OpenID-Connect-Java-Spring-.../openid-connect-client/README.md

# OpenID Connect Client

## Overview 

This is the Client, a Spring Security AuthenticationFilter, to OpenID Connect Java Spring Server described by [OpenID Connect Standard].

## Configuration of OIDCAuthenticationFilter

Configure the OIDCAuthenticationFilter by adding the XML to your application context security like so:

	<security:http auto-config="false" 
		use-expressions="true"
		disable-url-rewriting="true" 
		entry-point-ref="authenticationEntryPoint" 
		pattern="/**">

		<security:intercept-url 
			pattern="/somepath/**" 
			access="denyAll" />

		<security:custom-filter 
			before="PRE_AUTH_FILTER 
			ref="openIdConnectAuthenticationFilter" />
	
		<security:intercept-url 
			pattern="/**" 
			access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" /> 
		
		<security:logout />
		
		<securityLremember-me user-service-ref="myUserDetailsService"
	</security:http>
	
	<bean id="authenticationEntryPoint" 
		class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> 
		<property name="loginFormUrl" 
			value="/openid_connect_login"/> 
	</bean>
	
	<security:authentication-manager alias="authenticationManager" /> 

	<bean id="openIdConnectAuthenticationProvider"
		class='org.mitre.openid.connect.client.OIDCAuthenticationProvider">
		<property name="userDetaulsService" ref="myUserDetailsService"/>
	</bean>

	<bean id="openIdConnectAuthenticationFilter"
		class="org.mitre.openid.connect.client.OpenIdConnectAuthenticationFilter">
		<property name="authenticationManager"
			ref="authenticationManager" />
		<property name="errorRedirectURI" 
			value="/login.jsp?authfail=openid" />
		<property name="authorizationEndpointURI" 
			value="http://sever.example.com:8080/openid-connect-server/oauth/authorize" />
		<property name="tokenEndpointURI" 
			value="http://sever.example.com:8080/openid-connect-server/oauth/token" />
		<property name="checkIDEndpointURI" 
			value="http://sever.example.com:8080/openid-connect-server/checkid" />
		<property name="clientId" 
			value="someClientId" /> 
		<property name="clientSecret" value="someClientSecret" /> 
	</bean>

You will need to implement your own UserDetailsService and configure as the above does with the reference to *myUserDetailsService*.

## Configuration of OIDCAuthenticationUsingChooserFilter

The OIDCAuthenticationUsingChooserFilter was written in response to [Issue #39].

Th Authentication Filter use the *oidcServerConfigs* property, a map of OIDC servers, an *accountChooserURI* property to denote the URI of the Account Chooser, and an *accountChooserClient* property to identify the Client to the Account Chooser UI application like so:
	
	<bean id="openIdConnectAuthenticationFilter"
		class="org.mitre.openid.connect.client.OIDCAuthenticationUsingChooserFilter">
		<property name="errorRedirectURI" value="/login.jsp?authfail=openid" /> 
		<property name="authenticationManager" ref="authenticationManager" />
		<property name="accountChooserURI"
			value="http://sever.example.com:8080/account-chooser" />
		<property name="accountChooserClientID" value="FGWEUIASJK" />
		<property name="oidcServerConfigs">
			<map>
				<entry key="http://sever.example.com:8080/Fopenid-connect-server">
					<bean class="org.mitre.openid.connect.client.OIDCServerConfiguration">
						<property name="authorizationEndpointURI" 
							value="http://sever.example.com:8080/openid-connect-server/oauth/authorize" />
						<property name="tokenEndpointURI" 
							value="http://sever.example.com:8080/openid-connect-server/oauth/token" />
						<property name="checkIDEndpointURI" 
							value="http://sever.example.com:8080/openid-connect-server/checkid" />
						<property name="clientId" 
							value="someClientId" /> 
						<property name="clientSecret" value="someClientSecret" />
					</bean>
				</entry>
				<entry key=". . .
			</map>
		</property>
	</bean>
	
Again, you will need to implement your own UserDetailsService and configure as the above does with the reference to *myUserDetailsService*.	

[OpenID Connect Standard]: http://openid.net/specs/openid-connect-standard-1_0.html "OpenID Connect Standard 1.0"
[OpenID Connect Standard]: http://openid.net/specs/openid-connect-standard-1_0.html#code_flow "Authorization Code Flow, OpenID Connect Standard"
[Issuer Identifier]: http://openid.net/specs/openid-connect-messages-1_0.html#issuer_identifier "Issuer Identifier"
[Issue #39]: http://github.com/jricher/OpenID-Connect-Java-Spring-Server/issues/39 "Issue #39 -- Multiple Point Client"
issue #39 2012-05-08 23:52:13 +00:00			`# OpenID Connect Client`

			`## Overview`

			`This is the Client, a Spring Security AuthenticationFilter, to OpenID Connect Java Spring Server described by [OpenID Connect Standard].`

mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`## Configuration of OIDCAuthenticationFilter`
issue #39 2012-05-08 23:52:13 +00:00
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`Configure the OIDCAuthenticationFilter by adding the XML to your application context security like so:`
issue #39 2012-05-08 23:52:13 +00:00
			`<security:http auto-config="false"`
			`use-expressions="true"`
			`disable-url-rewriting="true"`
			`entry-point-ref="authenticationEntryPoint"`
			`pattern="/**">`

