Updated Sample Static Configuration for using Google Authentication (markdown)
parent 7f84b1637b
commit cde46f3b95
|
@ -1,8 +1,6 @@
|
||||||
**Note that these instructions work only with the 1.2 development branch at this time.**
|
**Note that these instructions work only with the 1.2 development branch at this time.**
|
||||||
|
|
||||||
Google has a couple non-standard behaviors that had to be addresses as a special case, thus you can't really use all the types of server configurations, and will be limited to Hybrid or Static where Google is setup in a particular way.
|
Google does not allow dynamic client registration, but is otherwise compliant with the OpenID Connect protocol. You have to have the Google+ API enabled in your Google Developer Console order for this to work. There you create
|
||||||
|
|
||||||
You have to have the Google+ API enabled in order for this to work.
|
|
||||||
|
|
||||||
The following example is based on making the sample simple-web-app to work with a Static configuration that uses Google Authentication, one can extrapolate from this to get a Hybrid configuration working. The updates shown here were done to the `src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml` file (see [client configuration](Client-configuration)).
|
The following example is based on making the sample simple-web-app to work with a Static configuration that uses Google Authentication, one can extrapolate from this to get a Hybrid configuration working. The updates shown here were done to the `src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml` file (see [client configuration](Client-configuration)).
|
||||||
|
|
||||||
|
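Review bot: the new opening paragraph (the line beginning "Google does not allow dynamic client registration") ends mid-sentence at "There you create", and the sentence before it is missing a word ("in your Google Developer Console order for this to work" should read "in your Google Developer Console in order for this to work"). Since the separate "You have to have the Google+ API enabled in order for this to work." line was folded into this paragraph, finish the thought here, for example by saying what gets created in the console (the OAuth client whose client ID, client secret and redirect URI are pasted into the static client configuration later in the page), so the reader is not left hanging.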
@ -12,49 +10,38 @@ The following example is based on making the sample simple-web-app to work with
|
||||||
<property name="authenticationManager" ref="authenticationManager" />
|
<property name="authenticationManager" ref="authenticationManager" />
|
||||||
|
|
||||||
<property name="issuerService" ref="staticIssuerService" />
|
<property name="issuerService" ref="staticIssuerService" />
|
||||||
<property name="serverConfigurationService" ref="staticServerConfigurationService" />
|
<property name="serverConfigurationService" ref="dynamicServerConfigurationService" />
|
||||||
<property name="clientConfigurationService" ref="staticClientConfigurationService" />
|
<property name="clientConfigurationService" ref="staticClientConfigurationService" />
|
||||||
<property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
|
<property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
|
||||||
<property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
|
<property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
|
||||||
</bean>
|
</bean>
|
||||||
```
|
```
|
||||||
|
|
||||||
1. Setup your issuer to be "Google". Not the effect of this on the simple client is that it will basically ignore anything you type on the entry box during Login.
|
1. Setup your issuer to be `https://accounts.google.com`. This example uses the static issuer service; note the effect of this on the simple client is that it will basically ignore anything you type on the entry box during Login. To use multiple issuers, use a different issuer service and have a selector page where one of the options is `https://accounts.google.com`.
|
||||||
|
|
||||||
``` xml
|
``` xml
|
||||||
<bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
|
<bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
|
||||||
<property name="issuer" value="accounts.google.com" />
|
<property name="issuer" value="https://accounts.google.com" />
|
||||||
</bean>
|
</bean>
|
||||||
```
|
```
|
||||||
|
|
||||||
1. Configure the Google Server entry to use the OAuth2.0/OIDC endpoints Google uses. This is where the non-standard behaviors are addressed. The "issuer" is not prefixed with "https://" and thus a static configuration is needed, and Google processing does not ignore the "nonce" parameter, which required the addition of the "nonceEnabled" property.
|
1. Google's server configuration can be discovered dynamically from the issuer.
|
||||||
|
|
||||||
``` xml
|
``` xml
|
||||||
<bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService" id="staticServerConfigurationService">
|
<bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService" />
|
||||||
<property name="servers">
|
|
||||||
<map>
|
|
||||||
<entry key="accounts.google.com">
|
|
||||||
<bean class="org.mitre.openid.connect.config.ServerConfiguration">
|
|
||||||
<property name="issuer" value="accounts.google.com" />
|
|
||||||
<property name="authorizationEndpointUri" value="https://accounts.google.com/o/oauth2/auth" />
|
|
||||||
<property name="tokenEndpointUri" value="https://accounts.google.com/o/oauth2/token" />
|
|
||||||
<property name="userInfoUri" value="https://www.googleapis.com/plus/v1/people/me/openIdConnect" />
|
|
||||||
<property name="jwksUri" value="https://www.googleapis.com/oauth2/v2/certs" />
|
|
||||||
<property name="nonceEnabled" value="false" />
|
|
||||||
</bean>
|
|
||||||
</entry>
|
|
||||||
</map>
|
|
||||||
</property>
|
|
||||||
</bean>
|
|
||||||
```
|
```
|
||||||
|
|
||||||
1. Finally, you must configure your client to work with Google requirements. Replace anything called "my-*" with your actual values, obtained from your Google API via the Google Developers Console.
|
1. Finally, you must statically configure your client to work with Google requirements. Replace anything called "my-*" with your actual values, obtained from your Google API via the Google Developers Console.
|
||||||
|
|
||||||
``` xml
|
``` xml
|
||||||
<bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
|
<bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
|
||||||
<property name="clients">
|
<property name="clients">
|
||||||
<map>
|
<map>
|
||||||
<entry key="accounts.google.com">
|
<entry key="https://accounts.google.com">
|
||||||
<bean class="org.mitre.oauth2.model.RegisteredClient">
|
<bean class="org.mitre.oauth2.model.RegisteredClient">
|
||||||
<property name="clientName" value="my-client-name" />
|
<property name="clientName" value="my-client-name" />
|
||||||
<property name="clientId" value="my-google-client-id-from-console" />
|
<property name="clientId" value="my-google-client-id-from-console" />
|
||||||
|
<property name="clientSecret" value="my-google-client-secret-from-console" />
|
||||||
<property name="scope">
|
<property name="scope">
|
||||||
<set value-type="java.lang.String">
|
<set value-type="java.lang.String">
|
||||||
<value>openid</value>
|
<value>openid</value>
|
||||||
|
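Review bot: the rewritten step 2 ("Google's server configuration can be discovered dynamically from the issuer.") drops the `nonceEnabled=false` workaround together with the explanation that went with it, without saying whether Google still needs it; a disabled nonce removes the client's replay check on the ID token, so state explicitly that switching to `DynamicServerConfigurationService` leaves the default nonce handling in place (or, if the workaround is still required, keep the property and say so). Two smaller points in the same hunk: the new `<property name="clientSecret" value="my-google-client-secret-from-console" />` line puts a real credential into `servlet-context.xml`, which lives under `src/main/webapp/WEB-INF` and is normally committed, so step 3 should tell the reader to externalize the secret (a property placeholder or an untracked file) rather than paste it in; and the `clients` map key was changed to `https://accounts.google.com`, which is right because the map is keyed by issuer, but the text should say that this key has to agree with the value given to `StaticSingleIssuerService` in step 1.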
@ -62,7 +49,6 @@ The following example is based on making the sample simple-web-app to work with
|
||||||
<value>profile</value>
|
<value>profile</value>
|
||||||
</set>
|
</set>
|
||||||
</property>
|
</property>
|
||||||
<property name="tokenEndpointAuthMethod" value="SECRET_POST" />
|
|
||||||
<property name="redirectUris">
|
<property name="redirectUris">
|
||||||
<set>
|
<set>
|
||||||
<value>https://my-redirect-uri-setup-in-google/</value>
|
<value>https://my-redirect-uri-setup-in-google/</value>
|
||||||
|
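Review bot: the added `<property name="tokenEndpointAuthMethod" value="SECRET_POST" />` line is not mentioned anywhere in step 3, which only says to replace the `my-*` placeholders; add a sentence explaining why the default token endpoint authentication method is overridden for Google, otherwise a reader adapting this page for a Hybrid configuration or for another provider will not know whether to copy the line or leave it out.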
@ -73,4 +59,5 @@ The following example is based on making the sample simple-web-app to work with
|
||||||
</map>
|
</map>
|
||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|