OpenID Connect Provider
1.0

This feature enables web applications to integrate OpenID Connect Server 1.0 for authenticating users instead of, or in addition to, the configured user registry.

The OpenID Connect (OIDC) Provider feature is one of the several features that enables Single sign-on (SSO) in Open Liberty. With this feature, you can authenticate users without the need to manage user credentials. You can configure Open Liberty to act as an OpenID Connect provider. With this configuration, users need to authenticate only once to access Open Liberty resources such as HTML, JavaServer Pages (JSP) files, and servlets. Users can also access resources in multiple Open Liberty servers that share Lightweight Third Party Authentication (LTPA) keys. This configuration is useful during development; when deployed into production in the cloud, applications typically use a cloud-hosted SSO provider such as Google.

Enabling this feature

To enable the OpenID Connect Provider 1.0 feature, add the following element declaration into your server.xml file, inside the featureManager element:

<feature>openidConnectServer-1.0</feature>

Examples

Managing OAuth clients with local store

The following example shows how to create a basic configuration to run an OpenID Connect Provider. The example uses the basic user registry to manage a single user that is defined in the server configuration.

<keyStore id="defaultKeyStore" password="keyspass" />

<basicRegistry id="basic" realm="customRealm">
    <user
      name="demouser"
      password="demopassword" />
</basicRegistry>

<openidConnectProvider id="OP"
    oauthProviderRef="OAuth"
    signatureAlgorithm="RS256" keyStoreRef="defaultKeyStore"
    jwkEnabled="true">
</openidConnectProvider>

<oauthProvider id="OAuth" tokenFormat="mpjwt" >
    <localStore>
      <client displayname="RP" enabled="true"
            name="RP" secret="thesecret"
            scope="openid profile email"
            preAuthorizedScope="openid profile email">
            <redirect>https://localhost:19443/oidcclient/redirect/RP</redirect>
      </client>
    </localStore>
</oauthProvider>

<oauth-roles>
    <authenticated>
        <special-subject type="ALL_AUTHENTICATED_USERS" />
    </authenticated>
</oauth-roles>

In the example, the openidConnectProvider element is configured to use the oauthProvider attribute that refers to the id of the OAuth provider. The signatureAlgorithm attribute specifies the RS256 signature algorithm that is used to sign the ID token. The jwkEnabled attribute that is set to true indicates that the OpenID Connect provider supports JSON Web Keys (JWK). The OpenID Connect provider generates a JSON Web Key by using the certificate in the keystore that is referenced by the keyStoreRef attribute. The generated JSON Web Key is used to sign ID tokens. OpenID Connect clients can contact the provider JWK endpoint to retrieve the corresponding signing key to verify the signatures of ID tokens that are issued by the provider.

The example configuration uses a localStore element to store the client data and token status. Client data and token status are held in memory, which works for test and development purposes. However, storing client data and token status in memory is not suitable for production purposes, as reconfiguring the server might clear the local store. In production environments, client data and token status are stored in a database instead of a local store.

Add users and groups to the clientManager role

The following example shows how to add individual users and groups to the clientManager role:

<oauth-roles>
  <clientManager>
     <user name="testuser" />
     <group name="oidcadmin" />
  </clientManager>
<oauth-roles>

Users in the clientManager role can add or modify clients by accessing the registration endpoint. In the example, the clientManager role is granted to the testuser user or members of the oidcadmin group.

Feature configuration elements

Liberty API packages provided by this feature

  • com.ibm.websphere.security.openidconnect

Features that this feature enables

Supported Java versions

  • JavaSE-1.8

  • JavaSE-11.0

  • JavaSE-17.0

  • JavaSE-20.0

Developing a feature that depends on this feature

If you are developing a feature that depends on this feature, include the following item in the Subsystem-Content header in your feature manifest file.

com.ibm.websphere.appserver.openidConnectServer-1.0; type="osgi.subsystem.feature"