OpenID-Connect-Java-Spring-.../openid-connect-client/README.md

# OpenID Connect Client #

## Overview ##

This project contains an OpenID Connect Client implemented as a Spring Security AuthenticationFilter.  The client facilitates a user's authentication into the secured application to an OpenID Connect Java Spring Server following the OpenID Connect Standard protocol.

For an example of the Client configuration, see the [Simple Web App] project.

## Configuring ##

Configure the client by adding the following XML to your application context security making changes where necessary for your specific deployment.

Open and define an HTTP security configuration with a reference to a custom ***AuthenticationEntryPoint***, described below:

	<security:http auto-config="false" use-expressions="true" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" pattern="/**">

Specify the access attributes and/or filter list for a particular set of URLs needing protection:

		<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" /> 

Indicate that ***OIDCAuthenticationFilter*** authentication filter should be incorporated into the security filter chain:

		<security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />

Then close the HTTP security configuration:
		
	</security:http>

Define a custom ***AuthenticationEntryPoint*** to use a login URL via a bean declaration:
	
	<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> 
		<property name="loginFormUrl" value="/openid_connect_login" />
	</bean>
	
NOTE:  The ***loginFormUrl*** value is post-pended to the URI of the application being secured to define the ***redirect_uri***, the value passed to the OIDC Server and, if the ***OIDCAuthenticationUsingChooserFilter*** is configured, also the Account Chooser Application.  
		
Define an ***AuthenticationManager*** with a reference to a custom authentication provider, ***OpenIDConnectAuthenticationProvider***:
		
	<security:authentication-manager alias="authenticationManager">
		<security:authentication-provider ref="openIDConnectAuthenticationProvider" />
	</security:authentication-manager> 

Define the custom authentication provider. Note that it does not take a UserDetailsService as input at this time but instead makes a call to the UserInfoEndpoint to fill in user information.

	<bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider" />

### Configuring the OIDCAuthenticationFilter ###

The ***OIDCAuthenticationFilter*** filter is defined with the following properties:

*	***authenticationManager*** -- a reference to the  ***AuthenticationManager***
*	***errorRedirectURI*** -- the URI of the Error redirect

Additionally, it contains a set of convenience methods to pass through to parameters on the ***OIDCServerConfiguration*** object that defines attributes of the server that it connects to:

*   ***issuer*** -- the root issuer string of this server (required)
*   ***authorizationEndpointUrl*** -- the URL of the Authorization Endpoint (required)
*   ***tokenEndpointUrl*** -- the URL of the Token Endpoint (required)
*   ***jwkSigningUrl*** -- the URL of the JWK (public key) Endpoint for token verification 
*   ***clientId*** -- the registered client identifier (required)
*   ***clientSecret*** -- the registered client secret
*   ***userInfoUrl*** -- the URL of the User Info Endpoint
*   ***scope*** -- space-separated list of scopes; the required value "openid" will always be prepended to the list given here

Configure like so: 

	<bean id="openIdConnectAuthenticationFilter"
		class="org.mitre.openid.connect.client.PlainOIDCAuthenticationFilter">
		<property name="authenticationManager" ref="authenticationManager" />
		<property name="errorRedirectURI" value="/login.jsp?authfail=openid" />
		<property name="issuer" value="http://server.example.com:8080/openid-connect-server/" />
		<property name="authorizationEndpointUrl" value="http://sever.example.com:8080/openid-connect-server/openidconnect/auth" />
		<property name="tokenEndpointUrl" value="http://sever.example.com:8080/openid-connect-server/openidconnect/token" />
		<property name="jwkSigningUrl" value="http://server.example.com:8080/openid-connect-server/jwk" />
		<property name="clientId" value="someClientId" /> 
		<property name="clientSecret" value="someClientSecret" /> 
		<property name="userInfoUrl" value="http://server.example.com:8080/open-id-connect-server/userinfo" />
		<property name="scope" value="profile email address phone" />
	</bean>	

### Configuring the OIDCAuthenticationUsingChooserFilter ###

For talking to multiple IdPs using an Account chooser, the ***OIDCAuthenticationUsingChooserFilter*** can be configured and used.  [The Client -- Account Chooser protocol] documentation details the protocol used between the Client and an Account Chooser application.  

