Configure Scoring Agent Authentication
Only one authentication method should be enabled at a time!
Regardless of how you install the endpoint infrastructure, the Scoring Agent natively supports multiple methods of authentication:
- Basic Auth
- OAuth2
To enable a specific authentication method, set the Scoring Agent's environment variable SPRING_DEFAULT_PROFILES. For example, to use Basic Auth, set SPRING_DEFAULT_PROFILES=basic; to use OAuth2, set SPRING_DEFAULT_PROFILES=oauth2.
Basic Auth
To use the Basic Auth method, set SPRING_DEFAULT_PROFILES=basic to enable it.
In addition, the following environment variables can be used to further define the authentication's behavior.
Property | Description | Example |
---|---|---|
SPRING_SECURITY_BASIC_PATH | Define which endpoints of the RTS are being secured with a path pattern. | To secure only my-first-deployment and all admin routes, use /services/my-first-deployment/**,/admin/** . To secure all endpoints use /** |
SPRING_SECURITY_USER_NAME | Define the username for this authentication method. | myUser |
SPRING_SECURITY_USER_PASSWORD | Define the password for this authentication method. | superSecurePassword |
OAuth
To use the OAuth2 method, set SPRING_DEFAULT_PROFILES=oauth2 to enable it.
In addition, the following environment variables can be used to further define the authentication's behavior. All OAuth2 properties are exposed by the application and can be set via SPRING_SECURITY.OAUTH2.<propertyName>. For a full reference, please visit Spring Boot's security custom user information client documentation.
Property | Description | Example |
---|---|---|
SPRING_SECURITY_OAUTH2_PATH | Define which endpoints of the RTS are being secured with a path pattern. | To secure only my-first-deployment and all admin routes, use /services/my-first-deployment/**,/admin/** . To secure all endpoints use /** |
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_AUDIENCES | Define a list of audiences, which the incoming JWT must match in its aud property. | account,rapidminer-scoring-agent |
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI | Define the OpenID Connect endpoint for user verification. | https://id.yourdomain.tld/auth/realms/testRealm |
Although Identity Providers allow assigning attributes like roles to specific users or groups, RTS OAuth2 integration is a global setting. This means that specific RTS endpoints cannot be secured depending on additional user information like their role.
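A preflight check for the settings above, run in the shell that will start the Scoring Agent. This is an added example and not part of the product or its documentation. The function name check_agent_auth is hypothetical, and the https requirement, the rejection of the sample password and the cross-profile checks are assumptions about good practice rather than documented agent behavior.

```shell
#!/bin/sh
# Added example: preflight check for the Scoring Agent auth variables.
# Returns 0 when the settings are consistent, 1 otherwise; findings go to stderr.
check_agent_auth() {
  rc=0
  fail() { echo "FAIL: $1" >&2; rc=1; }
  warn() { echo "WARN: $1" >&2; }

  case "${SPRING_DEFAULT_PROFILES:-}" in
    basic)
      path="${SPRING_SECURITY_BASIC_PATH:-}"
      [ -n "${SPRING_SECURITY_USER_NAME:-}" ] || fail "SPRING_SECURITY_USER_NAME is empty"
      case "${SPRING_SECURITY_USER_PASSWORD:-}" in
        "") fail "SPRING_SECURITY_USER_PASSWORD is empty" ;;
        superSecurePassword) fail "password is the documentation's sample value" ;;
      esac
      # Leftover OAuth2 settings usually mean the wrong profile is active.
      [ -z "${SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI:-}" ] ||
        fail "OAuth2 issuer is set but the active profile is basic"
      ;;
    oauth2)
      path="${SPRING_SECURITY_OAUTH2_PATH:-}"
      # Assumption: require https, as OpenID Connect issuer identifiers do.
      case "${SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI:-}" in
        https://?*) ;;
        *) fail "SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI must be an https URL" ;;
      esac
      [ -n "${SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_AUDIENCES:-}" ] ||
        fail "no audience configured for the aud check"
      [ -z "${SPRING_SECURITY_USER_PASSWORD:-}" ] ||
        fail "Basic Auth password is set but the active profile is oauth2"
      ;;
    *)
      # Covers unset, unknown, and combined values such as "basic,oauth2".
      fail "SPRING_DEFAULT_PROFILES must be exactly 'basic' or 'oauth2'"
      return 1
      ;;
  esac

  # Per the tables above, only endpoints matching the pattern are secured.
  case "$path" in
    "/**") ;;
    "") warn "no path pattern set; set it explicitly instead of relying on a default" ;;
    *) warn "only '$path' is secured; endpoints outside it are not covered" ;;
  esac
  return "$rc"
}
```

Call it after exporting the variables and before starting the agent; a non-zero return should block the deployment step.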