github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Updated Architecture (markdown)

master
jricher 2013-04-26 12:26:45 -07:00
parent 623341e8db
commit 92f187d820
1 changed files with 12 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
Architecture.md

@ -2,9 +2,7 @@ This project (OIDC-JSS) is intended to be a standalone OpenID Connect Server. Ex
OIDC-JSS is built on Spring 3.1 and Spring Security 3.1, making heavy use of the OAuth2 module of Spring Security OAuth (SECOAUTH)*. Wherever sensible, we have tried to make use of existing functionality in SECOAUTH, Spring, and Spring Security. Because of this, much of the functionality of OIDC-JSS is hidden in Spring context configuration files and may not be readily apparent when examining the codebase. This architecture document will attempt to lay out which portions of the server implementation reside in our own code, and which portions are delegated to the SECOAUTH library. OIDC-JSS is built on Spring 3.1 and Spring Security 3.1, making heavy use of the OAuth2 module of Spring Security OAuth (SECOAUTH)*. Wherever sensible, we have tried to make use of existing functionality in SECOAUTH, Spring, and Spring Security. Because of this, much of the functionality of OIDC-JSS is hidden in Spring context configuration files and may not be readily apparent when examining the codebase. This architecture document will attempt to lay out which portions of the server implementation reside in our own code, and which portions are delegated to the SECOAUTH library.
In addition, we have written a JWT library (which eventually should be moved outside of this project as a standalone library of its own). We are using this library extensively throughout our code such that all of our Access Tokens and ID Tokens are (optionally signed) JWTs. We are using JPA with Eclipselink and either an internal HSQL or external MySQL databases for token, client, and user data persistence.
We are using JPA with Eclipselink and external MySQL databases for token, client, and user data persistence.
## Modules ## Modules
@ -13,7 +11,6 @@ The project uses a multi-level Maven and git repository structure. The main proj
* openid-connect-common: common classes, service and repository interfaces, and JPA-annotated model code. The JWT library is currently included here, but will eventually be moved out as a separate, external library. * openid-connect-common: common classes, service and repository interfaces, and JPA-annotated model code. The JWT library is currently included here, but will eventually be moved out as a separate, external library.
* openid-connect-server: IdP/server implementation, includes implementations of services and repositories for use by server. * openid-connect-server: IdP/server implementation, includes implementations of services and repositories for use by server.
* openid-connect-client: RP/client implementation, built around spring security filters. * openid-connect-client: RP/client implementation, built around spring security filters.
* spring-security-oauth: Git submodule that points to the Spring Security OAuth Git repository. Will be removed once a reliable milestone is reached upstream (see note above).
## Spring Configuration ## Spring Configuration
@ -53,28 +50,28 @@ The diagram below shows how all of these pieces fit together.
The OAuth2 and OpenID Connect endpoints are currently set to the following values: The OAuth2 and OpenID Connect endpoints are currently set to the following values:
* Authorization endpoint: /openidconnect/auth * Authorization endpoint: /authorize
* Token endpoint: /openidconnect/token * Token endpoint: /token
* Check ID (deprecated): /checkid * Token introspection: /introspect
* Token revocation: /revoke
* JWK: /jwk * JWK: /jwk
* SWD: /swd
* User info: /userinfo * User info: /userinfo
* Provider configuration: /.well-known/openid-configuration * Provider configuration: /.well-known/openid-configuration
These endpoints are compliant with the OpenID Connect family of specifications. For instructions regarding how to interact with these endpoints, please see the specifications at openid.net/connect. These endpoints are compliant with the OpenID Connect family of specifications. For instructions regarding how to interact with these endpoints, please see the specifications at http://openid.net/connect.
## Tokens ## Tokens
We are using the SECOAUTH TokenEndpoint, with several custom beans injected that allow us to customize the tokens we produce and consume. We are using structured JWT (JSON Web Token) Bearer tokens. These tokens can be optionally signed using the JWE / JWK specifications. We are using the SECOAUTH TokenEndpoint, with several custom beans injected that allow us to customize the tokens we produce and consume. We are using structured JWT (JSON Web Token) Bearer tokens. These tokens can be optionally signed using the JWE / JWK specifications.
The JWT library, currently in openid-connect-common, handles serialization/deserialization and manipulation of JWTs. Our implementation of the SECOAUTH OAuth2AccessToken interface, OAuth2AccessTokenEntity, implements our JWT interface and returns the serialized version of the JWT from its Value field. We use the NimbusDS JWT-JOSE library to handle all JWT and JOSE functions. Our implementation of the SECOAUTH OAuth2AccessToken interface, OAuth2AccessTokenEntity, implements our JWT interface and returns the serialized version of the JWT from its Value field.
For more information: For more information:
* [JWS](http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-04) * [JWS](http://tools.ietf.org/html/draft-ietf-jose-json-web-signature)
* [JWE](http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-04) * [JWE](http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption)
* [JWK](http://tools.ietf.org/html/draft-ietf-jose-json-web-key-04) * [JWK](http://tools.ietf.org/html/draft-ietf-jose-json-web-key)
* [JWA](http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-04) * [JWA](http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms)
* [JWT](http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-02) * [JWT](http://tools.ietf.org/html/draft-ietf-oauth-json-web-token)
## Users ## Users
UserDetailsService - used by Spring Security's AuthenticationProvider to represent the current user (loads a user from a given user id) UserDetailsService - used by Spring Security's AuthenticationProvider to represent the current user (loads a user from a given user id)
@ -96,6 +93,3 @@ For instance, to overwrite the data source configuration in the main server war
[How to set up an Overlay Project](Maven-Overlay-Project-How-To) [How to set up an Overlay Project](Maven-Overlay-Project-How-To)
***
*We are currently tracking against the development version of SECOAUTH, which is included in the build directories as a Git submodule. This submodule must be initialized before the main project can be built (see Build Instructions for details). Once SECOAUTH stabilizes to sufficient point, we will instead use a Maven dependency against a specific milestone / release version.