The ***OIDCAuthenticationUsingChooserFilter*** Authentication Filter has the following properties:

*	***authenticationManager*** -- a reference to the  ***AuthenticationManager***,
*	***errorRedirectURI*** -- the URI of the Error redirect,
*   ***accountChooserURI*** -- to denote the URI of the Account Chooser, and 
*   ***accountChooserClient*** -- to identify the Client to the Account Chooser UI application. 
*   ***oidcServerConfigs*** -- a map of ***OIDCserverConfiguration***s to encapsulate the settings necesary for the client to communicate with each respective OIDC server,

Each ***OIDCServerConfiguration*** entry in ***OIDCserverConfiguration*** map is keyed to the ***issuer*** returned from the Account Chooser Application and enumerates the following properties: 

*	***authenticationManager*** -- a reference to the  ***AuthenticationManager***,
*   ***issuer*** -- the root issuer string of this server (required)
*   ***authorizationEndpointUrl*** -- the URL of the Authorization Endpoint (required)
*   ***tokenEndpointUrl*** -- the URL of the Token Endpoint (required)
*   ***jwkSigningUrl*** -- the URL of the JWK (public key) Endpoint for token verification 
*   ***clientId*** -- the registered client identifier (required)
*   ***clientSecret*** -- the registered client secret
*   ***userInfoUrl*** -- the URL of the User Info Endpoint
*   ***scope*** -- space-separated list of scopes; the required value "openid" will always be prepended to the list given here

Configure like so: 
	
	<bean id="openIdConnectAuthenticationFilter"
		class="org.mitre.openid.connect.client.OIDCAuthenticationUsingChooserFilter">
		<property name="errorRedirectURI" value="/login.jsp?authfail=openid" /> 
		<property name="authenticationManager" ref="authenticationManager" />
		<property name="accountChooserURI" value="http://sever.example.com:8080/account-chooser" />
		<property name="accountChooserClientID" value="FGWEUIASJK" />
		<property name="oidcServerConfigs">
			<map>
				<entry key="http://sever.example.com:8080/Fopenid-connect-server">
					<bean class="org.mitre.openid.connect.client.OIDCServerConfiguration">
						<property name="issuer" value="http://server.example.com:8080/openid-connect-server/" />
						<property name="authorizationEndpointUrl" value="http://sever.example.com:8080/openid-connect-server/openidconnect/auth" />
						<property name="tokenEndpointUrl" value="http://sever.example.com:8080/openid-connect-server/openidconnect/token" />
						<property name="jwkSigningUrl" value="http://server.example.com:8080/openid-connect-server/jwk" />
						<property name="clientId" value="someClientId" /> 
						<property name="clientSecret" value="someClientSecret" /> 
						<property name="userInfoUrl" value="http://server.example.com:8080/open-id-connect-server/userinfo" />
						<property name="scope" value="profile email address phone" />
					</bean>
				</entry>
				<entry key=". . .
			</map>
		</property>
	</bean>
	
[The Client -- Account Chooser protocol]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/account-chooser/docs/protocol.md
[Simple Web App]: https://github.com/mitreid-connect/simple-web-app
oidc client README.md tweaks 13 years ago			`# OpenID Connect Client #`
issue #39 13 years ago
oidc client README.md tweaks 13 years ago			`## Overview ##`
issue #39 13 years ago
client documentation updates, addresses #135 12 years ago			`This project contains an OpenID Connect Client implemented as a Spring Security AuthenticationFilter. The client facilitates a user's authentication into the secured application to an OpenID Connect Java Spring Server following the OpenID Connect Standard protocol.`

			`For an example of the Client configuration, see the [Simple Web App] project.`
issue #39 13 years ago
oidc client README.md tweaks 13 years ago			`## Configuring ##`
issue #39 13 years ago
oidc client README.md tweaks 13 years ago			`Configure the client by adding the following XML to your application context security making changes where necessary for your specific deployment.`

client documentation updates, addresses #135 12 years ago			`Open and define an HTTP security configuration with a reference to a custom *AuthenticationEntryPoint*, described below:`
issue #39 13 years ago
client documentation updates, addresses #135 12 years ago			`<security:http auto-config="false" use-expressions="true" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" pattern="/**">`
issue #39 13 years ago
oidc client README.md tweaks 13 years ago			`Specify the access attributes and/or filter list for a particular set of URLs needing protection:`

