Social Media Login1.0
The Social Media Login feature provides a form of single sign-on (SSO) that enables users to sign in to a secured website by using their existing social media account.
For example, you can configure the Social Login feature so that users can log in to your website with their Facebook or Twitter accounts instead of having to create an account specifically for your website. You can enable the Social Login feature for any social media platform that uses the OAuth 2.0 or OpenID Connect 1.0 standard for authorization.
Enabling this feature
To enable the Social Media Login 1.0 feature, add the following element declaration into your server.xml
file, inside the featureManager
element:
<feature>socialLogin-1.0</feature>
Examples
The Social Media Login feature provides a set of built-in configuration elements for popular social media providers, in addition to generic configuration elements. The following examples show how to configure different scenarios in the server.xml
file.
Request login with a social media ID
If multiple social media providers are configured, a customizable selection form is presented. The user can then sign in with a social media provider of their choice. The following example shows how to configure your application to request that the user logs in with their Google ID. In this example, your_app_id
and your_app_secret
are the Google client ID and client secret credentials for the formlogin
application.
<googleLogin clientId="your_app_id" clientSecret="your_app_secret" />
<!-- protected applications need to have a security constraint defined -->
<application type="war" id="formlogin" name="formlogin" location="server1/apps/formlogin.war">
<application-bnd>
<security-role name="Employee">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
</application>
Provide a choice of social media providers to the user
You can configure multiple social media providers for users to choose from. The user receives a customizable selection form before authentication with the available providers included on the form. The following example includes a choice of Google, GitHub, Facebook, LinkedIn, and Twitter:
<googleLogin clientId="your_app_id" clientSecret="your_app_secret" />
<githubLogin clientid="your_app_id" clientSecret="your_app_secret" />
<facebookLogin clientId="your_app_id" clientSecret="your_app_secret" />
<linkedinLogin clientId="your_app_id" clientSecret="your_app_secret" />
<twitterLogin consumerKey="your_app_id" consumerSecret="your_app_secret"/>
<!-- protected applications need to have a security constraint defined -->
<application type="war" id="formlogin" name="formlogin" location="server1/apps/formlogin.war">
<application-bnd>
<security-role name="Employee">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
</application>
Require authenticated users to also be present in the configured registry
You can restrict the presentation of a social media provider to only users who are also in another configured registry. For example, use the mapToUserRegistry
attribute to configure your application. The user must authenticate through Google and also verify as an existing user in the company LDAP registry:
<googleLogin mapToUserRegistry="true" clientId="your app id" clientSecret="your app secret" />
<ldapRegistry ...> ... </ldapRegistry>
For more information on configuring an LDAP registry, see the LDAP User Registry feature.
Request login with a social media ID or with their account for the configured registry
You can give users the option of logging in with either a social media provider or with their account on the configured registry. For example, use the enableLocalAuthentication
attribute to configure your application so that users can log in with a Google ID or with their account on their company’s LDAP registry:
<!-- The user is given a choice menu of either Google or LDAP -->
<googleLogin clientId="your app id" clientSecret="your app secret" />
<socialLoginWebapp enableLocalAuthentication="true">
<ldapRegistry id="ldap" ...> ... </ldapRegistry>
Request login with a social media ID for only a subset of applications, URLs, browsers, or IP addresses
To protect only a subset of applications, URLs, or IP addresses, use an authentication filter. The security configuration takes effect only when the conditions in the filter are met. For example, you might want a web application to be secured with the Social Media Login feature and a microservice application to be secured with the MicroProfile JWT feature. In the following example, only requests that contain the /mywebapp
URL pattern are secured with Google credentials:
<googleLogin authFilterRef="authFilter1" clientId="your app id" clientSecret="your app secret" />
<authFilter id="authFilter1">
<requestUrl
id="myUrlFilter"
urlPattern="/mywebapp"
matchType="contains" />
</authFilter>
For more information, see the authFilter element.
Provide other social media logins as options to the user
To authenticate with a social media provider that isn’t preconfigured with Open Liberty, use the oauth2Login element for OAuth providers or the oidcLogin element for OpenID Connect providers. These elements supply the configuration details that are needed to work with the provider. The details can usually be obtained from the developer instructions of the social media provider. The following example configures Instagram as the social media provider:
<oauth2Login id="instagramLogin" clientId="client_id" clientSecret="client_secret"
scope="basic public_content" responseType="code"
tokenEndpointAuthMethod="client_secret_post"
authorizationEndpoint="https://api.instagram.com/oauth/authorize"
tokenEndpoint="https://api.instagram.com/oauth/access_token"
userApi="https://api.instagram.com/v1/users/self"
userNameAttribute="username"
website="https://www.instagram.com/developer/authentication/">
</oauth2Login>
Use OpenShift service accounts to authenticate and authorize protected resource requests
The Social Media Login feature can be configured to use OpenShift service accounts to authenticate and authorize protected resource requests. With this configuration, server administrators can secure endpoints, for example, monitoring and metrics endpoints, that might produce sensitive information. The service accounts can authenticate themselves by providing a service account token that was created within the OpenShift cluster in the request.
The following example shows how to configure the Social Media Login feature to use OpenShift service accounts as a single sign-on provider:
<okdServiceLogin />
The okdServiceLogin
element authenticates all protected resource requests received by Open Liberty. The OpenShift project that the service account is in, is used as the group for the service account for authorization decisions.
Use Active Directory as an authentication provider
You can configure an Open Liberty server to use Active Directory as an authentication provider for protected resources. The oidcLogin
element configures a social login by using the OpenID Connect protocol. With OpenID Connect, the discovery endpoint URL provides the information that the client needs to interact with the authentication provider, which in this case is Active Directory. In the following example, the discoveryEndpoint
attribute specifies the endpoint URL for Active Directory:
<oidcLogin
id="liberty-aad-oidc-javaeecafe" clientId="1m2a72a8-Yh32-T56W-95Pq-aFNu78491272"
clientSecret="RaWhKDUcDpngeKCuG14yM6extsMcPXqdUCjYN="
discoveryEndpoint="https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration"
signatureAlgorithm="RS256"
userNameAttribute="preferred_username" />
For more information about Active Directory endpoints, see the Active Directory documentation.