The most recent patch for this version is 26.1.1.

Version: 26.1

ADS integrations

To integrate Access Decision Service (ADS) with either Axiomatics Services Manager (ASM) or the Authorization Hub, you must configure ADS to retrieve its authorization domain configuration file from the respective service. This is achieved by first preparing ASM or the Authorization Hub to provide the domain and then updating your ADS deployment configuration.

Preparation

Switch between the tabs to view the specific configuration steps for your chosen service.

  1. Configure an authorization domain in an ASM project

    Learn how to manage authorization domain configurations in the Domain management section of the ASM documentation.

  2. Configure Keycloak

    Set up the Keycloak client to provide authentication access to ADS, following the instructions provided in the Configure Keycloak for ADS section of the ASM documentation.

Deployment configuration

Update your deployment.yaml file to point to the remote HTTP/HTTPS endpoint and configure the appropriate authentication as follows:

  1. Set the domain path

    Set the path under the domain section to the HTTP/HTTPS URL of your ASM or Authorization Hub endpoint.

    Note: Spaces in domain names should be URL-encoded as %20. For example, Project 1 becomes Project%201 to ensure proper interpretation by the server.

    path: https://<hostname>/adm/api/namespaces/Project%201/names/mydomain/domain.yaml

    Domain path example with URL encoding

  2. Configure authentication

    ADS requires client credentials to request the domain configuration from ASM or the Authorization Hub. Under the domain.authentication section, configure OAuth2 authentication:

    1. Specify an oauth2ClientId under domain.authentication.

    2. Add the corresponding OAuth2 properties (client-id, client-secret, scope, authorization-grant-type, and token-uri) under the spring.security.oauth2.client section.

      Tip: Axiomatics recommends using environment variables to protect sensitive information like your client secret.

  3. Configure TLS

    Secure communications between ADS and your chosen service by incorporating Transport Layer Security (TLS):

    1. Define a tlsConfigurationId (for example, admBundle) in the domain.authentication section.

    2. Provide the secure connection settings by adding the keystore (location, password, type) and truststore (location, password, type) properties under spring.ssl.bundle.jks.

      ADS supports both basic TLS with a KeyStore for client authentication and TLS with client certificates.

    Tip: As an alternative to defining a Spring TLS bundle, you can configure TLS trust at the JVM level by passing truststore properties as JVM startup arguments. Read the (Authentication) TLS options section for details.

deployment.yaml
# ADS configuration for integration with ASM or the Authorization Hub

license: file:<path_to_file>/axiomatics_ADS.license

domain:
  # For ASM or the Authorization Hub, set this to the HTTP/HTTPS endpoint URL (see "Set the domain path").
  path: file:<path_to_file>/domain.yaml
  authentication:
    oauth2ClientId: adm-client
    tlsConfigurationId: admBundle

spring:
  security:
    oauth2:
      client:
        registration:
          adm-client:
            client-id: <your_client_id>
            client-secret: ${OAUTH_CLIENT_SECRET}
            scope: openid # Defines the scope of access requested by the client.
            authorization-grant-type: <your_grant_type>
            provider: adm-client
        provider:
          adm-client:
            # Uncomment the line for either ASM or the Hub. Do NOT uncomment both.
            # token-uri: https://<asm-hostname>/auth/realms/asm/protocol/openid-connect/token
            # token-uri: https://<hub-hostname>/auth/realms/hub/protocol/openid-connect/token
  ssl:
    bundle:
      jks:
        admBundle:
          keystore:
            location: file:<path_to_keystore.jks> # Or .p12 for PKCS12
            password: ${KEYSTORE_PASSWORD}
            type: JKS # Replace with PKCS12 depending on the keystore type used
          truststore:
            location: file:<path_to_truststore.jks>
            password: ${TRUSTSTORE_PASSWORD}
            type: JKS # Replace with PKCS12 depending on the keystore type used
Important: Replace the placeholders with your values.
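A pre-deployment check for the cross-references and secret handling described above, as an added example that is not Axiomatics code. It assumes deployment.yaml has already been parsed into a Python mapping by a YAML loader of your choice; `dig`, `lint_deployment` and the `asm.example.test` hostname are hypothetical names constructed for illustration.

```python
import re
from urllib.parse import urlsplit
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")  # e.g. ${OAUTH_CLIENT_SECRET}
CLIENT = "spring.security.oauth2.client"

def dig(cfg, dotted):  # walk nested dicts by dotted key path; None if any level is missing
    for key in dotted.split("."):
        cfg = cfg.get(key) if isinstance(cfg, dict) else None
    return cfg

def lint_deployment(cfg):
    """Return findings for an already-parsed deployment.yaml mapping."""
    findings = []
    path = str(dig(cfg, "domain.path") or "")
    scheme = urlsplit(path).scheme
    if scheme not in ("http", "https"):
        findings.append("domain.path is not an HTTP/HTTPS URL")
    elif scheme == "http":
        findings.append("domain.path uses plain http instead of https")
    if " " in path:
        findings.append("domain.path contains a raw space; encode it as %20")
    # oauth2ClientId must name a registration, which must name a provider.
    client_id = dig(cfg, "domain.authentication.oauth2ClientId")
    reg = dig(cfg, f"{CLIENT}.registration.{client_id}")
    if not isinstance(reg, dict):
        findings.append(f"no client registration named {client_id!r}")
    else:
        if not ENV_REF.match(str(reg.get("client-secret", ""))):
            findings.append("client-secret is not an environment variable reference")
        provider = dig(cfg, f"{CLIENT}.provider.{reg.get('provider')}") or {}
        if not str(provider.get("token-uri", "")).startswith("https://"):
            findings.append("provider has no https token-uri")
    # tlsConfigurationId is optional (JVM-level trust), but if set it must resolve.
    bundle_id = dig(cfg, "domain.authentication.tlsConfigurationId")
    if bundle_id is not None:
        bundle = dig(cfg, f"spring.ssl.bundle.jks.{bundle_id}")
        if not isinstance(bundle, dict):
            findings.append(f"no spring.ssl.bundle.jks entry named {bundle_id!r}")
        for store in ("keystore", "truststore"):
            pw = dig(bundle, f"{store}.password")
            if pw is not None and not ENV_REF.match(str(pw)):
                findings.append(f"{store} password is a literal value")
    return findings

# Constructed sample: raw space in path, literal secret, misspelled bundle id.
BAD = {"domain": {"path": "https://asm.example.test/adm/api/namespaces/Project 1/names/mydomain/domain.yaml",
                  "authentication": {"oauth2ClientId": "adm-client", "tlsConfigurationId": "admBundel"}},
       "spring": {"security": {"oauth2": {"client": {
           "registration": {"adm-client": {"client-secret": "s3cr3t", "provider": "adm-client"}},
           "provider": {"adm-client": {"token-uri": "https://asm.example.test/auth/realms/asm/protocol/openid-connect/token"}}}}},
           "ssl": {"bundle": {"jks": {"admBundle": {}}}}}}
```

Calling `lint_deployment(BAD)` reports the raw space, the literal client secret and the unresolved TLS bundle id; an empty list means every reference resolves and every secret is an environment variable placeholder.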