Admin UI License Registration

[Cookedjc]

Problem:

Today you need to enter fixed values into the License Screen for the Flex UI including:
licenseSpring.apiKey=
licenseSpring.productCode=
licenseSpring.sharedKey=
licenseSpring.managementKey=

And then on a second screen:
license-key

Ideally, the first four values would be obtained from a Gluu API, as these are Gluu credentials.

[duttarnab]

Currently, users need to enter the API key, shared key, product code and license-key in admin-ui for license activation. We need to hide the API key, shared key, product code from the user. The user should be able to activate the license using license-key.

The Solution

1. Every time before calling the licenseSpring APIs, Admin UI backend (config-API plugin) will call the following endpoints of Gluu's Internal Rest Application.

• /licenseSpring/credentials (to get signed and encrypted API key, shared key, product code)
• /licenseSpring/credentials/keys (to get keys to decrypt and verify credentials)

2. We will configure allowed hostnames in Gluu's Internal Rest Application. The requests from the configured hostnames will be only allowed to Gluu's Internal Rest Application

[duttarnab]

Admin-UI team will make FE+BE changes once APIs are ready.

[duttarnab]

Here are the steps to be implemented in admin-ui for getting license credentials from SCAN.

1. During Flex installation if the deployer chooses to install admin-ui then, setup will ask to enter SSA (obtained from SCAN) for license APIs access.
2. setup.py will present the SSA to https://accounts.gluu.org (the SCAN Auth Server) during DCR to obtain client credentials. Setup will save the client credentials in the admin-ui configuration.
3. Admin UI will use the client credentials to call the SCAN License API to obtain the apiKey, productCode, sharedKey, and managementKey.

[nynymike]

You want the user to just paste in the JWT? Perhaps it can be given as a file when you run setup.py, for example --ssa ~/scan_ssa.jwt ?

[duttarnab]

You want the user to just paste in the JWT? Perhaps it can be given as a file when you run the setup, for example --ssa ?

ok noted. Reading SSA jwt (during flex installation) and DCR (i.e. #1 and #2) will be the work of the flex installation script. So @devrimyatar can advise if the installation script can accept the SSA file during installation.

[duttarnab]

Hi @devrimyatar
I think the following work will be done by flex installation script.

1. During Flex installation if the deployer chooses to install admin-ui then, the setup will ask to enter SSA for license API access. the SSA generated will have https://jans.io/oauth/jans-auth-server/config/adminui/license.read scope.
2. setup.py will present the SSA to https://accounts.gluu.org/ (the SCAN Auth Server) during DCR to obtain client credentials. Setup will save the client credentials in the admin-ui configuration (under jansConfApp field).

{"oidcConfig":{
            "authServerClient":{.....},
            "tokenServerClient":{.....}
},
"licenseClientCredential":{"client_id": "xxxxxxx.xxxxxxxx.xxxxxxxxx", "client_secret": "xxxxxxxx.xxxxxxxxxxx.xxxxxxxxxxx"}
}

[duttarnab]

license_api_spec.txt

@soheil-star01, as discussed please find the license APIs specs attached.

[devrimyatar]

@duttarnab Please create a seperate issue for flex_linux_setup

[duttarnab]

@duttarnab Please create a seperate issue for flex_linux_setup

@devrimyatar #766

[duttarnab]

Hi @mjatin-dev

We need to do the following changes to UI 👍

1. When a user fires admin-ui URL, the following screen to collect api-key, shared-key and product-code will not be shown.
   

2. Admin UI will first check if license has been activated for the application using the below endpoint.

GET /admin-ui/license/isActive

Response:

{
  "apiResult": true,
  "responseMessage": "Valid license present.",
  "responseCode": 200
}

3. If responseCode is 200 and apiResult is true then it will redirect to login page.
4. If apiResult is false in response then it will show the screen to get license-key (created before).
5. On entering license-key and clicking of submit button, it will call the below endpoint to activate license-key.
   POST /admin-ui/license/activateLicense
   Request-body

{
  "licenseKey": "string"
}

6. On getting a response with "apiResult": true, it will redirect to the login page.
7. If apiResult in response is false then it will display the message that The entered license-key is not valid.

[duttarnab]

done

[duttarnab]

Done