Liberty Repository [8.5.5.4 or later]
This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.

Configuring an OpenID Connect Provider in Liberty

You can configure a Liberty server to function as an OpenID Connect Provider, or authorization server, to take advantage of web single sign-on.

About this task

You can configure a Liberty server to act as an OpenID Connect Provider by enabling the openidConnectServer-1.0 feature in Liberty and adding the other configuration information that is described in this task.

Procedure

  1. Add the openidConnectServer-1.0 Liberty feature and any other needed features to the server.xml file. The ssl-1.0 feature is also required for the openidConnectServer-1.0 feature.
    <feature>openidConnectServer-1.0</feature>
    <feature>ssl-1.0</feature>
  2. Define an OAuth service provider. OpenID Connect is built on top of the OAuth 2.0 protocol and you must configure a valid OAuth service provider. The configuration of an OAuth service provider includes the appropriate oauth-roles, oauthProvider, and user registry elements. Any user that is authorized to use OpenID Connect must also be mapped to the authenticated oauth-role. See Defining an OAuth service provider for more information.

    The OAuth metadata is updated for OpenID Connect, and the main additions are in the client metadata. If you use the databaseStore mode for client registration, see Configuring an OpenID Connect Provider to accept client registration requests for more information, and follow that topic to manage clients. If you use the localStore mode for client registration, you can register the scope, preAuthorizedScope, grantTypes, responseTypes, introspectTokens, and functionalUserId attributes, as well as other attributes.

  3. Add an openidConnectProvider element whose oauthProviderRef attribute references the configured oauthProvider. Each oauthProvider can be referenced by only one openidConnectProvider; two or more openidConnectProvider elements cannot reference the same oauthProvider. The name attribute and the secret attribute of the client element must match the client ID and the client secret of the corresponding OpenID Connect Client. This example works with the default Liberty server OpenID Connect Client.
    Note: In this example, the OP expects the client's SSL port to be set to 443.
    <openidConnectProvider id="OidcConfigSample" oauthProviderRef="OAuthConfigSample" />

    <oauthProvider id="OAuthConfigSample">
      <localStore>
        <client name="client01" secret="{xor}LDo8LTor"
                displayname="client01"
                scope="openid profile email"
                redirect="https://server.example.com:443/oidcclient/redirect/client01"/>
      </localStore>
    </oauthProvider>
    Note: A valid client must register its name, redirect, scope, and secret for the authorization_code grant type.
  4. Configure the truststore of the server to include the signer certificates of the OpenID Connect Relying Parties, or clients, that are supported. For information about keystores, see Enabling SSL communication in Liberty.
  5. Modify the SSL configuration of the server to use the configured truststore.
    <sslDefault sslRef="DefaultSSLSettings" />
    <ssl id="DefaultSSLSettings" keyStoreRef="myKeyStore" trustStoreRef="myTrustStore" />
    <keyStore id="myKeyStore" password="{xor}Lz4sLCgwLTs=" type="jks" location="${server.config.dir}/resources/security/BasicKeyStore.jks" />
    <keyStore id="myTrustStore" password="{xor}Lz4sLCgwLTs=" type="jks" location="${server.config.dir}/resources/security/BasicTrustStore.jks" />

    OpenID Connect is configured to use the default SSL configuration that is specified by the server. Therefore, the default SSL configuration for the server must use the truststore that is configured for OpenID Connect.

    The user consent form in OpenID Connect is pluggable, which allows providers to create and maintain their own consent form. Because this form is retrieved over SSL, you must configure the truststore to include the signer certificate of the server on which the consent form is hosted. If the default consent form is used and the truststore that is used for OpenID Connect is configured to be different from the keystore that is used by the Liberty server, you must import the Liberty server's signer certificate into the OpenID Connect truststore.

    For more OpenID Connect Provider configuration options, see **** MISSING FILE ****.

    Note: In order to use OpenID Connect, the scope attribute must include openid in the scope list.
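The following Python script is an added example, not part of this topic or of the Liberty product: it parses a constructed server.xml assembled from the snippets in this procedure (same ids and attribute names) and reports any violation of the rules the steps state (both features enabled, every oauthProviderRef resolving to exactly one unshared oauthProvider, openid present in each client scope, and the default SSL configuration naming a truststore). The checking logic is this example's own assumption, not a Liberty validation tool.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml modelled on this topic's snippets (same ids); not a real server.
SERVER_XML = """<server>
  <featureManager>
    <feature>openidConnectServer-1.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>
  <openidConnectProvider id="OidcConfigSample" oauthProviderRef="OAuthConfigSample"/>
  <oauthProvider id="OAuthConfigSample">
    <localStore>
      <client name="client01" secret="{xor}LDo8LTor" scope="openid profile email"
              redirect="https://server.example.com:443/oidcclient/redirect/client01"/>
    </localStore>
  </oauthProvider>
  <sslDefault sslRef="DefaultSSLSettings"/>
  <ssl id="DefaultSSLSettings" keyStoreRef="myKeyStore" trustStoreRef="myTrustStore"/>
  <keyStore id="myKeyStore" password="{xor}Lz4sLCgwLTs=" type="jks" location="BasicKeyStore.jks"/>
  <keyStore id="myTrustStore" password="{xor}Lz4sLCgwLTs=" type="jks" location="BasicTrustStore.jks"/>
</server>
"""

def check_oidc_provider_config(xml_text):
    root = ET.fromstring(xml_text)
    problems = []  # empty list means the rules stated in this topic hold
    # Step 1: both features must be enabled.
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    problems += [f"missing feature {n}" for n in ("openidConnectServer-1.0", "ssl-1.0") if n not in features]
    # Step 3: every oauthProviderRef must resolve, and each oauthProvider may be referenced only once.
    providers = {p.get("id") for p in root.iter("oauthProvider")}
    seen = {}
    for op in root.iter("openidConnectProvider"):
        ref = op.get("oauthProviderRef")
        if ref not in providers:
            problems.append(f"{op.get('id')}: oauthProviderRef {ref!r} has no oauthProvider")
        elif ref in seen:
            problems.append(f"oauthProvider {ref} referenced by both {seen[ref]} and {op.get('id')}")
        seen[ref] = op.get("id")
    # Final note: a client's scope must include openid for OpenID Connect to work.
    for client in root.iter("client"):
        if "openid" not in (client.get("scope") or "").split():
            problems.append(f"client {client.get('name')}: scope lacks openid")
    # Step 5: the default SSL config must name an ssl element whose trustStoreRef is a keyStore.
    keystores = {k.get("id") for k in root.iter("keyStore")}
    ssl_by_id = {s.get("id"): s for s in root.iter("ssl")}
    for d in root.iter("sslDefault"):
        ssl = ssl_by_id.get(d.get("sslRef"))
        if ssl is None or ssl.get("trustStoreRef") not in keystores:
            problems.append(f"sslDefault {d.get('sslRef')!r}: unresolved ssl or trustStoreRef")
    return problems
```

Run it against a real server.xml by reading the file into check_oidc_provider_config; an empty result means the checks above pass, though the server's own startup still validates the full configuration.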

Results

You have now completed the minimum configuration that is required to configure a Liberty server as an OpenID Connect Provider capable of communicating with other Liberty servers configured as OpenID Connect Clients.




Last updated: Tuesday, 12 December 2017
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-libcore-mp&topic=twlp_config_oidc_op
File name: twlp_config_oidc_op.html