/uncomment a new section:

spring.security.oauth2.client.registration.oracle.client-id=
spring.security.oauth2.client.registration.oracle.client-secret=
spring.security.oauth2.client.registration.oracle.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.oracle.redirect-uri=
spring.security.oauth2.client.registration.oracle.scope[]=openid, email
spring.security.oauth2.client.registration.oracle.client-name=Oracle
spring.security.oauth2.client.registration.oracle.provider=oracle

spring.security.oauth2.client.provider.oracle.authorization-uri=
spring.security.oauth2.client.provider.oracle.token-uri=
spring.security.oauth2.client.provider.oracle.user-info-uri=
spring.security.oauth2.client.provider.oracle.jwk-set-uri=
spring.security.oauth2.client.provider.oracle.user-name-attribute=

client-id

The client ID that was assigned when creating the new Oracle authorization application

client-secret

The secret that was generated when creating the new application

authorization-grant-type

Always set to authorization_code

redirect-uri

Set to the redirect URL you set in your Oracle app, such as http://localhost:9220/login/oauth2/code/oracle

scope

Leave set to openid, email

client-name

Leave set to Oracle

provider

Leave as oracle

authorization-uri

https://idcs-TENANT.identity.oraclecloud.com/oauth2/v1/authorize

token-uri

https://idcs-TENANT.identity.oraclecloud.com/oauth2/v1/token

user-info-uri

https://idcs-TENANT.identity.oraclecloud.com/oauth2/v1/userinfo

jwk-set-uri

https://idcs-TENANT.identity.oraclecloud.com/admin/v1/SigningCert/jwk

user-name-attribute

sub

Example Configuration Values For Oracle

The following are examples of configuration values that would be used for an Oracle security configuration:

Redirect URI

The redirect URI can use the special {baseUrl} and {registrationId} variables to make formulating the URI easier, such as {baseUrl}/login/oauth2/code/{registrationId}. Otherwise, a fully defined URI may be like the following: http://localhost:9220/login/oauth2/code/oracle

Authorization URI

https://idcs-TENANT.identity.oraclecloud.com/oauth2/v1/authorize

Token URI

https://idcs-TENANT.identity.oraclecloud.com/oauth2/v1/token

JWK Set URI

https://idcs-TENANT.identity.oraclecloud.com/admin/v1/SigningCert/jwk
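As an added example (not Drillbridge's own code), the following Python reads the simplified dtb.security.providers[N] block from the "Configure an Oracle OAuth Provider" section, checks that the indexes are contiguous and that the six required keys are present and non-empty, and expands each provider into the generic spring.security.oauth2.client properties using the idcs-TENANT endpoints listed above. The sample properties are constructed for this example; the expansion assumes the {baseUrl}/login/oauth2/code/{registrationId} redirect form and the Spring scope key written as scope=openid,email.

```python
import re

IDCS = "https://idcs-{tenant}.identity.oraclecloud.com"
REQUIRED = ("name", "tenant", "registration-id", "type", "client-id", "client-secret")

def parse_providers(text):
    """Group dtb.security.providers[N].key=value lines by provider index N."""
    providers = {}
    for line in text.splitlines():
        m = re.match(r"dtb\.security\.providers\[(\d+)\]\.([\w-]+)=(.*)", line.strip())
        if m:
            providers.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return providers

def validate(providers):
    """Report index gaps (indexes must start at 0 and be contiguous) and missing/empty keys."""
    problems = []
    for expected, idx in enumerate(sorted(providers)):
        if idx != expected:
            problems.append(f"index gap: expected providers[{expected}], found providers[{idx}]")
        for key in REQUIRED:
            if not providers[idx].get(key):
                problems.append(f"providers[{idx}] is missing or has empty '{key}'")
    return problems

def to_spring_properties(p):
    """Expand one simplified Oracle provider into the generic Spring OAuth2 client keys."""
    rid, base = p["registration-id"], IDCS.format(tenant=p["tenant"])
    reg = {"client-id": p["client-id"], "client-secret": p["client-secret"],
           "authorization-grant-type": "authorization_code",
           "redirect-uri": "{baseUrl}/login/oauth2/code/{registrationId}",
           "scope": "openid,email", "client-name": p["name"], "provider": rid}
    prov = {"authorization-uri": base + "/oauth2/v1/authorize",
            "token-uri": base + "/oauth2/v1/token",
            "user-info-uri": base + "/oauth2/v1/userinfo",
            "jwk-set-uri": base + "/admin/v1/SigningCert/jwk",
            "user-name-attribute": "sub"}
    out = {f"spring.security.oauth2.client.registration.{rid}.{k}": v for k, v in reg.items()}
    out.update({f"spring.security.oauth2.client.provider.{rid}.{k}": v for k, v in prov.items()})
    return out

# Constructed sample: the page's provider block plus a defective second entry (index gap, empty secret).
SAMPLE = """\
dtb.security.providers[0].name=Oracle IDCS
dtb.security.providers[0].tenant=52ababaade214afaa94fdcb7ced3d7e3
dtb.security.providers[0].registration-id=oracle
dtb.security.providers[0].type=oracle
dtb.security.providers[0].client-id=3afd5edb786348bc926959032aa556cd
dtb.security.providers[0].client-secret=ed13d3c0-eb24-4196-bf25-cf5dd1a5a940
dtb.security.providers[2].client-secret=
"""
```

Running validate(parse_providers(SAMPLE)) flags the gap at index 1 and the incomplete providers[2] entry, while to_spring_properties on providers[0] yields the twelve properties shown in the generic provider section.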

Troubleshooting

Enable Trace Level Logging

If additional logging is needed to troubleshoot security provider issues, the following line can be added to the Drillbridge configuration file to enable much more verbose logging:

logging.level.org.springframework.security=TRACE

It is not recommended to leave this setting enabled for production systems.