
[8.5.5.4 or later]
Configuring an OpenID Connect Provider in Liberty
You can configure a Liberty server to function as an OpenID Connect Provider, or authorization server, to take advantage of web single sign-on.
About this task
You can configure a Liberty server to act as an OpenID Connect Provider by enabling the openidConnectServer-1.0 feature in Liberty and adding the related configuration described in this task.
Procedure
- Add the openidConnectServer-1.0 Liberty feature and any other needed features to the server.xml file. The ssl-1.0 feature is also required for the openidConnectServer-1.0 feature.

```xml
<feature>openidConnectServer-1.0</feature>
<feature>ssl-1.0</feature>
```
- Define an OAuth service provider. OpenID Connect is built on top of the OAuth 2.0 protocol, and you must configure a valid OAuth service provider. The configuration of an OAuth service provider includes the appropriate oauth-roles, oauthProvider, and user registry elements. Any user that is authorized to use OpenID Connect must also be mapped to the authenticated oauth-role. See Defining an OAuth service provider for more information.
The OAuth metadata is updated for OpenID Connect, and the main additions are in the client metadata. If you use the databaseStore mode for client registration, see Configuring an OpenID Connect Provider to accept client registration requests for more information. It is suggested that you follow the document to manage clients. If you use the localStore mode for client registration, you can register the scope, preAuthorizedScope, grantTypes, responseTypes, introspectTokens, and functionalUserId, as well as other attributes.
- Add an openidConnectProvider element whose oauthProviderRef attribute references the configured oauthProvider. Each oauthProvider can be referenced by only one openidConnectProvider; two or more openidConnectProvider elements cannot reference the same oauthProvider. The name attribute and the secret attribute of the client element must match the client ID and the client secret of the corresponding OpenID Connect Client. This example works with the default Liberty server OpenID Connect Client. Note: In this example, the OP expects the client's SSL port to be set to 443.

```xml
<openidConnectProvider id="OidcConfigSample" oauthProviderRef="OAuthConfigSample" />
<oauthProvider id="OAuthConfigSample">
  <localStore>
    <client name="client01" secret="{xor}LDo8LTor" displayname="client01"
            scope="openid profile email"
            redirect="https://server.example.com:443/oidcclient/redirect/client01" />
  </localStore>
</oauthProvider>
```

Note: A valid client must register its name, redirect, scope, and secret for the authorization_code grant type.
- Configure the truststore of the server to include the signer certificates of the OpenID Connect Relying Parties, or clients, that are supported. For information about keystores, see Enabling SSL communication in Liberty.
- Modify the SSL configuration of the server to use the configured truststore.

```xml
<sslDefault sslRef="DefaultSSLSettings" />
<ssl id="DefaultSSLSettings" keyStoreRef="myKeyStore" trustStoreRef="myTrustStore" />
<keyStore id="myKeyStore" password="{xor}Lz4sLCgwLTs=" type="jks"
          location="${server.config.dir}/resources/security/BasicKeyStore.jks" />
<keyStore id="myTrustStore" password="{xor}Lz4sLCgwLTs=" type="jks"
          location="${server.config.dir}/resources/security/BasicTrustStore.jks" />
```
OpenID Connect is configured to use the default SSL configuration that is specified by the server. Therefore, the default SSL configuration for the server must use the truststore that is configured for OpenID Connect.
The user consent form in OpenID Connect is pluggable, which allows providers to create and maintain their own consent form. Because this form is retrieved over SSL, you must configure the truststore to include the signer certificate of the server on which the consent form is hosted. If the default consent form is used and the truststore that is used for OpenID Connect is configured to be different from the keystore that is used by the Liberty server, you must import the Liberty server's signer certificate into the OpenID Connect truststore.
For more OpenID Connect Provider configuration options, see **** MISSING FILE ****.
Note: In order to use OpenID Connect, the scope attribute must include openid in the scope list.
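The steps above combined into one server.xml, as an added example that is not part of the original page; the user name, password, ports and keystore file names are placeholders, and the client uses the sample values from the steps above together with the optional localStore client attributes (preAuthorizedScope, grantTypes, responseTypes) that the task mentions:

```xml
<server description="OpenID Connect Provider (added example; placeholder values)">
  <featureManager>
    <feature>openidConnectServer-1.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>

  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />

  <!-- User registry (placeholder user): every user who may use OpenID Connect
       must exist here AND be mapped to the authenticated oauth-role below. -->
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="alice" password="alice-placeholder-password" />
  </basicRegistry>

  <oauth-roles>
    <authenticated>
      <user name="alice" />
    </authenticated>
  </oauth-roles>

  <!-- OAuth 2.0 provider with a localStore client. The scope list must include
       "openid"; name and secret must match the RP's client ID and client secret. -->
  <oauthProvider id="OAuthConfigSample">
    <localStore>
      <client name="client01" secret="{xor}LDo8LTor" displayname="client01"
              scope="openid profile email"
              preAuthorizedScope="openid"
              grantTypes="authorization_code refresh_token"
              responseTypes="code"
              redirect="https://server.example.com:443/oidcclient/redirect/client01" />
    </localStore>
  </oauthProvider>

  <!-- Exactly one openidConnectProvider may reference a given oauthProvider. -->
  <openidConnectProvider id="OidcConfigSample" oauthProviderRef="OAuthConfigSample" />

  <!-- OpenID Connect uses the server's default SSL configuration, so the default
       must point at the truststore that holds the RP signer certificates. -->
  <sslDefault sslRef="DefaultSSLSettings" />
  <ssl id="DefaultSSLSettings" keyStoreRef="myKeyStore" trustStoreRef="myTrustStore" />
  <keyStore id="myKeyStore" password="{xor}Lz4sLCgwLTs=" type="jks"
            location="${server.config.dir}/resources/security/BasicKeyStore.jks" />
  <keyStore id="myTrustStore" password="{xor}Lz4sLCgwLTs=" type="jks"
            location="${server.config.dir}/resources/security/BasicTrustStore.jks" />
</server>
```

If the truststore differs from the keystore and the default consent form is used, the Liberty server's own signer certificate must also be imported into myTrustStore, as the text above requires.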
Subtopics
- Using an OpenID Connect provider as an OAuth 2.0 authorization server: An OpenID Connect provider can be used as a normal OAuth 2.0 authorization provider to issue an OAuth 2.0 access_token, and supports all OAuth 2.0 grant types.
- Configuring an OpenID Connect Provider to accept discovery requests: The discovery configuration endpoint makes information available about the capabilities that are supported by the OpenID Connect Provider (OP) server.
- Configuring claims returned by the UserInfo endpoint: You can configure a Liberty OpenID Connect Provider to customize the claims that are returned by the UserInfo endpoint.
- Configuring an OpenID Connect Provider to enable 2-legged OAuth requests: The typical OAuth flow consists of three "legs", or stages of interaction between a client and an authorization server. In 2-legged OAuth scenarios, the client uses pre-authorized scopes so that no interaction with the user is necessary, removing the need to perform one of the legs in the typical flow. Specifically, the user does not need to authenticate to the authorization server or give consent for sharing the information that is specified by the requested scopes. Instead, all requested scope parameters are considered pre-authorized and are automatically added to the request token, which is then sent to the authorization server.
- Configuring an OpenID Connect Provider to use the RSA-SHA256 algorithm for signing of ID tokens: You can configure an OpenID Connect Provider to use the RS256 algorithm for the signing of ID tokens.
- Configuring an OpenID Connect Provider to accept JSON Web Tokens (JWT) for authorization grants: You can configure a Liberty server that acts as an OpenID Connect Provider to accept a JSON Web Token in exchange for an access token.
- Configuring an OpenID Connect Provider to accept client registration requests: The client registration endpoint is an administrator-managed service that is used to register, update, delete, and retrieve information about an OpenID Connect Relying Party that intends to use the OpenID Connect Provider. In turn, the registration process can provide information for the Relying Party to use, including the OAuth 2.0 Client ID and Client Secret, if not specified.
- OpenID Connect custom forms: You can replace the default form login page for user authentication, or develop your own user consent form to collect client authorization data.
- Authenticating a user: The OpenID Connect provider supports traditional Java™ Platform, Enterprise Edition (J2EE) FormLogin for user authentication.


http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-libcore-mp&topic=twlp_config_oidc_op
File name: twlp_config_oidc_op.html