			`<security:intercept-url`
			`pattern="/somepath/**"`
			`access="denyAll" />`

			`<security:custom-filter`
			`before="PRE_AUTH_FILTER`
			`ref="openIdConnectAuthenticationFilter" />`

			`<security:intercept-url`
			`pattern="/**"`
			`access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />`

			`<security:logout />`

			`<securityLremember-me user-service-ref="myUserDetailsService"`
			`</security:http>`

			`<bean id="authenticationEntryPoint"`
			`class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">`
			`<property name="loginFormUrl"`
			`value="/openid_connect_login"/>`
			`</bean>`

			`<security:authentication-manager alias="authenticationManager" />`

			`<bean id="openIdConnectAuthenticationProvider"`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`class='org.mitre.openid.connect.client.OIDCAuthenticationProvider">`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="userDetaulsService" ref="myUserDetailsService"/>`
			`</bean>`

			`<bean id="openIdConnectAuthenticationFilter"`
			`class="org.mitre.openid.connect.client.OpenIdConnectAuthenticationFilter">`
			`<property name="authenticationManager"`
			`ref="authenticationManager" />`
			`<property name="errorRedirectURI"`
			`value="/login.jsp?authfail=openid" />`
			`<property name="authorizationEndpointURI"`
readme tweaks. 2012-05-09 00:04:51 +00:00			`value="http://sever.example.com:8080/openid-connect-server/oauth/authorize" />`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="tokenEndpointURI"`
readme tweaks. 2012-05-09 00:04:51 +00:00			`value="http://sever.example.com:8080/openid-connect-server/oauth/token" />`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="checkIDEndpointURI"`
			`value="http://sever.example.com:8080/openid-connect-server/checkid" />`
			`<property name="clientId"`
			`value="someClientId" />`
			`<property name="clientSecret" value="someClientSecret" />`
			`</bean>`

			`You will need to implement your own UserDetailsService and configure as the above does with the reference to myUserDetailsService.`

mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`## Configuration of OIDCAuthenticationUsingChooserFilter`
issue #39 2012-05-08 23:52:13 +00:00
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`The OIDCAuthenticationUsingChooserFilter was written in response to [Issue #39].`
issue #39 2012-05-08 23:52:13 +00:00
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`Th Authentication Filter use the oidcServerConfigs property, a map of OIDC servers, an accountChooserURI property to denote the URI of the Account Chooser, and an accountChooserClient property to identify the Client to the Account Chooser UI application like so:`
issue #39 2012-05-08 23:52:13 +00:00
			`<bean id="openIdConnectAuthenticationFilter"`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`class="org.mitre.openid.connect.client.OIDCAuthenticationUsingChooserFilter">`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="errorRedirectURI" value="/login.jsp?authfail=openid" />`
			`<property name="authenticationManager" ref="authenticationManager" />`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`<property name="accountChooserURI"`
issue #39 2012-05-08 23:52:13 +00:00			`value="http://sever.example.com:8080/account-chooser" />`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`<property name="accountChooserClientID" value="FGWEUIASJK" />`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="oidcServerConfigs">`
			`<map>`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`<entry key="http://sever.example.com:8080/Fopenid-connect-server">`
issue #39 2012-05-08 23:52:13 +00:00			`<bean class="org.mitre.openid.connect.client.OIDCServerConfiguration">`
			`<property name="authorizationEndpointURI"`
readme tweaks. 2012-05-09 00:04:51 +00:00			`value="http://sever.example.com:8080/openid-connect-server/oauth/authorize" />`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="tokenEndpointURI"`
readme tweaks. 2012-05-09 00:04:51 +00:00			`value="http://sever.example.com:8080/openid-connect-server/oauth/token" />`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="checkIDEndpointURI"`
			`value="http://sever.example.com:8080/openid-connect-server/checkid" />`
			`<property name="clientId"`
			`value="someClientId" />`
			`<property name="clientSecret" value="someClientSecret" />`
			`</bean>`
			`</entry>`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`<entry key=". . .`
issue #39 2012-05-08 23:52:13 +00:00			`</map>`
			`</property>`
			`</bean>`

mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`Again, you will need to implement your own UserDetailsService and configure as the above does with the reference to myUserDetailsService.`
issue #39 2012-05-08 23:52:13 +00:00
			`[OpenID Connect Standard]: http://openid.net/specs/openid-connect-standard-1_0.html "OpenID Connect Standard 1.0"`
			`[OpenID Connect Standard]: http://openid.net/specs/openid-connect-standard-1_0.html#code_flow "Authorization Code Flow, OpenID Connect Standard"`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`[Issuer Identifier]: http://openid.net/specs/openid-connect-messages-1_0.html#issuer_identifier "Issuer Identifier"`
issue #39 2012-05-08 23:52:13 +00:00			`[Issue #39]: http://github.com/jricher/OpenID-Connect-Java-Spring-Server/issues/39 "Issue #39 -- Multiple Point Client"`