Commit 4f12d32

USE_VERIFY_ENDPOINTS=true in README.md
1 parent 7be42c0 commit 4f12d32

1 file changed

Lines changed: 29 additions & 26 deletions

README.md

@@ -209,59 +209,62 @@ mvn exec:java -Dexec.mainClass="com.tesobe.oidc.server.OidcServer"
209209
- Statistics and debugging information (`/stats`)
210210
- Client configuration details (`/clients`)
211211

212-
#### Credential Validation Method
212+
#### Verification Method (Database vs OBP API)
213213

214-
OBP-OIDC supports two methods for validating user credentials:
214+
OBP-OIDC supports two modes for verifying users, clients, and listing providers, controlled by a single env var `USE_VERIFY_ENDPOINTS`:
215215

216-
**1. Database View (Default):** `v_oidc_users`
217-
- Validates credentials directly against the PostgreSQL `v_oidc_users` view
218-
- Requires database access to the OBP user tables
219-
- This is the default and recommended method for most deployments
216+
**1. Database Views (Default):** `USE_VERIFY_ENDPOINTS=false`
217+
- Verifies credentials against the `v_oidc_users` database view
218+
- Verifies clients against the `v_oidc_clients` database view
219+
- Lists providers from the `v_oidc_users` database view
220+
- Requires database access to the OBP user/client tables
220221

221-
**2. OBP API Endpoint:** `validate_credentials_endpoint`
222-
- Validates credentials via the OBP API endpoint `POST /obp/v6.0.0/users/verify-credentials`
222+
**2. OBP API Endpoints:** `USE_VERIFY_ENDPOINTS=true`
223+
- Verifies credentials via `POST /obp/v6.0.0/users/verify-credentials`
224+
- Verifies clients via `GET /obp/v6.0.0/oidc/clients/CLIENT_ID`
225+
- Lists providers via `GET /obp/v6.0.0/providers`
223226
- Useful when you don't want to grant direct database access to OBP-OIDC
224-
- Requires a user with the `CanVerifyUserCredentials` role
227+
- Requires `OBP_API_USERNAME` to have `CanVerifyUserCredentials` and `CanVerifyOidcClient` roles
228+
- When combined with `OIDC_SKIP_CLIENT_BOOTSTRAP=true`, no database connection is needed at all
225229

226230
**Configuration:**
227231

228232
```bash
229-
# Default: Use database view (no configuration needed)
230-
VALIDATE_CREDENTIALS_METHOD=v_oidc_users
233+
# Default: Use database views (no extra configuration needed)
234+
USE_VERIFY_ENDPOINTS=false
231235

232-
# Alternative: Use OBP API endpoint
233-
VALIDATE_CREDENTIALS_METHOD=validate_credentials_endpoint
236+
# Alternative: Use OBP API endpoints
237+
USE_VERIFY_ENDPOINTS=true
234238
OBP_API_URL=http://localhost:8080
235-
OBP_API_USERNAME=admin_user # User with CanVerifyUserCredentials role
239+
OBP_API_USERNAME=admin_user # Needs CanVerifyUserCredentials + CanVerifyOidcClient roles
236240
OBP_API_PASSWORD=admin_password
237241
OBP_API_CONSUMER_KEY=your_consumer_key
238242
```
239243

240244
**Startup Output:**
241245

242-
When using `v_oidc_users`:
246+
When using database views (`USE_VERIFY_ENDPOINTS=false`):
243247
```
244248
Database connection successful. Found X validated users in v_oidc_users view.
245249
...
246-
Credential Validation Method: v_oidc_users (database view)
250+
USE_VERIFY_ENDPOINTS: false
251+
Credential verification: v_oidc_users (database view)
252+
Client verification: v_oidc_clients (database view)
253+
Provider listing: v_oidc_users (database view)
247254
```
248255

249-
When using `validate_credentials_endpoint`:
256+
When using OBP API endpoints (`USE_VERIFY_ENDPOINTS=true`):
250257
```
251-
Skipping v_oidc_users view test (using OBP API for credential validation)
252-
...
253-
OBP API credential verification connection successful. Connected to http://localhost:8080 as admin_user. User has CanVerifyUserCredentials role
254-
...
255-
Credential Validation Method: validate_credentials_endpoint (OBP API)
258+
USE_VERIFY_ENDPOINTS: true
259+
All verification methods use OBP API endpoints
256260
OBP API Username: admin_user
257-
Has CanVerifyUserCredentials Role: Yes
258261
```
259262

260-
**Note:** When using `validate_credentials_endpoint`, the server will fail to start if:
261-
- The OBP API is unreachable
263+
**Note:** When using `USE_VERIFY_ENDPOINTS=true`, the server will retry connecting to the OBP API on startup. It will fail if:
264+
- The OBP API is unreachable after all retry attempts
262265
- The username/password/consumer_key is invalid
263266

264-
The `/info` page (available in Local Development Mode) also displays the current credential validation method, username, and role status.
267+
The `/info` page (available in Local Development Mode) also displays the current verification method, username, and role status.
265268

266269
#### Authentication Provider Dropdown
267270

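Review bot: The failure list in the closing **Note** (new lines 263-265) does not cover a missing role, even though new line 227 now requires `OBP_API_USERNAME` to hold both `CanVerifyUserCredentials` and `CanVerifyOidcClient`. The old startup sample printed `Has CanVerifyUserCredentials Role: Yes`, while the new sample for `USE_VERIFY_ENDPOINTS=true` shows no role line at all, and new line 267 still says `/info` displays "role status". Please add a bullet stating what happens when either role is absent (startup failure, or rejected verification calls at login time), and keep a per-role line in the startup sample so an operator can confirm both roles from the log. Separately, the section drops `VALIDATE_CREDENTIALS_METHOD` without a migration note. A deployment that still sets `VALIDATE_CREDENTIALS_METHOD=validate_credentials_endpoint` cannot tell from this text whether the old variable is still honoured or whether the server falls back to the `USE_VERIFY_ENDPOINTS=false` default and starts expecting database access; one sentence on that would help. Since the sample `OBP_API_URL=http://localhost:8080` now carries client verification and provider listing in addition to user credentials, a short remark that non-local deployments should point it at an `https://` URL would also fit here.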