# OpenID Connect Client # ## Overview ## This project contains an OpenID Connect Client implemented as a Spring Security AuthenticationFilter. The client facilitates a user's authentication into the secured application to an OpenID Connect Java Spring Server following the OpenID Connect Standard protocol. For an example of the Client configuration, see the [Simple Web App] project. ## Configuring ## Configure the client by adding the following XML to your application context security making changes where necessary for your specific deployment. Open and define an HTTP security configuration with a reference to a custom ***AuthenticationEntryPoint***, described below: Specify the access attributes and/or filter list for a particular set of URLs needing protection: Indicate that ***OIDCAuthenticationFilter*** authentication filter should be incorporated into the security filter chain: Then close the HTTP security configuration: Define a custom ***AuthenticationEntryPoint*** to use a login URL via a bean declaration: NOTE: The ***loginFormUrl*** value is post-pended to the URI of the application being secured to define the ***redirect_uri***, the value passed to the OIDC Server and, if the ***OIDCAuthenticationUsingChooserFilter*** is configured, also the Account Chooser Application. Define an ***AuthenticationManager*** with a reference to a custom authentication provider, ***OpenIDConnectAuthenticationProvider***: Define the custom authentication provider. Note that it does not take a UserDetailsService as input at this time but instead makes a call to the UserInfoEndpoint to fill in user information. ### Configuring the OIDCAuthenticationFilter ### The ***OIDCAuthenticationFilter*** filter is defined with the following properties: * ***authenticationManager*** -- a reference to the ***AuthenticationManager*** * ***errorRedirectURI*** -- the URI of the Error redirect Additionally, it contains a set of convenience methods to pass through to parameters on the ***OIDCServerConfiguration*** object that defines attributes of the server that it connects to: * ***issuer*** -- the root issuer string of this server (required) * ***authorizationEndpointUrl*** -- the URL of the Authorization Endpoint (required) * ***tokenEndpointUrl*** -- the URL of the Token Endpoint (required) * ***jwkSigningUrl*** -- the URL of the JWK (public key) Endpoint for token verification * ***clientId*** -- the registered client identifier (required) * ***clientSecret*** -- the registered client secret * ***userInfoUrl*** -- the URL of the User Info Endpoint * ***scope*** -- space-separated list of scopes; the required value "openid" will always be prepended to the list given here Configure like so: ### Configuring the OIDCAuthenticationUsingChooserFilter ### For talking to multiple IdPs using an Account chooser, the ***OIDCAuthenticationUsingChooserFilter*** can be configured and used. [The Client -- Account Chooser protocol] documentation details the protocol used between the Client and an Account Chooser application. The ***OIDCAuthenticationUsingChooserFilter*** Authentication Filter has the following properties: * ***authenticationManager*** -- a reference to the ***AuthenticationManager***, * ***errorRedirectURI*** -- the URI of the Error redirect, * ***accountChooserURI*** -- to denote the URI of the Account Chooser, and * ***accountChooserClient*** -- to identify the Client to the Account Chooser UI application. * ***oidcServerConfigs*** -- a map of ***OIDCserverConfiguration***s to encapsulate the settings necesary for the client to communicate with each respective OIDC server, Each ***OIDCServerConfiguration*** entry in ***OIDCserverConfiguration*** map is keyed to the ***issuer*** returned from the Account Chooser Application and enumerates the following properties: * ***authenticationManager*** -- a reference to the ***AuthenticationManager***, * ***issuer*** -- the root issuer string of this server (required) * ***authorizationEndpointUrl*** -- the URL of the Authorization Endpoint (required) * ***tokenEndpointUrl*** -- the URL of the Token Endpoint (required) * ***jwkSigningUrl*** -- the URL of the JWK (public key) Endpoint for token verification * ***clientId*** -- the registered client identifier (required) * ***clientSecret*** -- the registered client secret * ***userInfoUrl*** -- the URL of the User Info Endpoint * ***scope*** -- space-separated list of scopes; the required value "openid" will always be prepended to the list given here Configure like so: