OpenID-Connect-Java-Spring-.../openid-connect-client/README.md

# OpenID Connect Client

## Overview 

This is the Client, a Spring Security AuthenticationFilter, to the OpenID Connect Java Spring Server following the [OpenID Connect Standard] described protocol.

## Configuration of OIDCAuthenticationFilter

Configure the OIDCAuthenticationFilter by adding the XML to your application context security like so making changes where necessary for your deployment:

	<security:http auto-config="false" 
		use-expressions="true"
		disable-url-rewriting="true" 
		entry-point-ref="authenticationEntryPoint" 
		pattern="/**">

		<security:intercept-url 
			pattern="/somepath/**" 
			access="denyAll" />

		<security:custom-filter 
			before="PRE_AUTH_FILTER 
			ref="openIdConnectAuthenticationFilter" />
	
		<security:intercept-url 
			pattern="/**" 
			access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" /> 
		
		<security:logout />
		
		<securityLremember-me user-service-ref="myUserDetailsService"
	</security:http>
	
	<bean id="authenticationEntryPoint" 
		class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> 
		<property name="loginFormUrl" 
			value="/openid_connect_login"/> 
	</bean>
	
	<security:authentication-manager alias="authenticationManager" /> 

	<bean id="openIdConnectAuthenticationProvider"
		class='org.mitre.openid.connect.client.OIDCAuthenticationProvider">
		<property name="userDetaulsService" ref="myUserDetailsService"/>
	</bean>

	<bean id="openIdConnectAuthenticationFilter"
		class="org.mitre.openid.connect.client.OpenIdConnectAuthenticationFilter">
		<property name="authenticationManager"
			ref="authenticationManager" />
		<property name="errorRedirectURI" 
			value="/login.jsp?authfail=openid" />
		<property name="authorizationEndpointURI" 
			value="http://sever.example.com:8080/openid-connect-server/oauth/authorize" />
		<property name="tokenEndpointURI" 
			value="http://sever.example.com:8080/openid-connect-server/oauth/token" />
		<property name="checkIDEndpointURI" 
			value="http://sever.example.com:8080/openid-connect-server/checkid" />
		<property name="clientId" 
			value="someClientId" /> 
		<property name="clientSecret" value="someClientSecret" /> 
	</bean>

You will need to implement your own UserDetailsService and configure as the above does with the reference to *myUserDetailsService*.

## Configuration of OIDCAuthenticationUsingChooserFilter

The OIDCAuthenticationUsingChooserFilter was written in response to [Issue #39].

The Authentication Filter uses the *oidcServerConfigs* property, a map of OIDC servers; an *accountChooserURI* property to denote the URI of the Account Chooser; and an *accountChooserClient* property to identify the Client to the Account Chooser UI application like so with modifications specific to your deployment:
	
	<bean id="openIdConnectAuthenticationFilter"
		class="org.mitre.openid.connect.client.OIDCAuthenticationUsingChooserFilter">
		<property name="errorRedirectURI" value="/login.jsp?authfail=openid" /> 
		<property name="authenticationManager" ref="authenticationManager" />
		<property name="accountChooserURI"
			value="http://sever.example.com:8080/account-chooser" />
		<property name="accountChooserClientID" value="FGWEUIASJK" />
		<property name="oidcServerConfigs">
			<map>
				<entry key="http://sever.example.com:8080/Fopenid-connect-server">
					<bean class="org.mitre.openid.connect.client.OIDCServerConfiguration">
						<property name="authorizationEndpointURI" 
							value="http://sever.example.com:8080/openid-connect-server/oauth/authorize" />
						<property name="tokenEndpointURI" 
							value="http://sever.example.com:8080/openid-connect-server/oauth/token" />
						<property name="checkIDEndpointURI" 
							value="http://sever.example.com:8080/openid-connect-server/checkid" />
						<property name="clientId" 
							value="someClientId" /> 
						<property name="clientSecret" value="someClientSecret" />
					</bean>
				</entry>
				<entry key=". . .
			</map>
		</property>
	</bean>
	
Again, you will need to implement your own UserDetailsService and configure as the above does with the reference to *myUserDetailsService*.	

## Implementing your own UserDetailsService

An example UserDetailsService for the Rave Portal follows:

        package org.mitre.mpn.service.impl;
        
        import org.apache.rave.portal.model.NewUser;
        import org.apache.rave.portal.model.User;
        import org.apache.rave.portal.service.NewAccountService;
        import org.apache.rave.portal.service.UserService;
        import org.slf4j.Logger;
        import org.slf4j.LoggerFactory;
        import org.springframework.beans.factory.annotation.Autowired;
        import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
        import org.springframework.security.core.userdetails.UserDetails;
        import org.springframework.security.core.userdetails.UserDetailsService;
        import org.springframework.security.core.userdetails.UsernameNotFoundException;
        
        import org.mitre.openid.connect.client.OpenIdConnectAuthenticationToken;
        
        import org.springframework.stereotype.Service;
        
        import java.util.UUID;
        
        @Service(value = "myUserDetailsService")
        public class MyUserDetailsService implements UserDetailsService,
                AuthenticationUserDetailsService<OpenIdConnectAuthenticationToken> {
        
            private static final Logger log = LoggerFactory.getLogger(MpnUserDetailsService.class);

            private final UserService userService;
            private final NewAccountService newAccountService;

            //TODO: This is temporarily hard-coded while we wait for the concept of Page Templates to be implemented in Rave
            private static final String DEFAULT_LAYOUT_CODE = "columns_3";
        
            @Autowired
            public MyUserDetailsService(UserService userService, NewAccountService newAccountService) {
                this.userService = userService;
                this.newAccountService = newAccountService;
            }
        
            /* (non-Javadoc)
             * @see org.springframework.security.core.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)
             */
            public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                
            	log.debug("loadUserByUsername called with: {}", username);
                
            	User user = userService.getUserByUsername(username);
                
                if (user == null) {
                    throw new UsernameNotFoundException("User with username '" + username + "' was not found!");
                }
                
                return user;
            }
        
            /* (non-Javadoc)
             * @see org.springframework.security.core.userdetails.AuthenticationUserDetailsService#loadUserDetails(org.springframework.security.core.Authentication)
             */
            public UserDetails loadUserDetails(OpenIdConnectAuthenticationToken token) throws UsernameNotFoundException {
                log.debug("loadUserDetails called with: {}", token);
        
                User user = userService.getUserByUsername(token.getUserId());
        
                if (user == null) {
                	
                    NewUser newUser = new NewUser();
                    newUser.setUsername(token.getUserId());
                    newUser.setEmail(token.getUserId() + "@example.com");
                    newUser.setPageLayout(DEFAULT_LAYOUT_CODE);
                    newUser.setPassword(UUID.randomUUID().toString());
                    
                    try {
                        newAccountService.createNewAccount(newUser);
                    } catch (Exception e) {
                        throw new RuntimeException(e);
                    }
        
                    user = userService.getUserByUsername(token.getName());
        
                }
                
                return user;
            }
        }


[OpenID Connect Standard]: http://openid.net/specs/openid-connect-standard-1_0.html "OpenID Connect Standard 1.0"
[OpenID Connect Standard]: http://openid.net/specs/openid-connect-standard-1_0.html#code_flow "Authorization Code Flow, OpenID Connect Standard"
[Issuer Identifier]: http://openid.net/specs/openid-connect-messages-1_0.html#issuer_identifier "Issuer Identifier"
[Issue #39]: http://github.com/jricher/OpenID-Connect-Java-Spring-Server/issues/39 "Issue #39 -- Multiple Point Client"
issue #39 2012-05-08 23:52:13 +00:00			`# OpenID Connect Client`

			`## Overview`

grammar tune up 2012-05-21 19:28:55 +00:00			`This is the Client, a Spring Security AuthenticationFilter, to the OpenID Connect Java Spring Server following the [OpenID Connect Standard] described protocol.`
issue #39 2012-05-08 23:52:13 +00:00
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`## Configuration of OIDCAuthenticationFilter`
issue #39 2012-05-08 23:52:13 +00:00
grammar tune up 2012-05-21 19:28:55 +00:00			`Configure the OIDCAuthenticationFilter by adding the XML to your application context security like so making changes where necessary for your deployment:`
issue #39 2012-05-08 23:52:13 +00:00
			`<security:http auto-config="false"`
			`use-expressions="true"`
			`disable-url-rewriting="true"`
			`entry-point-ref="authenticationEntryPoint"`
			`pattern="/**">`