client documentation updates, addresses #135 12 years ago			`<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />`
oidc client README.md tweaks 13 years ago
client documentation updates, addresses #135 12 years ago			`Indicate that *OIDCAuthenticationFilter* authentication filter should be incorporated into the security filter chain:`
issue #39 13 years ago
client documentation updates, addresses #135 12 years ago			`<security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />`
oidc client README.md tweaks 13 years ago
			`Then close the HTTP security configuration:`
issue #39 13 years ago
			`</security:http>`
oidc client README.md tweaks 13 years ago
client documentation updates, addresses #135 12 years ago			`Define a custom *AuthenticationEntryPoint* to use a login URL via a bean declaration:`
issue #39 13 years ago
client documentation updates, addresses #135 12 years ago			`<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">`
			`<property name="loginFormUrl" value="/openid_connect_login" />`
issue #39 13 years ago			`</bean>`

oidc client README.md tweaks 13 years ago			`NOTE: The *loginFormUrl* value is post-pended to the URI of the application being secured to define the *redirect_uri, the value passed to the OIDC Server and, if the OIDCAuthenticationUsingChooserFilter* is configured, also the Account Chooser Application.`

			`Define an *AuthenticationManager* with a reference to a custom authentication provider, *OpenIDConnectAuthenticationProvider*:`

			`<security:authentication-manager alias="authenticationManager">`
			`<security:authentication-provider ref="openIDConnectAuthenticationProvider" />`
			`</security:authentication-manager>`

client documentation updates, addresses #135 12 years ago			`Define the custom authentication provider. Note that it does not take a UserDetailsService as input at this time but instead makes a call to the UserInfoEndpoint to fill in user information.`
issue #39 13 years ago
client documentation updates, addresses #135 12 years ago			`<bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider" />`
issue #39 13 years ago
oidc client README.md tweaks 13 years ago			`### Configuring the OIDCAuthenticationFilter ###`

client documentation updates, addresses #135 12 years ago			`The *OIDCAuthenticationFilter* filter is defined with the following properties:`
oidc client README.md tweaks 13 years ago
client documentation updates, addresses #135 12 years ago			`* *authenticationManager* -- a reference to the *AuthenticationManager*`
			`* *errorRedirectURI* -- the URI of the Error redirect`

			`Additionally, it contains a set of convenience methods to pass through to parameters on the *OIDCServerConfiguration* object that defines attributes of the server that it connects to:`

			`* *issuer* -- the root issuer string of this server (required)`
			`* *authorizationEndpointUrl* -- the URL of the Authorization Endpoint (required)`
			`* *tokenEndpointUrl* -- the URL of the Token Endpoint (required)`
			`* *jwkSigningUrl* -- the URL of the JWK (public key) Endpoint for token verification`
			`* *clientId* -- the registered client identifier (required)`
			`* *clientSecret* -- the registered client secret`
			`* *userInfoUrl* -- the URL of the User Info Endpoint`
			`* *scope* -- space-separated list of scopes; the required value "openid" will always be prepended to the list given here`
oidc client README.md tweaks 13 years ago
			`Configure like so:`

issue #39 13 years ago			`<bean id="openIdConnectAuthenticationFilter"`
major refactor of client filter Collapsed filter into single class pulled server config and client config management into service classes created service for issuer (will handle account chooser) created auth request services (handle signed and unsigned requests) 12 years ago			`class="org.mitre.openid.connect.client.PlainOIDCAuthenticationFilter">`
client documentation updates, addresses #135 12 years ago			`<property name="authenticationManager" ref="authenticationManager" />`
			`<property name="errorRedirectURI" value="/login.jsp?authfail=openid" />`
			`<property name="issuer" value="http://server.example.com:8080/openid-connect-server/" />`
			`<property name="authorizationEndpointUrl" value="http://sever.example.com:8080/openid-connect-server/openidconnect/auth" />`
			`<property name="tokenEndpointUrl" value="http://sever.example.com:8080/openid-connect-server/openidconnect/token" />`
added documentation updates 13 years ago			`<property name="jwkSigningUrl" value="http://server.example.com:8080/openid-connect-server/jwk" />`
client documentation updates, addresses #135 12 years ago			`<property name="clientId" value="someClientId" />`
			`<property name="clientSecret" value="someClientSecret" />`
			`<property name="userInfoUrl" value="http://server.example.com:8080/open-id-connect-server/userinfo" />`
			`<property name="scope" value="profile email address phone" />`
oidc client README.md tweaks 13 years ago			`</bean>`

