You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
OpenID-Connect-Java-Spring-.../openid-connect-client/README.md

133 lines
8.0 KiB

# OpenID Connect Client #
13 years ago
## Overview ##
13 years ago
This project contains an OpenID Connect Client implemented as a Spring Security AuthenticationFilter. The client facilitates a user's authentication into the secured application to an OpenID Connect Java Spring Server following the OpenID Connect Standard protocol.
For an example of the Client configuration, see the [Simple Web App] project.
13 years ago
## Configuring ##
13 years ago
Configure the client by adding the following XML to your application context security making changes where necessary for your specific deployment.
Open and define an HTTP security configuration with a reference to a custom ***AuthenticationEntryPoint***, described below:
13 years ago
<security:http auto-config="false" use-expressions="true" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" pattern="/**">
13 years ago
Specify the access attributes and/or filter list for a particular set of URLs needing protection:
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
Indicate that ***OIDCAuthenticationFilter*** authentication filter should be incorporated into the security filter chain:
13 years ago
<security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />
Then close the HTTP security configuration:
13 years ago
</security:http>
Define a custom ***AuthenticationEntryPoint*** to use a login URL via a bean declaration:
13 years ago
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/openid_connect_login" />
13 years ago
</bean>
NOTE: The ***loginFormUrl*** value is post-pended to the URI of the application being secured to define the ***redirect_uri***, the value passed to the OIDC Server and, if the ***OIDCAuthenticationUsingChooserFilter*** is configured, also the Account Chooser Application.
Define an ***AuthenticationManager*** with a reference to a custom authentication provider, ***OpenIDConnectAuthenticationProvider***:
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="openIDConnectAuthenticationProvider" />
</security:authentication-manager>
Define the custom authentication provider. Note that it does not take a UserDetailsService as input at this time but instead makes a call to the UserInfoEndpoint to fill in user information.
13 years ago
<bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider" />
13 years ago
### Configuring the OIDCAuthenticationFilter ###
The ***OIDCAuthenticationFilter*** filter is defined with the following properties:
* ***authenticationManager*** -- a reference to the ***AuthenticationManager***
* ***errorRedirectURI*** -- the URI of the Error redirect
Additionally, it contains a set of convenience methods to pass through to parameters on the ***OIDCServerConfiguration*** object that defines attributes of the server that it connects to:
* ***issuer*** -- the root issuer string of this server (required)
* ***authorizationEndpointUrl*** -- the URL of the Authorization Endpoint (required)
* ***tokenEndpointUrl*** -- the URL of the Token Endpoint (required)
* ***jwkSigningUrl*** -- the URL of the JWK (public key) Endpoint for token verification
* ***clientId*** -- the registered client identifier (required)
* ***clientSecret*** -- the registered client secret
* ***userInfoUrl*** -- the URL of the User Info Endpoint
* ***scope*** -- space-separated list of scopes; the required value "openid" will always be prepended to the list given here
Configure like so:
13 years ago
<bean id="openIdConnectAuthenticationFilter"
class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="errorRedirectURI" value="/login.jsp?authfail=openid" />
<property name="issuer" value="http://server.example.com:8080/openid-connect-server/" />
<property name="authorizationEndpointUrl" value="http://sever.example.com:8080/openid-connect-server/openidconnect/auth" />
<property name="tokenEndpointUrl" value="http://sever.example.com:8080/openid-connect-server/openidconnect/token" />
<property name="jwkSigningUrl" value="http://server.example.com:8080/openid-connect-server/jwk" />
<property name="clientId" value="someClientId" />
<property name="clientSecret" value="someClientSecret" />
<property name="userInfoUrl" value="http://server.example.com:8080/open-id-connect-server/userinfo" />
<property name="scope" value="profile email address phone" />
</bean>
### Configuring the OIDCAuthenticationUsingChooserFilter ###
For talking to multiple IdPs using an Account chooser, the ***OIDCAuthenticationUsingChooserFilter*** can be configured and used. [The Client -- Account Chooser protocol] documentation details the protocol used between the Client and an Account Chooser application.
The ***OIDCAuthenticationUsingChooserFilter*** Authentication Filter has the following properties:
13 years ago
* ***authenticationManager*** -- a reference to the ***AuthenticationManager***,
* ***errorRedirectURI*** -- the URI of the Error redirect,
* ***accountChooserURI*** -- to denote the URI of the Account Chooser, and
* ***accountChooserClient*** -- to identify the Client to the Account Chooser UI application.
* ***oidcServerConfigs*** -- a map of ***OIDCserverConfiguration***s to encapsulate the settings necesary for the client to communicate with each respective OIDC server,
13 years ago
Each ***OIDCServerConfiguration*** entry in ***OIDCserverConfiguration*** map is keyed to the ***issuer*** returned from the Account Chooser Application and enumerates the following properties:
13 years ago
* ***authenticationManager*** -- a reference to the ***AuthenticationManager***,
* ***issuer*** -- the root issuer string of this server (required)
* ***authorizationEndpointUrl*** -- the URL of the Authorization Endpoint (required)
* ***tokenEndpointUrl*** -- the URL of the Token Endpoint (required)
* ***jwkSigningUrl*** -- the URL of the JWK (public key) Endpoint for token verification
* ***clientId*** -- the registered client identifier (required)
* ***clientSecret*** -- the registered client secret
* ***userInfoUrl*** -- the URL of the User Info Endpoint
* ***scope*** -- space-separated list of scopes; the required value "openid" will always be prepended to the list given here
13 years ago
Configure like so:
13 years ago
<bean id="openIdConnectAuthenticationFilter"
class="org.mitre.openid.connect.client.OIDCAuthenticationUsingChooserFilter">
13 years ago
<property name="errorRedirectURI" value="/login.jsp?authfail=openid" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="accountChooserURI" value="http://sever.example.com:8080/account-chooser" />
<property name="accountChooserClientID" value="FGWEUIASJK" />
13 years ago
<property name="oidcServerConfigs">
<map>
<entry key="http://sever.example.com:8080/Fopenid-connect-server">
13 years ago
<bean class="org.mitre.openid.connect.client.OIDCServerConfiguration">
<property name="issuer" value="http://server.example.com:8080/openid-connect-server/" />
<property name="authorizationEndpointUrl" value="http://sever.example.com:8080/openid-connect-server/openidconnect/auth" />
<property name="tokenEndpointUrl" value="http://sever.example.com:8080/openid-connect-server/openidconnect/token" />
<property name="jwkSigningUrl" value="http://server.example.com:8080/openid-connect-server/jwk" />
<property name="clientId" value="someClientId" />
<property name="clientSecret" value="someClientSecret" />
<property name="userInfoUrl" value="http://server.example.com:8080/open-id-connect-server/userinfo" />
<property name="scope" value="profile email address phone" />
13 years ago
</bean>
</entry>
<entry key=". . .
13 years ago
</map>
</property>
</bean>
[The Client -- Account Chooser protocol]: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/account-chooser/docs/protocol.md
[Simple Web App]: https://github.com/mitreid-connect/simple-web-app