			`<security:intercept-url`
			`pattern="/somepath/**"`
			`access="denyAll" />`

			`<security:custom-filter`
			`before="PRE_AUTH_FILTER`
			`ref="openIdConnectAuthenticationFilter" />`

			`<security:intercept-url`
			`pattern="/**"`
			`access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />`

			`<security:logout />`

			`<securityLremember-me user-service-ref="myUserDetailsService"`
			`</security:http>`

			`<bean id="authenticationEntryPoint"`
			`class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">`
			`<property name="loginFormUrl"`
			`value="/openid_connect_login"/>`
			`</bean>`

			`<security:authentication-manager alias="authenticationManager" />`

			`<bean id="openIdConnectAuthenticationProvider"`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`class='org.mitre.openid.connect.client.OIDCAuthenticationProvider">`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="userDetaulsService" ref="myUserDetailsService"/>`
			`</bean>`

			`<bean id="openIdConnectAuthenticationFilter"`
			`class="org.mitre.openid.connect.client.OpenIdConnectAuthenticationFilter">`
			`<property name="authenticationManager"`
			`ref="authenticationManager" />`
			`<property name="errorRedirectURI"`
			`value="/login.jsp?authfail=openid" />`
			`<property name="authorizationEndpointURI"`
readme tweaks. 2012-05-09 00:04:51 +00:00			`value="http://sever.example.com:8080/openid-connect-server/oauth/authorize" />`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="tokenEndpointURI"`
readme tweaks. 2012-05-09 00:04:51 +00:00			`value="http://sever.example.com:8080/openid-connect-server/oauth/token" />`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="checkIDEndpointURI"`
			`value="http://sever.example.com:8080/openid-connect-server/checkid" />`
			`<property name="clientId"`
			`value="someClientId" />`
			`<property name="clientSecret" value="someClientSecret" />`
			`</bean>`

			`You will need to implement your own UserDetailsService and configure as the above does with the reference to myUserDetailsService.`

mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`## Configuration of OIDCAuthenticationUsingChooserFilter`
issue #39 2012-05-08 23:52:13 +00:00
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`The OIDCAuthenticationUsingChooserFilter was written in response to [Issue #39].`
issue #39 2012-05-08 23:52:13 +00:00
grammar tune up 2012-05-21 19:28:55 +00:00			`The Authentication Filter uses the oidcServerConfigs property, a map of OIDC servers; an accountChooserURI property to denote the URI of the Account Chooser; and an accountChooserClient property to identify the Client to the Account Chooser UI application like so with modifications specific to your deployment:`
issue #39 2012-05-08 23:52:13 +00:00
			`<bean id="openIdConnectAuthenticationFilter"`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`class="org.mitre.openid.connect.client.OIDCAuthenticationUsingChooserFilter">`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="errorRedirectURI" value="/login.jsp?authfail=openid" />`
			`<property name="authenticationManager" ref="authenticationManager" />`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`<property name="accountChooserURI"`
issue #39 2012-05-08 23:52:13 +00:00			`value="http://sever.example.com:8080/account-chooser" />`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`<property name="accountChooserClientID" value="FGWEUIASJK" />`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="oidcServerConfigs">`
			`<map>`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`<entry key="http://sever.example.com:8080/Fopenid-connect-server">`
issue #39 2012-05-08 23:52:13 +00:00			`<bean class="org.mitre.openid.connect.client.OIDCServerConfiguration">`
			`<property name="authorizationEndpointURI"`
readme tweaks. 2012-05-09 00:04:51 +00:00			`value="http://sever.example.com:8080/openid-connect-server/oauth/authorize" />`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="tokenEndpointURI"`
readme tweaks. 2012-05-09 00:04:51 +00:00			`value="http://sever.example.com:8080/openid-connect-server/oauth/token" />`
issue #39 2012-05-08 23:52:13 +00:00			`<property name="checkIDEndpointURI"`
			`value="http://sever.example.com:8080/openid-connect-server/checkid" />`
			`<property name="clientId"`
			`value="someClientId" />`
			`<property name="clientSecret" value="someClientSecret" />`
			`</bean>`
			`</entry>`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`<entry key=". . .`
issue #39 2012-05-08 23:52:13 +00:00			`</map>`
			`</property>`
			`</bean>`

mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`Again, you will need to implement your own UserDetailsService and configure as the above does with the reference to myUserDetailsService.`
issue #39 2012-05-08 23:52:13 +00:00
added UserDetailsService example 2012-05-21 20:02:28 +00:00			`## Implementing your own UserDetailsService`

