Single sign-on with EuroSSO – API login and JWT token

Single sign-on with EuroSSO

EuroSSO is a tool for managing user authentication and authorization in web applications. We provide the software along with the EuroAP product, but it can also be used as a standalone server or an extension of other applications.

EuroSSO allows you to manage access to web applications using roles and access rules. The EuroSSO server can be configured to perform many different actions after authentication, such as sending e-mail notifications or performing verification checks. EuroSSO is based on Red Hat® Single Sign-On software, which in turn is based on the Keycloak™ project. It is written in Java and is available as a client application for web browsers and as a library for various programming languages, including Java, JavaScript and Python.

API i JWT – JSON Web Token

One of the main goals of EuroSSO is to facilitate the process of user authentication and authorization in Internet applications. All thanks to the provision of an API that allows integration with other applications. In this article, we will focus on the two main EuroSSO APIs: Login API and JWT.

The EuroSSO login API allows web applications to integrate with the EuroSSO server to authenticate users. It can be used for username and password authentication as well as other authentication methods such as client certificates or SAML tokens.

JWT (JSON Web Token) is a type of authentication token that can be used in web applications. This token consists of three parts:

  • header
  • content
  • signature.

The header contains information on how to encrypt the content of the token. The content includes credentials such as a username or user ID. The signature is used to verify the integrity of the token.

EuroSSO allows you to create and maintain JWT tokens using its API.

JWT tokens can be used in many ways – they fulfill the following roles:

  • user authentication in web applications – the application can check the integrity and authenticity of the token with each request to ensure that the user is authorized to perform certain actions;
  • implementation of Single Sign-On (SSO) between different applications - if the user has been previously authenticated in one application, they can access other applications without having to log in again;
  • integration of EuroSSO with other systems, such as cloud services or mobile applications - they can be sent to other systems as proof of user authentication and enable them to access specific resources or functions;
  • storing additional authentication data, such as the user's role or permissions - the data can then be used by applications to determine the actions that the user is authorized to perform.

Installation of the EuroSSO plus EuroAP package

Now we will perform a quick, test installation of EuroSSO to show how easy and convenient this process is using the package prepared by EuroLinux.

First, we install the required version of OpenJDK:

sudo dnf install -y java-11-openjdk

Then, from the customer portal (at customerportal.euro-linux.com) we download the zip archive of EuroAP with EuroSSO and move it, for example, to the home directory:

mv EuroSSO* ~/

Then unpack it with the command:

unzip EuroSSO-7.6.1.zip

We enter the directory with the binaries:

cd EuroSSO-7.6/bin/

Now we can create an EuroAP server admin user by running add-user.sh, creating our admin username and answering some simple script questions. Below is an example session of creating a new user:

[[email protected] bin]$ ./add-user.sh

What type of user do you wish to add? 
 a) Management User (mgmt-users.properties) 
 b) Application User (application-users.properties)
(a): a 
Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username : euroapadmin
Password recommendations are listed below. To modify these restrictions edit the add-user.properties configuration file.
 - The password should be different from the username
 - The password should not be one of the following restricted values {root, admin, administrator}
 - The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
Password : 
Re-enter Password : 
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: 
About to add user 'euroapadmin' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user 'euroapadmin' to file '/home/vibal/EuroSSO-7.6/standalone/configuration/mgmt-users.properties'
Added user 'euroapadmin' to file '/home/vibal/EuroSSO-7.6/domain/configuration/mgmt-users.properties'
Added user 'euroapadmin' with groups  to file '/home/vibal/EuroSSO-7.6/standalone/configuration/mgmt-groups.properties'
Added user 'euroapadmin' with groups  to file '/home/vibal/EuroSSO-7.6/domain/configuration/mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process? 
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server Jakarta Enterprise Beans calls.
yes/no? no

Then, with the standalone.sh command, run a standalone test server that will start hosting the EuroAP interface on the local host, on port 9990:

EuroAP

and at the same time will be hosting the EuroSSO interface on port 8080:

EuroSSO

Summary

The Keycloak™ project, from which the EuroSSO product is derived, is widely used in a variety of industries, including banking, insurance, retail and healthcare. It is also popular with developers because it is easy to use and offers a wide range of authentication management features. EuroSSO is particularly useful in companies that want to manage access to their web applications for various groups of users, such as employees, business partners or end customers.