OpenID Connect Provider 1.0
This feature enables web applications to integrate OpenID Connect Server 1.0 for authenticating users instead of, or in addition to, the configured user registry.
The OpenID Connect (OIDC) Provider feature is one of several features that enable single sign-on (SSO) in Open Liberty. With this feature, you can authenticate users without managing their credentials in the application itself. You can configure Open Liberty to act as an OpenID Connect provider. With this configuration, users need to authenticate only once to access Open Liberty resources such as HTML pages, JavaServer Pages (JSP) files, and servlets. Users can also access resources in multiple Open Liberty servers that share Lightweight Third Party Authentication (LTPA) keys. This configuration is useful during development; when deployed into production in the cloud, applications typically use a cloud-hosted SSO provider such as Google.
Enabling this feature
To enable the OpenID Connect Provider 1.0 feature, add the following element declaration into your server.xml file, inside the featureManager element:
<feature>openidConnectServer-1.0</feature>
Examples
Managing OAuth clients with local store
The following example shows how to create a basic configuration to run an OpenID Connect Provider. The example uses the basic user registry to manage a single user that is defined in the server configuration.
<keyStore id="defaultKeyStore" password="keyspass" />
<basicRegistry id="basic" realm="customRealm">
    <user name="demouser" password="demopassword" />
</basicRegistry>
<openidConnectProvider id="OP"
                       oauthProviderRef="OAuth"
                       signatureAlgorithm="RS256" keyStoreRef="defaultKeyStore"
                       jwkEnabled="true">
</openidConnectProvider>
<oauthProvider id="OAuth" tokenFormat="mpjwt" >
    <localStore>
        <client displayname="RP" enabled="true"
                name="RP" secret="thesecret"
                scope="openid profile email"
                preAuthorizedScope="openid profile email">
            <redirect>https://localhost:19443/oidcclient/redirect/RP</redirect>
        </client>
    </localStore>
</oauthProvider>
<oauth-roles>
    <authenticated>
        <special-subject type="ALL_AUTHENTICATED_USERS" />
    </authenticated>
</oauth-roles>
In the example, the openidConnectProvider element is configured with the oauthProviderRef attribute, which refers to the id of the oauthProvider element. The signatureAlgorithm attribute specifies RS256 as the algorithm that is used to sign the ID token. Setting the jwkEnabled attribute to true indicates that the OpenID Connect provider supports JSON Web Keys (JWK). The OpenID Connect provider generates a JSON Web Key by using the certificate in the keystore that is referenced by the keyStoreRef attribute, and that generated key is used to sign ID tokens. OpenID Connect clients can contact the provider's JWK endpoint to retrieve the corresponding signing key and verify the signatures of ID tokens that the provider issues.
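The ID-token verification described above, shown end to end as an added example that is not part of the Open Liberty documentation or code base. The Go program below (standard library only) stands in for the provider by generating an RSA key, publishing its public half in the {"keys":[...]} shape a JWK endpoint returns, and signing an RS256 ID token; it then performs the relying-party checks: pin the algorithm, select the key by kid from the JWK set, verify the signature, and check iss, aud and exp. The key ID op-key-1, the issuer URL https://localhost:19443/oidc, the timestamps, and the client ID RP (the client name from the configuration above) are constructed placeholders; in a deployment the JWK set is fetched over HTTPS from the provider's JWK endpoint and the issuer is the provider's actual issuer identifier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK is the part of an RSA key entry (RFC 7517) a verifier needs; JWKS is the {"keys":[...]} document a JWK endpoint serves.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

// Claims are the ID-token claims checked below (aud is treated as a single string; OIDC also permits an array).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// PublicJWK publishes an RSA public key as a provider does: n and e as unsigned big-endian base64url strings.
func PublicJWK(kid string, pub *rsa.PublicKey) JWK {
	return JWK{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// SignIDToken mints an RS256 compact JWT; it stands in for the provider so the example runs offline (not Liberty code).
func SignIDToken(priv *rsa.PrivateKey, kid string, claims Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken is the relying-party side: the verifier (not the token) fixes the algorithm, so "none" and
// HMAC-with-public-key confusion are refused; then select the key by kid, verify, and check iss/aud/exp (now = unix secs).
func VerifyIDToken(token string, jwks JWKS, issuer, clientID string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrBytes, e1 := b64.DecodeString(parts[0])
	payload, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, fmt.Errorf("token segments are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: alg must be RS256")
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		n, en := b64.DecodeString(k.N)
		e, ee := b64.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == hdr.Kid && en == nil && ee == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no usable RSA key with kid %q in JWK set", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify under the provider key")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || c.Aud != clientID || now >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := JWKS{Keys: []JWK{PublicJWK("op-key-1", &priv.PublicKey)}}
	iss := "https://localhost:19443/oidc" // constructed placeholder, not the provider's real issuer path
	tok, _ := SignIDToken(priv, "op-key-1", Claims{Iss: iss, Sub: "demouser", Aud: "RP", Exp: 4102444800})
	fmt.Println(VerifyIDToken(tok, jwks, iss, "RP", 1700000000))
}
```

Run it with go run; VerifyIDToken returns the claims on success and an error otherwise. Because the algorithm comes from the verifier's configuration rather than from the token header, a token that claims alg none or an HMAC algorithm is rejected before any key lookup, and a token whose kid matches nothing in the JWK set is rejected rather than checked against a default key. A real relying party would also cache the JWK set and re-fetch it on an unknown kid, so that provider key rotation does not break verification.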
The example configuration uses a localStore element to store the client data and token status. With a local store, client data and token status are held in memory, which is adequate for test and development purposes. It is not suitable for production, because reconfiguring the server might clear the local store. In production environments, store client data and token status in a database instead of a local store.
Add users and groups to the clientManager role
The following example shows how to add individual users and groups to the clientManager role:
<oauth-roles>
    <clientManager>
        <user name="testuser" />
        <group name="oidcadmin" />
    </clientManager>
</oauth-roles>
Users in the clientManager role can add or modify clients by accessing the registration endpoint. In the example, the clientManager role is granted to the user testuser and to members of the oidcadmin group.