Per notes on #683, Submitting a sample configuration for the simple-web-client to work with Google OIDC.

2014-12-22 06:34:33 -08:00 · 2014-12-22 06:34:33 -08:00 · 2c6bb60df0
parent 7990284c8d
commit 2c6bb60df0
1 changed files with 72 additions and 0 deletions
--- a/Sample-Static-Configuration-for-using-Google-Authentication.md
+++ b/Sample-Static-Configuration-for-using-Google-Authentication.md
@ -0,0 +1,72 @@
+Google has a couple non-standard behaviors that had to be addresses as a special case, thus you can't really use all the types of server configurations, and will be limited to Hybrid or Static where Google is setup in a particular way. 
+
+The following example is based on making the sample simple-web-app to work with a Static configuration that uses Google Authentication, one can extrapolate from this to get a Hybrid configuration working. The updates shown here were done to the src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml file (see <https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Client-configuration>).
+
+1. Set the Authentication Filter to use your configurations, in this sample Static configurations:
+    ``` xml
+    <bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
+       <property name="authenticationManager" ref="authenticationManager" />
+
+       <property name="issuerService" ref="staticIssuerService" />
+       <property name="serverConfigurationService" ref="staticServerConfigurationService" />
+       <property name="clientConfigurationService" ref="staticClientConfigurationService" />
+       <property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
+       <property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
+    </bean>
+    ```
+
+1. Setup your issuer to be "Google". Not the effect of this on the simple client is that it will basically ignore anything you type on the entry box during Login.
+    ``` xml
+    <bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
+       <property name="issuer" value="accounts.google.com" />
+    </bean>
+    ```
+
+1. Configure the Google Server entry to use the OAuth2.0/OIDC endpoints Google uses. This is where the non-standard behaviors are addressed. The "issuer" is not prefixed with "https://" and thus a static configuration is needed, and Google processing does not ignore the "nonce" parameter, which required the audition of the "nonceEnabled" property.
+    ``` xml
+    <bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService" id="staticServerConfigurationService">
+       <property name="servers">
+          <map>
+             <entry key="accounts.google.com">
+                <bean class="org.mitre.openid.connect.config.ServerConfiguration">
+                   <property name="issuer" value="accounts.google.com" />
+                   <property name="authorizationEndpointUri" value="https://accounts.google.com/o/oauth2/auth" />
+                   <property name="tokenEndpointUri"   value="https://accounts.google.com/o/oauth2/token" />
+                   <property name="userInfoUri" value="https://www.googleapis.com/plus/v1/people/me/openIdConnect" />
+                   <property name="jwksUri" value="https://www.googleapis.com/oauth2/v2/certs" />
+                   <property name="nonceEnabled" value="false" />
+                </bean>
+             </entry>
+          </map>
+       </property>
+    </bean>
+    ```
+
+1. Finally, you must configure your client to work with Google requirements. Replace anything called "my-*" with your actual values, obtained from your Google API via the Google Developers Console.
+    ``` xml
+    <bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
+       <property name="clients">
+          <map>
+             <entry key="accounts.google.com">
+                <bean class="org.mitre.oauth2.model.RegisteredClient">
+                   <property name="clientName" value="my-client-name" />
+                   <property name="clientId" value="my-google-client-id-from-console" />
+                   <property name="scope">
+                      <set value-type="java.lang.String">
+                         <value>openid</value>
+                         <value>email</value>
+                         <value>profile</value>
+                      </set>
+                   </property>
+                   <property name="tokenEndpointAuthMethod" value="SECRET_POST" />
+                   <property name="redirectUris">
+                      <set>
+                         <value>https://my-redirect-uri-setup-in-google/</value>
+                      </set>
+                   </property>
+                 </bean>
+             </entry>
+          </map>
+        </property>
+    </bean>
+    ```