OpenID Connect Provider1.0
This feature enables web applications to integrate OpenID Connect Server 1.0 for authenticating users instead of, or in addition to, the configured user registry.
The OpenID Connect (OIDC) feature is one of the several features that enables Single sign-on (SSO) in Open Liberty. With the OpenID Connect feature, you can authenticate users without the need to manage user credentials. You can configure Open Liberty to act as an OpenID Connect provider. With this configuration, users need to authenticate only once to access Open Liberty resources such as HTML, JavaServer Pages (JSP) files, and servlets. Users can also access resources in multiple Open Liberty servers that share Lightweight Third Party Authentication (LTPA) keys. This configuration is useful during development; when deployed into production in the cloud, applications typically use a cloud-hosted SSO provider such as Google.
Enabling this feature
To enable the OpenID Connect Provider 1.0 feature, add the following element declaration into your
server.xml file, inside the
Managing OAuth clients with local store
The following example shows how to create a basic configuration to run an OpenID Connect Provider. The example uses the basic user registry to manage a single user that is defined in the server configuration.
<keyStore id="defaultKeyStore" password="keyspass" /> <basicRegistry id="basic" realm="customRealm"> <user name="demouser" password="demopassword" /> </basicRegistry> <openidConnectProvider id="OP" oauthProviderRef="OAuth" signatureAlgorithm="RS256" keyStoreRef="defaultKeyStore" jwkEnabled="true"> </openidConnectProvider> <oauthProvider id="OAuth" tokenFormat="mpjwt" > <localStore> <client displayname="RP" enabled="true" name="RP" secret="thesecret" scope="openid profile email" preAuthorizedScope="openid profile email"> <redirect>https://localhost:19443/oidcclient/redirect/RP</redirect> </client> </localStore> </oauthProvider> <oauth-roles> <authenticated> <special-subject type="ALL_AUTHENTICATED_USERS" /> </authenticated> </oauth-roles>
In the example, the
openidConnectProvider element is configured to use the
oauthProvider attribute that refers to the
id of the OAuth provider.
signatureAlgorithm attribute specifies the RS256 signature algorithm that is used to sign the ID token.
jwkEnabled attribute that is set to
true indicates that the OpenID Connect provider supports JSON Web Keys (JWK).
The OpenID Connect provider generates a JSON Web Key by using the certificate in the keystore that is referenced by the
The generated JSON Web Key is used to sign ID tokens.
OpenID Connect clients can contact the provider JWK endpoint to retrieve the corresponding signing key to verify the signatures of ID tokens that are issued by the provider.
The example configuration uses a
localStore element to store the client data and token status.
Client data and token status are held in memory, which works for test and development purposes.
However, storing client data and token status in memory is not suitable for production purposes, as reconfiguring the server might clear the local store.
In production environments, client data and token status are stored in a database instead of a local store.
Add users and groups to the clientManager role
The following example shows how to add individual users and groups to the
<oauth-roles> <clientManager> <user name="testuser" /> <group name="oidcadmin" /> </clientManager> <oauth-roles>
Users in the
clientManager role can add or modify clients by accessing the registration endpoint.
In the example, the
clientManager role is granted to the
testuser user or members of the