
Configure an OpenID Connect Provider in the Liberty profile

We can configure a Liberty profile server to function as an OpenID Connect Provider, or authorization server, to take advantage of web single sign-on.

We can configure a Liberty profile server to act as an OpenID Connect Provider by enabling the openidConnectServer-1.0 feature of the Liberty profile, in addition to other configuration information.

  1. Add the openidConnectServer-1.0 Liberty feature and any other needed features to server.xml.

    The ssl-1.0 feature is also required for the openidConnectServer-1.0 feature.

      <feature>openidConnectServer-1.0</feature>
      <feature>ssl-1.0</feature>

  2. Define an OAuth service provider.

    The configuration of an OAuth service provider includes the appropriate oauth-roles, oauthProvider, and user registry elements. Any user that is authorized to use OpenID Connect must also be mapped to the authenticated oauth-role.

    The OAuth metadata is updated for OpenID Connect, and the main additions are in the client metadata. We can use databaseStore mode to configure an OpenID Connect Provider to accept client registration requests. If we use the localStore mode for client registration, we can register the scope, preAuthorizedScope, grantTypes, responseTypes, introspectTokens, and functionalUserId, as well as other attributes.

  3. Add an openidConnectProvider element whose oauthProviderRef attribute references the configured oauthProvider.

    Each oauthProvider can be referenced by only one openidConnectProvider; two or more openidConnectProvider elements cannot reference the same oauthProvider. The name attribute and the secret attribute of the client element must match the client ID and the client secret of the corresponding OpenID Connect Client. This example works with the default Liberty profile server OpenID Connect Client.

    In this example, the OP expects the client's SSL port to be set to 443.

      <openidConnectProvider id="OidcConfigSample" oauthProviderRef="OAuthConfigSample" />

      <oauthProvider id="OAuthConfigSample">
          <localStore>
              <client name="client01"
                      secret="{xor}LDo8LTor"
                      displayname="client01"
                      scope="openid profile email"
                      redirect="https://server.example.com:443/oidcclient/redirect/client01"/>
          </localStore>
      </oauthProvider>


    A valid client must register its name, redirect, scope, and secret for the authorization_code grant type.

  4. Configure the truststore of the server to include the signer certificates of the OpenID Connect Relying Parties, or clients, supported.

  5. Modify the SSL configuration of the server to use the configured truststore.

    OpenID Connect is configured to use the default SSL configuration specified by the server. Therefore, the default SSL configuration for the server must use the truststore configured for OpenID Connect.

    The user consent form in OpenID Connect is pluggable, which allows providers to create and maintain their own consent form. Because this form is retrieved over SSL, configure the truststore to include the signer certificate of the server on which the consent form is hosted. If the default consent form is used and the truststore used for OpenID Connect is configured to be different from the keystore used by the Liberty profile server, we must import the Liberty profile server's signer certificate into the OpenID Connect truststore.

    To use OpenID Connect, the scope attribute must include openid in the scope list.
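
    The following server.xml pulls steps 1 through 5 together into one file. It is an added example, not configuration shipped with the Liberty profile or taken from this page, and it reuses the page's OAuthConfigSample, OidcConfigSample and client01 definitions. The user names, passwords, the oidcUsers group, the opadmin client manager, the truststore path and the store passwords are constructed sample values; replace them with your own.

```xml
<server description="OpenID Connect Provider (added example, constructed values)">
    <!-- Step 1: the OP feature plus the ssl-1.0 feature it requires -->
    <featureManager>
        <feature>openidConnectServer-1.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>

    <!-- Step 2: user registry (sample users and passwords, constructed for this example) -->
    <basicRegistry id="basic" realm="OidcRealm">
        <user name="alice" password="alicepwd"/>
        <user name="opadmin" password="opadminpwd"/>
        <group name="oidcUsers">
            <member name="alice"/>
        </group>
    </basicRegistry>

    <!-- Step 2: only members of the authenticated oauth-role may use OpenID Connect;
         the separate clientManager role is kept to an administrative account -->
    <oauth-roles>
        <authenticated group="oidcUsers"/>
        <clientManager user="opadmin"/>
    </oauth-roles>

    <!-- Step 2: the OAuth service provider with a locally registered client.
         name/secret must match the client ID and secret configured on the RP. -->
    <oauthProvider id="OAuthConfigSample">
        <localStore>
            <client name="client01"
                    secret="{xor}LDo8LTor"
                    displayname="client01"
                    scope="openid profile email"
                    preAuthorizedScope="openid profile email"
                    grantTypes="authorization_code"
                    responseTypes="code"
                    redirect="https://server.example.com:443/oidcclient/redirect/client01"
                    enabled="true"/>
        </localStore>
    </oauthProvider>

    <!-- Step 3: exactly one openidConnectProvider references this oauthProvider -->
    <openidConnectProvider id="OidcConfigSample" oauthProviderRef="OAuthConfigSample"/>

    <!-- Steps 4 and 5: a truststore holding the RPs' signer certificates, wired into
         the default SSL configuration that OpenID Connect uses (path is an assumption) -->
    <keyStore id="defaultKeyStore" password="keystorepwd"/>
    <keyStore id="opTrustStore"
              location="${server.config.dir}/resources/security/opTrust.jks"
              password="trustpwd"/>
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="opTrustStore"/>
    <sslDefault sslRef="defaultSSLConfig"/>
</server>
```

    Because the truststore (opTrustStore) is separate from the keystore (defaultKeyStore) here, the server's own signer certificate must also be imported into opTrust.jks when the default consent form is used, alongside the signer certificate of each Relying Party; `keytool -importcert` against that JKS file is one way to add them. Restricting grantTypes and responseTypes to the authorization code flow means the client cannot obtain tokens through any other grant, and only users in the authenticated role (the oidcUsers group) can complete a sign-on.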


Results

We have now completed the minimum configuration that is required to configure a Liberty profile server as an OpenID Connect Provider capable of communicating with other Liberty profile servers configured as OpenID Connect Clients.

