# OpenID Connect Client #
## Overview ##
You are reading the documentation for the OIDC Client, implemented as a Spring Security AuthenticationFilter. The client authenticates a user to the secured application against an OpenID Connect Java Spring Server, following the protocol described in the [OpenID Connect Standard].
## Configuring ##
Configure the client by adding the following XML to your application's security context, changing values where necessary for your specific deployment.

Open an HTTP security configuration that references a custom ***AuthenticationEntryPoint*** bean (defined below):

```xml
<security:http auto-config="false"
               use-expressions="true"
               disable-url-rewriting="true"
               entry-point-ref="authenticationEntryPoint"
               pattern="/**">
```
Specify the access attributes and/or filter list for the set of URLs needing protection:

```xml
<security:intercept-url pattern="/**"
                        access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
```
Indicate that the ***OpenIdConnectAuthenticationFilter*** should be inserted into the security filter chain:

```xml
<security:custom-filter before="PRE_AUTH_FILTER"
                        ref="openIdConnectAuthenticationFilter" />
```
Set up remember-me authentication, referencing the yet-to-be-defined ***UserDetailsService***:

```xml
<security:remember-me user-service-ref="myUserDetailsService" />
```
NOTE: See the last section for how to implement your own ***UserDetailsService***, which is necessary to complete authentication.

Then close the HTTP security configuration:

```xml
</security:http>
```
Define the custom ***AuthenticationEntryPoint*** via a bean declaration:

```xml
<bean id="authenticationEntryPoint"
      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl"
              value="/openid_connect_login" />
</bean>
```
NOTE: The ***loginFormUrl*** value is appended to the URI of the secured application to form the ***redirect_uri***, the value passed to the OIDC Server and, if the ***OIDCAuthenticationUsingChooserFilter*** is configured, to the Account Chooser application as well.

Define an ***AuthenticationManager*** that references the custom authentication provider, ***OIDCAuthenticationProvider***:

```xml
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="openIdConnectAuthenticationProvider" />
</security:authentication-manager>
```
Define the custom authentication provider, referencing your yet-to-be-defined implementation of a ***UserDetailsService***:

```xml
<bean id="openIdConnectAuthenticationProvider"
      class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">
    <property name="userDetailsService" ref="myUserDetailsService" />
</bean>
```
### Configuring the OpenIdConnectAuthenticationFilter ###

The ***OpenIdConnectAuthenticationFilter*** is defined with the following properties:

* ***authenticationManager*** -- a reference to the ***AuthenticationManager***,
* ***errorRedirectURI*** -- the URI to redirect to on an authentication error,
* ***authorizationEndpointURI*** -- the URI of the Authorization Endpoint,
* ***tokenEndpointURI*** -- the URI of the Token Endpoint,
* ***clientId*** -- the registered client identifier,
* ***clientSecret*** -- the registered client secret,
* ***issuer*** -- the issuer identifier of the OIDC Server, and
* ***jwkSigningUrl*** -- the URL of the OIDC Server's JWK (signing key) document.
Configure like so:
```xml
<bean id="openIdConnectAuthenticationFilter"
      class="org.mitre.openid.connect.client.OpenIdConnectAuthenticationFilter">
    <property name="authenticationManager"
              ref="authenticationManager" />
    <property name="errorRedirectURI"
              value="/login.jsp?authfail=openid" />
    <property name="authorizationEndpointURI"
              value="http://server.example.com:8080/openid-connect-server/openidconnect/auth" />
    <property name="tokenEndpointURI"
              value="http://server.example.com:8080/openid-connect-server/openidconnect/token" />
    <property name="clientId"
              value="someClientId" />
    <property name="clientSecret" value="someClientSecret" />
    <property name="issuer" value="http://server.example.com:8080/openid-connect-server/" />
    <property name="jwkSigningUrl" value="http://server.example.com:8080/openid-connect-server/jwk" />
</bean>
```
NOTE: Again, you will need your own implementation of a ***UserDetailsService*** specific to your deployment. See the last section of this document.

### Alternatively, Configuring the OIDCAuthenticationUsingChooserFilter ###

Alternatively, the ***OIDCAuthenticationUsingChooserFilter*** can be configured and used. It was written in response to [Issue #39 ]. [The Client -- Account Chooser protocol] documentation details the protocol used between the Client and an Account Chooser application.