			`An example UserDetailsService for the Rave Portal follows:`

			`package org.mitre.mpn.service.impl;`

			`import org.apache.rave.portal.model.NewUser;`
			`import org.apache.rave.portal.model.User;`
			`import org.apache.rave.portal.service.NewAccountService;`
			`import org.apache.rave.portal.service.UserService;`
			`import org.slf4j.Logger;`
			`import org.slf4j.LoggerFactory;`
			`import org.springframework.beans.factory.annotation.Autowired;`
			`import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;`
			`import org.springframework.security.core.userdetails.UserDetails;`
			`import org.springframework.security.core.userdetails.UserDetailsService;`
			`import org.springframework.security.core.userdetails.UsernameNotFoundException;`

			`import org.mitre.openid.connect.client.OpenIdConnectAuthenticationToken;`

			`import org.springframework.stereotype.Service;`

			`import java.util.UUID;`

			`@Service(value = "myUserDetailsService")`
			`public class MyUserDetailsService implements UserDetailsService,`
			`AuthenticationUserDetailsService<OpenIdConnectAuthenticationToken> {`

			`private static final Logger log = LoggerFactory.getLogger(MpnUserDetailsService.class);`

			`private final UserService userService;`
			`private final NewAccountService newAccountService;`

			`//TODO: This is temporarily hard-coded while we wait for the concept of Page Templates to be implemented in Rave`
			`private static final String DEFAULT_LAYOUT_CODE = "columns_3";`

			`@Autowired`
			`public MyUserDetailsService(UserService userService, NewAccountService newAccountService) {`
			`this.userService = userService;`
			`this.newAccountService = newAccountService;`
			`}`

			`/* (non-Javadoc)`
			`* @see org.springframework.security.core.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)`
			`*/`
			`public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {`

			`log.debug("loadUserByUsername called with: {}", username);`

			`User user = userService.getUserByUsername(username);`

			`if (user == null) {`
			`throw new UsernameNotFoundException("User with username '" + username + "' was not found!");`
			`}`

			`return user;`
			`}`

			`/* (non-Javadoc)`
			`* @see org.springframework.security.core.userdetails.AuthenticationUserDetailsService#loadUserDetails(org.springframework.security.core.Authentication)`
			`*/`
			`public UserDetails loadUserDetails(OpenIdConnectAuthenticationToken token) throws UsernameNotFoundException {`
			`log.debug("loadUserDetails called with: {}", token);`

			`User user = userService.getUserByUsername(token.getUserId());`

			`if (user == null) {`

			`NewUser newUser = new NewUser();`
			`newUser.setUsername(token.getUserId());`
			`newUser.setEmail(token.getUserId() + "@example.com");`
			`newUser.setPageLayout(DEFAULT_LAYOUT_CODE);`
			`newUser.setPassword(UUID.randomUUID().toString());`

			`try {`
			`newAccountService.createNewAccount(newUser);`
			`} catch (Exception e) {`
			`throw new RuntimeException(e);`
			`}`

			`user = userService.getUserByUsername(token.getName());`

			`}`

			`return user;`
			`}`
			`}`


issue #39 2012-05-08 23:52:13 +00:00			`[OpenID Connect Standard]: http://openid.net/specs/openid-connect-standard-1_0.html "OpenID Connect Standard 1.0"`
			`[OpenID Connect Standard]: http://openid.net/specs/openid-connect-standard-1_0.html#code_flow "Authorization Code Flow, OpenID Connect Standard"`
mods to reflect client <-> account chooser protocol, and refactoring... 2012-05-15 22:43:45 +00:00			`[Issuer Identifier]: http://openid.net/specs/openid-connect-messages-1_0.html#issuer_identifier "Issuer Identifier"`
grammar tune up 2012-05-21 19:28:55 +00:00			`[Issue #39]: http://github.com/jricher/OpenID-Connect-Java-Spring-Server/issues/39 "Issue #39 -- Multiple Point Client"`