client documentation updates, addresses #135 12 years ago			`### Configuring the OIDCAuthenticationUsingChooserFilter ###`
oidc client README.md tweaks 13 years ago
client documentation updates, addresses #135 12 years ago			`For talking to multiple IdPs using an Account chooser, the *OIDCAuthenticationUsingChooserFilter* can be configured and used. [The Client -- Account Chooser protocol] documentation details the protocol used between the Client and an Account Chooser application.`
oidc client README.md tweaks 13 years ago
			`The *OIDCAuthenticationUsingChooserFilter* Authentication Filter has the following properties:`
issue #39 13 years ago
client documentation updates, addresses #135 12 years ago			`* *authenticationManager* -- a reference to the *AuthenticationManager*,`
			`* *errorRedirectURI* -- the URI of the Error redirect,`
oidc client README.md tweaks 13 years ago			`* *accountChooserURI* -- to denote the URI of the Account Chooser, and`
			`* *accountChooserClient* -- to identify the Client to the Account Chooser UI application.`
client documentation updates, addresses #135 12 years ago			`* *oidcServerConfigs* -- a map of *OIDCserverConfiguration*s to encapsulate the settings necesary for the client to communicate with each respective OIDC server,`
issue #39 13 years ago
oidc client README.md tweaks 13 years ago			`Each *OIDCServerConfiguration* entry in *OIDCserverConfiguration* map is keyed to the *issuer* returned from the Account Chooser Application and enumerates the following properties:`
issue #39 13 years ago
client documentation updates, addresses #135 12 years ago			`* *authenticationManager* -- a reference to the *AuthenticationManager*,`
			`* *issuer* -- the root issuer string of this server (required)`
			`* *authorizationEndpointUrl* -- the URL of the Authorization Endpoint (required)`
			`* *tokenEndpointUrl* -- the URL of the Token Endpoint (required)`
			`* *jwkSigningUrl* -- the URL of the JWK (public key) Endpoint for token verification`
			`* *clientId* -- the registered client identifier (required)`
			`* *clientSecret* -- the registered client secret`
			`* *userInfoUrl* -- the URL of the User Info Endpoint`
			`* *scope* -- space-separated list of scopes; the required value "openid" will always be prepended to the list given here`
issue #39 13 years ago
oidc client README.md tweaks 13 years ago			`Configure like so:`
issue #39 13 years ago
			`<bean id="openIdConnectAuthenticationFilter"`
mods to reflect client <-> account chooser protocol, and refactoring... 13 years ago			`class="org.mitre.openid.connect.client.OIDCAuthenticationUsingChooserFilter">`
issue #39 13 years ago			`<property name="errorRedirectURI" value="/login.jsp?authfail=openid" />`
			`<property name="authenticationManager" ref="authenticationManager" />`
client documentation updates, addresses #135 12 years ago			`<property name="accountChooserURI" value="http://sever.example.com:8080/account-chooser" />`
mods to reflect client <-> account chooser protocol, and refactoring... 13 years ago			`<property name="accountChooserClientID" value="FGWEUIASJK" />`
issue #39 13 years ago			`<property name="oidcServerConfigs">`
			`<map>`
mods to reflect client <-> account chooser protocol, and refactoring... 13 years ago			`<entry key="http://sever.example.com:8080/Fopenid-connect-server">`
issue #39 13 years ago			`<bean class="org.mitre.openid.connect.client.OIDCServerConfiguration">`
client documentation updates, addresses #135 12 years ago			`<property name="issuer" value="http://server.example.com:8080/openid-connect-server/" />`
			`<property name="authorizationEndpointUrl" value="http://sever.example.com:8080/openid-connect-server/openidconnect/auth" />`
			`<property name="tokenEndpointUrl" value="http://sever.example.com:8080/openid-connect-server/openidconnect/token" />`
			`<property name="jwkSigningUrl" value="http://server.example.com:8080/openid-connect-server/jwk" />`
			`<property name="clientId" value="someClientId" />`
			`<property name="clientSecret" value="someClientSecret" />`
			`<property name="userInfoUrl" value="http://server.example.com:8080/open-id-connect-server/userinfo" />`
			`<property name="scope" value="profile email address phone" />`
issue #39 13 years ago			`</bean>`
			`</entry>`
mods to reflect client <-> account chooser protocol, and refactoring... 13 years ago			`<entry key=". . .`
issue #39 13 years ago			`</map>`
			`</property>`
			`</bean>`

oidc client README.md tweaks 13 years ago			`[The Client -- Account Chooser protocol]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/account-chooser/docs/protocol.md`
client documentation updates, addresses #135 12 years ago			`[Simple Web App]: https://github.com/mitreid-connect/simple-web-app`