The ***OIDCAuthenticationUsingChooserFilter*** has the following properties:
* ***oidcServerConfigs*** -- a map of ***OIDCServerConfiguration***s, each encapsulating the settings necessary for the client to communicate with one OIDC server,
* ***accountChooserURI*** -- the URI of the Account Chooser, and
* ***accountChooserClientID*** -- the identifier of this Client at the Account Chooser UI application.
Each ***OIDCServerConfiguration*** entry in the ***oidcServerConfigs*** map is keyed by the ***issuer*** returned from the Account Chooser Application and carries the following properties:

* ***authorizationEndpointURI*** -- the URI of the Authorization Endpoint,
* ***tokenEndpointURI*** -- the URI of the Token Endpoint,
* ***clientId*** -- the registered client identifier, and
* ***clientSecret*** -- the registered client secret.
Configure like so:
```xml
<bean id="openIdConnectAuthenticationFilter"
      class="org.mitre.openid.connect.client.OIDCAuthenticationUsingChooserFilter">
    <property name="errorRedirectURI" value="/login.jsp?authfail=openid" />
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accountChooserURI"
              value="http://server.example.com:8080/account-chooser" />
    <property name="accountChooserClientID" value="FGWEUIASJK" />
    <property name="oidcServerConfigs">
        <map>
            <entry key="http://server.example.com:8080/openid-connect-server">
                <bean class="org.mitre.openid.connect.client.OIDCServerConfiguration">
                    <property name="authorizationEndpointURI"
                              value="http://server.example.com:8080/openid-connect-server/oauth/authorize" />
                    <property name="tokenEndpointURI"
                              value="http://server.example.com:8080/openid-connect-server/oauth/token" />
                    <property name="clientId"
                              value="someClientId" />
                    <property name="clientSecret" value="someClientSecret" />
                </bean>
            </entry>
            <!-- . . . one <entry> per additional OIDC server, keyed by its issuer . . . -->
        </map>
    </property>
</bean>
```
Again, you will need your own implementation of a ** *UserDetailsService***. See the next section.
## Implementing your own UserDetailsService ##
You need to implement your own ** *UserDetailsService*** to complete the authentication.
An example ** *UserDetailsService*** for the Rave Portal follows:
```java
package org.mitre.mpn.service.impl;

import java.util.UUID;

import org.apache.rave.portal.model.NewUser;
import org.apache.rave.portal.model.User;
import org.apache.rave.portal.service.NewAccountService;
import org.apache.rave.portal.service.UserService;
import org.mitre.openid.connect.client.OpenIdConnectAuthenticationToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service(value = "myUserDetailsService")
public class MyUserDetailsService implements UserDetailsService,
        AuthenticationUserDetailsService<OpenIdConnectAuthenticationToken> {

    private static final Logger log = LoggerFactory.getLogger(MyUserDetailsService.class);

    private final UserService userService;
    private final NewAccountService newAccountService;

    // TODO: This is temporarily hard-coded while we wait for the concept of Page Templates to be implemented in Rave
    private static final String DEFAULT_LAYOUT_CODE = "columns_3";

    @Autowired
    public MyUserDetailsService(UserService userService, NewAccountService newAccountService) {
        this.userService = userService;
        this.newAccountService = newAccountService;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.core.userdetails.UserDetailsService#loadUserByUsername(java.lang.String)
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        log.debug("loadUserByUsername called with: {}", username);
        User user = userService.getUserByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("User with username '" + username + "' was not found!");
        }
        return user;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.core.userdetails.AuthenticationUserDetailsService#loadUserDetails(org.springframework.security.core.Authentication)
     */
    @Override
    public UserDetails loadUserDetails(OpenIdConnectAuthenticationToken token) throws UsernameNotFoundException {
        log.debug("loadUserDetails called with: {}", token);
        // Look up the local account for the subject asserted by the OIDC Server;
        // if none exists yet, provision one on first login.
        User user = userService.getUserByUsername(token.getUserId());
        if (user == null) {
            NewUser newUser = new NewUser();
            newUser.setUsername(token.getUserId());
            newUser.setEmail(token.getUserId() + "@example.com");
            newUser.setPageLayout(DEFAULT_LAYOUT_CODE);
            // The local password is never used for login; a random value satisfies the Rave model.
            newUser.setPassword(UUID.randomUUID().toString());
            try {
                newAccountService.createNewAccount(newUser);
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
            // Re-read the account under the same identifier it was created with.
            user = userService.getUserByUsername(token.getUserId());
        }
        return user;
    }
}
```
[OpenID Connect Standard]: http://openid.net/specs/openid-connect-standard-1_0.html "OpenID Connect Standard 1.0"
[Authorization Code Flow]: http://openid.net/specs/openid-connect-standard-1_0.html#code_flow "Authorization Code Flow, OpenID Connect Standard"
[Issuer Identifier]: http://openid.net/specs/openid-connect-messages-1_0.html#issuer_identifier "Issuer Identifier"
[Issue #39 ]: http://github.com/jricher/OpenID-Connect-Java-Spring-Server/issues/39 "Issue #39 -- Multiple Point Client"
[The Client -- Account Chooser protocol]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/account-chooser/docs/protocol.md