Gluu Cloud Admin UI: Application Architecture - GluuFederation/gluu-admin-ui GitHub Wiki

Overview

Gluu Admin-UI is a graphical user interface for administrators to manage the configuration and other properties of Jans Auth Server. The GUI interacts with Jans Auth Server through a REST API layer called Jans Config Api. It follows a flexible plugin architecture in which new features are added to Admin-UI through extensions called plugins, without altering the application itself.

Admin UI comprises the following components:

  1. Gluu Admin-UI Frontend
  2. Jans Config Api
  3. Jans Authorization Server

Gluu Admin-UI

This is a user-facing GUI developed using React and Redux.

Jans Config Api

Jans Config Api provides read and update access to the configuration properties of Jans Authorization Server. It is a Java-based REST API built on JAX-RS and Weld.

Swagger Specification

Swagger Source

Jans Authorization Server

Jans Authorization Server is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). The project also includes OpenID Connect Client code which can be used by websites to validate tokens. The server currently implements all required aspects of the OpenID Connect stack, including an OAuth 2.0 authorization server, Simple Web Discovery, Dynamic Client Registration, JSON Web Tokens, JSON Web Keys, and User Info Endpoint.

Swagger Specification

Swagger Source

Accessing Gluu Admin UI

  1. When Gluu Admin UI (frontend) is opened in a web browser, it starts the Authorization Code flow and redirects to the login page of the authorization server (jans-auth-server-1) for user authentication.
  2. The authorization server (jans-auth-server-1) authenticates the End-User and obtains the End-User's consent/authorization.
  3. If authentication succeeds, jans-auth-server-1 sends the authorization code and state to the frontend. The frontend verifies the state.
  4. The frontend sends the authorization code to the Admin UI Backend (backend) and requests the user-info JWT (UJWT). Note that the Admin UI Backend is a plugin of jans-config-api.
  5. Using the authorization code, the backend first fetches an access token (AT1) from the token endpoint of the authorization server. It then fetches the UJWT from the authorization server using AT1 and forwards it to the frontend.
  6. The frontend stores the UJWT, or the claims from it, in the redux store.
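The six steps above, carried through as an added Python example (not code from the Gluu or Janssen projects). The classes MockAuthServer, AdminUiBackend and AdminUiFrontend are constructed in-memory stand-ins for jans-auth-server-1, the backend plugin and the React frontend; the UJWT is returned as already-decoded claims so that the example can focus on the two checks a practitioner cares about here: the state must match what the frontend issued, and the authorization code and AT1 are consumed by the backend, never by the browser.

```python
import secrets


class MockAuthServer:
    """Constructed stand-in for jans-auth-server-1: issues single-use codes,
    exchanges a code for AT1, and serves UJWT claims for a valid AT1."""

    def __init__(self):
        self._codes = {}    # authorization code -> subject
        self._tokens = {}   # AT1 -> subject

    def authorize(self, subject, state):
        # Steps 2-3: user authenticated and consented; echo the state back
        code = secrets.token_urlsafe(16)
        self._codes[code] = subject
        return {"code": code, "state": state}

    def token(self, code):
        # Codes are single-use: pop so that a replayed code fails
        subject = self._codes.pop(code, None)
        if subject is None:
            raise PermissionError("invalid or already-used authorization code")
        at1 = secrets.token_urlsafe(24)
        self._tokens[at1] = subject
        return at1

    def userinfo(self, at1):
        subject = self._tokens.get(at1)
        if subject is None:
            raise PermissionError("invalid AT1")
        # Decoded UJWT claims (constructed values); signature handling is out of scope here
        return {"sub": subject, "jansAdminUIRole": ["api-admin"],
                "email": f"{subject}@example.test"}


class AdminUiBackend:
    """Stand-in for the Admin UI backend plugin (step 5)."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def fetch_ujwt(self, code):
        at1 = self.auth_server.token(code)      # AT1 stays on the server side
        return self.auth_server.userinfo(at1)   # UJWT claims go back to the frontend


class AdminUiFrontend:
    """Stand-in for the browser-side frontend: issues and verifies state, stores claims."""

    def __init__(self, backend):
        self.backend = backend
        self.pending_state = None
        self.store = {}   # stands in for the redux store (step 6)

    def start_login(self):
        # Step 1: unguessable, per-session state sent along with the redirect
        self.pending_state = secrets.token_urlsafe(16)
        return self.pending_state

    def handle_callback(self, code, state):
        # Step 3: consume the pending state and reject any callback that does not carry it
        expected, self.pending_state = self.pending_state, None
        if expected is None or not secrets.compare_digest(expected, state):
            raise PermissionError("state mismatch: unsolicited or replayed callback")
        # Step 4: hand the code to the backend and receive the UJWT claims
        claims = self.backend.fetch_ujwt(code)
        self.store["ujwt_claims"] = claims
        return claims


def run_login(subject="admin"):
    """Drive the complete flow and return the claims the frontend stored."""
    auth = MockAuthServer()
    frontend = AdminUiFrontend(AdminUiBackend(auth))
    state = frontend.start_login()
    callback = auth.authorize(subject, state)
    return frontend.handle_callback(callback["code"], callback["state"])


def run_unsolicited_callback():
    """A callback whose state the frontend never issued must be rejected."""
    auth = MockAuthServer()
    frontend = AdminUiFrontend(AdminUiBackend(auth))
    frontend.start_login()
    callback = auth.authorize("admin", "state-not-issued-by-this-frontend")
    try:
        frontend.handle_callback(callback["code"], callback["state"])
    except PermissionError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print(run_login())
    print(run_unsolicited_callback())
```

The frontend clears `pending_state` before comparing, so a second callback with the same state is rejected as well; the mock server pops the code on exchange for the same reason.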

Generating the api-protection token (AT2) and enabling/disabling features at the frontend

  1. The UJWT contains the user's role (jansAdminUIRole) and other claims.
  2. To obtain an api-protection token (AT2), the frontend requests it from the token server (jans-auth-server-2) via the backend.
  3. On jans-auth-server-2 an introspection script is enabled; it validates the UJWT and also holds the role-to-scope mapping.
  4. The introspection script validates the UJWT and includes in AT2 the scopes that correspond to the user's role.
  5. AT2 and its scopes are sent back to the frontend via the backend.
  6. Features at the frontend are enabled or disabled according to the scopes in AT2.
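The decision the introspection script makes in steps 3 and 4, as an added Python example that is not the project's script and does not use the Jans custom-script interface. The UJWT is modelled as an HS256-signed JWT over a constructed shared key (a real deployment would verify against the issuer's JWKS); `ROLE_SCOPE_MAPPING`, `EXPECTED_ISSUER` and the scope names are constructed values. The point shown is that AT2 only becomes active, and only carries scopes, after the UJWT's signature, issuer and expiry have been checked.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared key between the UJWT issuer and the script (demo only)
UJWT_HMAC_KEY = b"constructed-demo-key-not-for-production"
EXPECTED_ISSUER = "https://jans-auth-server-1.example.test"

# Hypothetical role -> scope table; scope names are constructed for this example
ROLE_SCOPE_MAPPING = {
    "api-admin": ["clients.readonly", "clients.write", "scopes.readonly"],
    "api-viewer": ["clients.readonly", "scopes.readonly"],
}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_ujwt(claims, key=UJWT_HMAC_KEY):
    """Issue an HS256 JWT: stand-in for the user-info JWT from jans-auth-server-1."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_ujwt(token, key=UJWT_HMAC_KEY, now=None):
    """Return the claims if algorithm, signature, issuer and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:          # malformed token, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None             # refuse 'none' and any algorithm we did not expect
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims


def introspect_at2(ujwt, now=None):
    """Build the introspection response for AT2: inactive unless the UJWT validates,
    scopes are the union of the scopes mapped from the user's jansAdminUIRole values."""
    claims = validate_ujwt(ujwt, now=now)
    if claims is None:
        return {"active": False}
    roles = claims.get("jansAdminUIRole", [])
    if isinstance(roles, str):
        roles = [roles]
    scopes = sorted({s for role in roles for s in ROLE_SCOPE_MAPPING.get(role, [])})
    if not scopes:
        return {"active": False}   # unknown or missing role: no usable AT2
    return {"active": True, "sub": claims["sub"], "roles": roles, "scope": " ".join(scopes)}


if __name__ == "__main__":
    demo = mint_ujwt({"iss": EXPECTED_ISSUER, "sub": "admin",
                      "jansAdminUIRole": ["api-admin"], "exp": int(time.time()) + 300})
    print(introspect_at2(demo))
```

Roles the mapping does not know yield an inactive token rather than an empty scope list, so a misconfigured role cannot produce an AT2 that looks valid but authorizes nothing.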

Accessing Janssen Config Api endpoints

  1. To access config-api endpoints, the frontend first requests AT2 from jans-auth-server-2 via the backend.
  2. The frontend then sends the request to the config-api endpoint with AT2 in the Authorization header, along with the other request parameters.
  3. At config-api, AT2 is validated and its scopes are checked (the scope required by the endpoint must be present).
  4. If that check succeeds, the result is fetched from jans-auth-server-1 and forwarded to the frontend.
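Steps 2 to 4 from the config-api side, as an added Python example (not the project's own code). `REQUIRED_SCOPES`, the endpoint paths, the scope names and the `INTROSPECTION` results returned for each constructed AT2 value are all made up for this example; `fake_upstream` stands in for the data that would be fetched from jans-auth-server-1. The check distinguishes a missing or inactive AT2 (401) from an active AT2 that lacks the endpoint's scope (403), and only forwards to the upstream after both checks pass.

```python
# Constructed table of required scopes per (method, path); names are illustrative
REQUIRED_SCOPES = {
    ("GET", "/api/v1/openid/clients"): "clients.readonly",
    ("POST", "/api/v1/openid/clients"): "clients.write",
    ("GET", "/api/v1/scopes"): "scopes.readonly",
}

# Constructed introspection results keyed by AT2 value, as the token server would answer
INTROSPECTION = {
    "at2-admin": {"active": True, "scope": "clients.readonly clients.write scopes.readonly"},
    "at2-viewer": {"active": True, "scope": "clients.readonly scopes.readonly"},
    "at2-expired": {"active": False},
}


def introspect(at2):
    """Stand-in for the introspection call to jans-auth-server-2."""
    return INTROSPECTION.get(at2, {"active": False})


def authorize_request(method, path, headers, upstream):
    """Validate AT2 from the Authorization header and enforce the endpoint's scope.
    Returns (status, body): 401 for no usable token, 403 for a token lacking the scope."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return 401, {"error": "invalid_request", "detail": "missing Bearer token"}
    info = introspect(token)
    if not info.get("active"):
        return 401, {"error": "invalid_token"}
    required = REQUIRED_SCOPES.get((method.upper(), path))
    if required is None:
        return 404, {"error": "unknown endpoint"}
    granted = set(info.get("scope", "").split())
    if required not in granted:
        return 403, {"error": "insufficient_scope", "required": required}
    # Only now is the request forwarded to jans-auth-server-1 (step 4)
    return 200, upstream(method, path)


def fake_upstream(method, path):
    """Stand-in for the result fetched from jans-auth-server-1 (constructed)."""
    return {"method": method, "path": path, "items": []}


def call(method, path, token=None):
    """Convenience wrapper: build the headers the frontend would send and run the check."""
    headers = {} if token is None else {"Authorization": f"Bearer {token}"}
    return authorize_request(method, path, headers, fake_upstream)


if __name__ == "__main__":
    print(call("GET", "/api/v1/openid/clients", "at2-admin"))
    print(call("POST", "/api/v1/openid/clients", "at2-viewer"))
    print(call("GET", "/api/v1/scopes", "at2-expired"))
```

Introspection runs before the endpoint lookup, so an inactive token gets 401 regardless of whether the path exists; the 403 body names the missing scope, which is what the frontend uses to explain why a feature is disabled.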

Complete sequence diagram

(Source)

References:

  1. Introspection script
  2. Role-Scope mapping