Configure an OpenID Connect Client in the Liberty profile
We can configure a Liberty profile server to function as an OpenID Connect Client, or Relying Party, to take advantage of web single sign-on and to use an OpenID Connect Provider as an identity provider.
We can configure a Liberty profile server to act as an OpenID Connect Client by enabling the openidConnectClient-1.0 feature of the Liberty profile, in addition to other configuration information.
- Add the openidConnectClient-1.0 Liberty feature and any other needed features to server.xml. The ssl-1.0 feature is also required for the openidConnectClient-1.0 feature. Add the following element declaration inside the featureManager element in server.xml:
<feature>openidConnectClient-1.0</feature>
<feature>ssl-1.0</feature>
- Configure an openidConnectClient element. The following is an example of a minimal configuration that works with the default Liberty profile server OpenID Connect Provider.
The client must have an appropriately configured application available at the given URL pattern that can handle redirect requests from an OpenID Connect Provider. This URL must also precisely match the redirect URL registered for the client with the OP.
In this example, the client expects the OP's SSL port to be set to 443.
<openidConnectClient id="client01"
    clientId="client01"
    clientSecret="{xor}LDo8LTor"
    authorizationEndpointUrl="https://server.example.com:443/oidc/endpoint/OidcConfigSample/authorize"
    tokenEndpointUrl="https://server.example.com:443/oidc/endpoint/OidcConfigSample/token">
</openidConnectClient>
In this sample minimal configuration, the following default values are assumed:
- scope=openid profile: The openid scope is required; use the scope attribute to change the set of requested scopes. For example, we can change the required scope to openid profile email.
- This RP registers its redirect URL with the OP as https://<host name>:<ssl port>/oidcclient/redirect/client01, where the host name and SSL port are resolved automatically and client01 is the id of the openidConnectClient configuration element. If there is a proxy in front of the RP, we can override the host name and port with the redirectToRPHostAndPort attribute, setting it to https://<host name>:<ssl port>.
- Configure a user registry. User identities that are returned by the OP are not mapped to a registry user by default, so no users need to be configured in the registry. However, if the mapIdentityToRegistryUser attribute of the openidConnectClient element is set to true, the registry must contain a user entry for the identity returned from the OP in order for authentication and authorization to succeed. For more information about configuring a user registry, see Configure a user registry.
- Configure the truststore of the server to include the signer certificates of the supported OpenID Connect Providers. For information about keystores, see Enable SSL communication.
- Modify the SSL configuration of the server to use the configured truststore.
<sslDefault sslRef="DefaultSSLSettings" />
<ssl id="DefaultSSLSettings" keyStoreRef="myKeyStore" trustStoreRef="myTrustStore" />
<keyStore id="myKeyStore" password="{xor}EzY9Oi0rJg==" type="jks" location="${server.config.dir}/resources/security/BasicKeyStore.jks" />
<keyStore id="myTrustStore" password="{xor}EzY9Oi0rJg==" type="jks" location="${server.config.dir}/resources/security/BasicTrustStore.jks" />
OpenID Connect is configured to use the default SSL configuration specified by the server. Therefore, the default SSL configuration for the server must use the truststore configured for OpenID Connect.
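As an added example that is not part of the Liberty documentation, the following Python script parses a constructed server.xml fragment and checks the requirements from the steps above (both features declared, the openid scope retained, and the default SSL configuration chained to a defined truststore), and derives the redirect URL each client registers with the OP, honouring redirectToRPHostAndPort for a proxied RP. The host name and SSL port are passed in explicitly because the RP resolves them at run time; client02 and the www.example.com proxy address are constructed values.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from a real deployment), mirroring the page's minimal config.
SERVER_XML = """<server>
  <featureManager>
    <feature>openidConnectClient-1.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>
  <openidConnectClient id="client01" clientId="client01" clientSecret="{xor}LDo8LTor"
      authorizationEndpointUrl="https://server.example.com:443/oidc/endpoint/OidcConfigSample/authorize"
      tokenEndpointUrl="https://server.example.com:443/oidc/endpoint/OidcConfigSample/token"/>
  <openidConnectClient id="client02" clientId="client02" clientSecret="{xor}LDo8LTor"
      scope="openid profile email" redirectToRPHostAndPort="https://www.example.com:443"
      authorizationEndpointUrl="https://server.example.com:443/oidc/endpoint/OidcConfigSample/authorize"
      tokenEndpointUrl="https://server.example.com:443/oidc/endpoint/OidcConfigSample/token"/>
  <sslDefault sslRef="DefaultSSLSettings"/>
  <ssl id="DefaultSSLSettings" keyStoreRef="myKeyStore" trustStoreRef="myTrustStore"/>
  <keyStore id="myKeyStore" password="{xor}EzY9Oi0rJg==" type="jks"
      location="${server.config.dir}/resources/security/BasicKeyStore.jks"/>
  <keyStore id="myTrustStore" password="{xor}EzY9Oi0rJg==" type="jks"
      location="${server.config.dir}/resources/security/BasicTrustStore.jks"/>
</server>"""


def redirect_urls(xml_text, host, ssl_port):
    """Redirect URL each RP registers with the OP: https://<host>:<port>/oidcclient/redirect/<id>,
    with redirectToRPHostAndPort taking precedence when the RP sits behind a proxy."""
    urls = {}
    for client in ET.fromstring(xml_text).iter("openidConnectClient"):
        base = client.get("redirectToRPHostAndPort") or f"https://{host}:{ssl_port}"
        urls[client.get("id")] = f"{base.rstrip('/')}/oidcclient/redirect/{client.get('id')}"
    return urls


def check_config(xml_text):
    """Return findings against the page's minimum requirements; an empty list means all are met."""
    root = ET.fromstring(xml_text)
    findings = []
    features = {f.text.strip() for f in root.iter("feature")}
    for needed in ("openidConnectClient-1.0", "ssl-1.0"):  # ssl-1.0 is required alongside the client feature
        if needed not in features:
            findings.append(f"missing feature {needed}")
    for client in root.iter("openidConnectClient"):
        if "openid" not in client.get("scope", "openid profile").split():  # default scope is "openid profile"
            findings.append(f"{client.get('id')}: scope must include openid")
    # OpenID Connect uses the server's default SSL configuration, so that chain must reach a truststore.
    default = root.find("sslDefault")
    ssl = root.find(f"ssl[@id='{default.get('sslRef')}']") if default is not None else None
    if ssl is None or ssl.get("trustStoreRef") not in {k.get("id") for k in root.iter("keyStore")}:
        findings.append("default SSL configuration does not reference a defined truststore")
    return findings
```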
For more OpenID Connect Client configuration options, see Configuration elements in server.xml.
Results
We have now established the minimum configuration that is required to configure a Liberty profile server as an OpenID Connect Client capable of communicating with other Liberty profile servers configured as OpenID Connect Providers.
Subtopics
Invoking the Authorization Endpoint for OpenID Connect
In OpenID Connect the authorization endpoint handles authentication and authorization of a user.
Invoking the Token Endpoint for OpenID Connect
In the OpenID Connect Authorization Code Flow, the token endpoint is used by a client to obtain an ID token, access token, and refresh token.
Invoking the Introspection Endpoint for OpenID Connect
The introspection endpoint enables holders of access tokens to request a set of metadata about an access token from the OpenID Connect Provider that issued the access token. The access token must be one that was obtained through OpenID Connect or OAuth authentication.
Invoking the coverage map service
The coverage map service is an unprotected endpoint that returns a JavaScript Object Notation (JSON) array of slash-terminated URI prefixes. The array of URI prefixes designates which web contexts are part of a Single Sign On (SSO) group, so that clients can tell whether a URI destination is considered safe to send an access token to.
Invoking the UserInfo Endpoint for OpenID Connect
The UserInfo endpoint returns claims about a user that is authenticated with OpenID Connect authentication.