Hi there,
The last few weeks have once again brought changes to my life. First I started at a new job which obviously almost certainly means a lot of pressure due to the probation time etc. Secondly, I lost my beloved grandfather which hit me pretty hard. However, the life goes on, and one has to keep going, as long as one still has time of his own left.
Lately I have been working on single sign-on problems, and gotten a bit more familiar with the topic of OpenID connect, an additional layer built on OAuth2 protocol, and enabling authentication of users across websites and apps without them to be required to have separate credentials on each platform.
As most of the time, it really isn’t worthwhile “re-inventing the wheel”, i.e. one obviously should use existing libraries and clients (see e.g. Libraries listed on the OpenID connect web site). After having given a shot to a couple of alternatives, I decided to go for MitreID connect, a reference implementation of the OpenID protocol server and client, mainly because it was available for the target platform Spring and Spring security. One has to configure the OpenIdConnectAuthenticationFilter, and bind it to one’s own project so that it is used for the authentication.
To simplify the implementation, there is an existing client I used to get started more quickly, the simple-web-app. I first configured and modified the app to be functional with Google Sign-In. After the login was working, I proceeded with the installation of a KeyCloak server, an open source identity and access management solution. That was even easier to configure and take into use, because it supports OpenID connect out-of-the-box. Basically one has to enable and configure a client on the server with a secret and create the desired users. After this, it is possible to connect and carry out an SSO login by using the MitreID library.
The configuration of MitreID client is done in the file servlet-context.xml (only relevant parts listed). The OpenIdConnectAuthenticationFilter is specified to be used as custom pre authentication filter. Also a logout url is provided within the <http> block. Moreover, the authentication entry point and authentication manager are specified.
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/>
<security:http auto-config="false" use-expressions="true"
disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint"
pattern="/**">
<security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter"/>
<security:logout logout-success-url="/" invalidate-session="true"
logout-url="https://localhost:8080/auth/realms/sso/protocol/openid-connect/logout"/>
</security:http>
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<constructor-arg name="loginFormUrl" value="/openid_connect_login"/>
</bean>
The actual filter configuration is shown in the following:
<!-- The authentication filter -->
<bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="issuerService" ref="staticIssuerService"/>
<property name="serverConfigurationService" ref="hybridServerConfigurationService"/>
<property name="clientConfigurationService" ref="staticClientConfigurationService"/>
<property name="authRequestOptionsService" ref="staticAuthRequestOptionsService"/>
<property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder"/>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="openIdConnectAuthenticationProvider"/>
</security:authentication-manager>
<!-- Static issuer service, returns the same issuer for every request. -->
<bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
<property name="issuer" value="https://localhost:8080/auth/realms/sso"/>
</bean>
<!-- Server configuration: determines the parameters and URLs of the server to talk to. -->
<bean class="org.mitre.openid.connect.client.service.impl.HybridServerConfigurationService" id="hybridServerConfigurationService">
<property name="servers">
<map>
<entry key="https://localhost:8080/auth/realms/sso">
<bean class="org.mitre.openid.connect.config.ServerConfiguration">
<property name="issuer" value="https://localhost:8080/auth/realms/sso"/>
<property name="authorizationEndpointUri" value="https://localhost:8080/auth/realms/sso/protocol/openid-connect/auth"/> <property name="tokenEndpointUri" value="https://localhost:8080/auth/realms/sso/protocol/openid-connect/token"/>
<property name="userInfoUri" value="https://localhost:8080/auth/realms/sso/protocol/openid-connect/userinfo"/>
<property name="jwksUri" value="https://localhost:8080/auth/realms/sso/protocol/openid-connect/certs"/>
</bean>
</entry>
</map>
</property>
</bean>
<!-- Client Configuration: Determine which client identifier and credentials are used. -->
<!-- Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis. -->
<bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
<property name="clients">
<map>
<entry key="https://localhost:8080/auth/realms/sso">
<bean class="org.mitre.oauth2.model.RegisteredClient">
<property name="clientId" value="shop"/>
<property name="clientSecret" value="secret"/>
<property name="scope">
<set value-type="java.lang.String">
<value>openid</value>
<value>profile</value>
</set>
</property>
<property name="tokenEndpointAuthMethod" value="SECRET_POST"/>
<property name="redirectUris">
<set>
<value>http://localhost:8080/simple-web-app/openid_connect_login</value>
</set>
</property>
</bean>
</entry>
</map>
</property>
</bean>
What remains, is to bind the filter to an actual project. I will probably write another posting about a sample app. That’s it for now.