Hi,
I have a feature request for the 'Topicus KeyHub Credential Entry'
As we are using the rotating password from KeyHub to provision to servers in several domains, I would like to be able to add the domain like it is in the 'Username / Password Credential Entry', so I can make a credential with a rotating password for the different domains.
Kind regards,
Jan Martijn
Hello,
Thank you for your request.
We are currently unsure if this can be achieved through the API provided by Topicus. Also, our license for the product has expired making us unable to test for now.
We will ask the contact we have with their company if this is something that can be done and keep you updated as soon as we have new information.
Regards,
Michaël Beaudin
Hi Michaël,
Your contact is my colleague :) I don't think we need the KeyHub API for this as we don't have a domain parameter in the vault record or the rotating password record. So I am looking for a way to add a domain in the RDM credential entry.
The RDM username / password credential has an option for it. So I was hoping this parameter could be added in the KeyHub credential.
Kind regards,
Jan Martijn
Hello Jan,
I had already sent a message to your colleague and this is what he has sent me :
Starting with KeyHub 18.1, it is actually possible to get the different login names a user might have on different systems. The rotating password that you read from KeyHub is used to create accounts on provisioned systems. These systems can be LDAP or Active Directory. Usually the username on these systems matches the KeyHub username, but it is possible that for a specific system a prefix is added to the name. If you send a GET request to
/keyhub/rest/v1/system?active=TRUE&additional=loginName
You will get a list of all provisioned systems, with the corresponding loginName for the current user. For an Active Directory this will be the UPN in the form username@domain. As far as I know, this should work when logging on to a Windows server. Perhaps you can have the user select one of these login names from a drop down (you might want to include the username you currently use as well)? You will need to get an OAuth2 token with the scope 'provisioning' if you do not already use that.
Is this what you wanted or do you still want to have an additional textbox in the properties of a Topicus credential entry where you can type whichever domain you want by hand and have it always be that domain for that specific entry?
Regards,
Michaël Beaudin
Hi Michaël,
Emond's suggestion for the drop down in the credential would be great.
Kind regards,
Jan Martijn
Hello Jan,
Good, we will do that then. I will add this to our TODO list and keep you updated on the progress.
Regards,
Michaël Beaudin
Hi Michaël,
Thanks a lot!
Kind regards,
Jan Martijn
Hello Jan,
I have been trying to contact Emond about this feature but have not received an answer for a while.
Is Emond still the person I should contact if I have any questions related to this feature's implementation or is there a new person I should message?
Best Regards,
Michaël Beaudin
Hi Michael,
He is still the right person. I've notified him. He will contact you.
Thanks for reaching out.
Kind regards,
Jan Martijn
Hello Jan,
The latest release of RDM (2022.2.13) has a new setting "Login name" when you are using the "Rotating password" mode. This setting has a refresh button on the right side which should fill a combobox with all your login names from the different domains. Selecting a login name will enforce it as the username of that Topicus credential entry.
Please do let me know if everything works as was intended and if the labels would be clear enough for the Topicus users as I wasn't too certain how to name them.
Best Regards,
Michaël Beaudin
Hi Michael,
Thanks. This is working great. One remark however: when revoking the scope for RDM from KeyHub, RDM doesn't seem to ask for a new token with the new scope right away. There's no error message either. Possibly because there's still a valid token with the old scope? Restarting RDM fixes this.
Kind regards,
Jan Martijn
Hello Jan,
Before we get working on this, would it be possible to provide a screenshot or some explanations as to how you revoke the scope just to make sure we are working on the proper issue?
Best Regards,
Michaël Beaudin
Hi Michaël,
The issue Jan Martijn is describing actually consists of 2 different problems. The first one being caused by a misconfiguration in KeyHub and the second one caused by RDM not responding correctly on revoked access tokens.
To reproduce the first problem, exit RDM and open the OIDC application for RDM in KeyHub. There you can find the 'Allowed scopes' option. Uncheck 'Activate linked systems' and save the application. Next, open your profile (user icon in the bottom-left corner) and open the 'Applications' tab. Find RDM and revoke all permissions. Now, start RDM and try to read the usernames. You will be prompted to give consent for 2 scopes (the 3rd scope will be ignored because of the misconfiguration). RDM will get an access token for these 2 scopes and the call for the usernames will fail. RDM can detect this in the token response, because it contains a 'scope' parameter with a missing scope. It would be very nice if RDM could display a message hinting the user at this configuration issue.
The second problem can be triggered very easily. Make sure RDM is running and configured correctly in KeyHub and you can read data from KeyHub. Now, go to your profile again and revoke the permissions the same way as above. This will immediately invalidate the access token held by RDM. When RDM tries to use this token again, it will get a 403 from KeyHub. This should be a trigger to RDM to acquire a new access token.
Best regards,
Emond
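The following is an added example, not code from RDM or from Topicus, that puts the thread's three technical points into one small client: the login-name lookup Emond suggested (GET /keyhub/rest/v1/system?active=TRUE&additional=loginName with a token carrying the 'provisioning' scope, plus the current username in the list), the scope check on the token response that would catch the 'Allowed scopes' misconfiguration, and discarding a cached token on a 403 so a revoked token is replaced without restarting the client. The network is replaced by a constructed in-memory fake. Assumed rather than taken from the thread: that the token response carries RFC 6749's optional 'scope' field, the JSON shape of the system list ({"items": [{"name": ..., "loginName": ...}]}), and the scope names other than 'provisioning'.

```python
"""Login-name lookup, token-scope check and 403 re-acquisition for a KeyHub client.

Added example, not RDM's or Topicus' code; FakeKeyHub is a constructed stand-in.
Assumed: the token response's 'scope' field, the {"items": [...]} list shape,
and every scope name except 'provisioning'.
"""
from dataclasses import dataclass, field

SYSTEM_PATH = "/keyhub/rest/v1/system?active=TRUE&additional=loginName"
REQUESTED_SCOPES = ("openid", "profile", "provisioning")  # only 'provisioning' is from the thread


class ScopeMisconfiguration(Exception):
    """KeyHub granted fewer scopes than were requested (Emond's first problem)."""


def missing_scopes(token_response, requested=REQUESTED_SCOPES):
    """Compare the 'scope' field of a token response with what was requested."""
    granted = set(token_response.get("scope", "").split())
    return [s for s in requested if s not in granted]


@dataclass
class FakeKeyHub:
    """Constructed stand-in for KeyHub's token endpoint and REST API."""
    allowed_scopes: set = field(default_factory=lambda: set(REQUESTED_SCOPES))
    systems: list = field(default_factory=list)
    token_requests: int = 0
    _tokens: dict = field(default_factory=dict)  # access token -> granted scopes

    def token(self, scopes):
        # Scopes unchecked under the OIDC application's 'Allowed scopes' are
        # silently dropped; the response's 'scope' field is the only hint.
        self.token_requests += 1
        granted = {s for s in scopes if s in self.allowed_scopes}
        tok = f"token-{self.token_requests}"
        self._tokens[tok] = granted
        return {"access_token": tok, "token_type": "Bearer", "scope": " ".join(sorted(granted))}

    def revoke_all(self):
        """The user revoking RDM under Profile > Applications: tokens die at once."""
        self._tokens.clear()

    def get(self, path, token):
        granted = self._tokens.get(token)
        if granted is None or "provisioning" not in granted:
            return 403, {}  # revoked token, or token lacking the needed scope
        if path == SYSTEM_PATH:
            return 200, {"items": list(self.systems)}
        return 404, {}


class KeyHubClient:
    """Caches one access token; re-acquires it on 403 instead of failing silently."""

    def __init__(self, server, scopes=REQUESTED_SCOPES):
        self.server, self.scopes, self._token = server, scopes, None

    def acquire_token(self):
        resp = self.server.token(self.scopes)
        missing = missing_scopes(resp, self.scopes)
        if missing:
            raise ScopeMisconfiguration(
                "token granted without scope(s) %s; check 'Allowed scopes' on the "
                "RDM OIDC application in KeyHub" % ", ".join(missing))
        self._token = resp["access_token"]
        return self._token

    def get(self, path):
        if self._token is None:
            self.acquire_token()
        status, body = self.server.get(path, self._token)
        if status == 403:
            # Emond's second problem: treat 403 as "token revoked", fetch a new one, retry once.
            self._token = None
            self.acquire_token()
            status, body = self.server.get(path, self._token)
        if status != 200:
            raise RuntimeError(f"GET {path} returned HTTP {status}")
        return body

    def login_names(self, current_username):
        """Dropdown contents: the current username first, then each system's loginName."""
        names = [current_username]
        for system in self.get(SYSTEM_PATH).get("items", []):
            login = system.get("loginName")
            if login and login not in names:
                names.append(login)
        return names


def demo():
    """Run the three scenarios from the thread against the fake server."""
    server = FakeKeyHub(systems=[  # constructed sample data, not real KeyHub output
        {"name": "AD corp", "loginName": "jan@corp.example"},
        {"name": "AD lab", "loginName": "jan@lab.example"},
        {"name": "LDAP", "loginName": "jan"},
    ])
    client = KeyHubClient(server)
    first = client.login_names("jan")
    server.revoke_all()                       # user revokes RDM's permissions
    after_revoke = client.login_names("jan")  # 403 -> new token -> same answer
    try:
        KeyHubClient(FakeKeyHub(allowed_scopes={"openid", "profile"})).acquire_token()
        misconfig = None
    except ScopeMisconfiguration as exc:
        misconfig = str(exc)
    return {"names": first, "after_revoke": after_revoke,
            "token_requests": server.token_requests, "misconfig": misconfig}


if __name__ == "__main__":
    print(demo())
```

The retry in `get` is deliberately limited to one re-acquisition: if the fresh token still gets a 403, the cause is not a revoked token but a scope or permission problem, and looping would only hide it. Checking the 'scope' field at token time, rather than waiting for the REST call to fail, is what lets the client point the user at the 'Allowed scopes' setting instead of reporting a bare failure.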