OpenID Connect is a protocol built on top of OAuth2 for enabling standardized exchange of identity information – the specification is available here: http://openid.net/connect/
PortalProtect Ceptor can act as both an Identity Provider, and a Relying Party.
Please read the Oauth2 section here: OAuth2, and consider JWT as a specific type of Oauth2 bearer token, and OpenID Connect as a specification of the contents of the token – this is a bit simplified view, since OpenID Connect covers more than that, but it sets the scene.
The PortalProtect Ceptor Authentication plugin; JWTAuthenticationPlugin implements support for both issuing OpenID Connect access and ID tokens, and for consuming tokens, parsing and validating them and making their information available to applications protected by PortalProtectCeptor.
Usage Scenario
The following describes a typical scenario, where PortalProtect Ceptor is used as an Identity Provider, in this example; https://www.portalprotect.dk
...
Property | Value |
oauth2.clientpropertiesfile | <File to load remaining properties from> If specified, the remaining properties are loaded from this file – if not, they are instead loaded from the configuration within portalprotect-configuration.xml. |
oauth2.clients | <List of client names – separated by comma or semicolon > List the clients to load. |
The remaining properties start with: oauth2.client.xxxx | Where xxxx is the client name |
.clientid | <Client ID> Contains the client ID – in OpenID connect, the client ID must start with https:// |
.secret | <password – optionally obfuscated/encrypted> Client Secret – used when client gets issued an authorization code, and uses that code plus the client ID and client secret to access an access token and id token. |
.confidential | <boolean> If true, client_secret must be provided on all calls to token URL |
.allowedscopes | <scope name list> Lists the scopes this client is allowed to request – can be used to restrict certain clients so they can only access limited information about the user. |
.allowedredirecturis | <redirect URI list> Lists of valid redirect URIs for this client. |
.allowedlogouturis | <Logout URI list> List of valid logout URIs for this client. |
.validgranttypes | <Grant types> List of valid grant types for this client, can contain; authorization_code,implicit,hybrid,refresh_token See OpenID Connect specification for details. In short; authorization_code requires a server to use the client secret to gain an access token, impliciet allows javascript in the browser to access it, and hybrid is a combination of the two. refresh_token is required to support the offline_access scope. |
.accesstokenvalidityseconds | <Seconds – default: 60> Number of seconds that an issued access token is valid for. |
.maximumexpirationminutes | <Minutes – default: 60> Maximum expiration time of a generated ID token in minutes. |
.refreshtokenvalidityseconds | <Seconds – default: 60> Maximum refreshtoken validity seconds. |
.tokenname | <Token name> Name of token to use for this client ID – specifies the token (algorithm, keys etc.) |
.accesstokentype | <JWT or UUID> Specifies which type of access token to issue – a JWT access token contains information that can be read, where a UUID-type of access tokens is a unique ID key to the access token. The UUID is significantly smaller and does not contain any information in itself. |
...
Code Block | ||||
---|---|---|---|---|
| ||||
package dk.itp.security.authentication.oauth.data; /** * Contains known data about an OAuth2 Client. * A client is not PortalProtect as a client to someone else, but a client towards PortalProtect where we are the server */ public class ClientData { public enum AccessTokenType { JWT, UUID } /** Client ID */ public String clientID; /** Client secret */ public String clientSecret; /** Valid OAuth2 grant type; implicit, authorization_code */ public Collection<String> validGrantTypes; /** Valid scopes, e.g. email, profile, name, photo */ public Collection<String> allowedScopes; /** Allowed redirect URIs */ public Collection<String> allowedUris; /** Allowed logout URIs */ public Collection<String> allowedLogoutUris; /** Number of seconds the access token is valid for */ public int accessTokenValiditySeconds; /** Number of seconds the refresh token is valid for */ public int refreshTokenValiditySeconds; /** The maximum expiration time in minutes allowed */ public int maximumIdTokenExpirationMinutes; /** Name of token configuration to use with this client */ public String tokenname; /** Type of access token to generate */ public AccessTokenType accessTokenType; /** If true, client is confidential and must always authenticate itself */ public boolean isConfidential; /** If true, new refresh token is issued when previous refresh token is used */ public boolean issueNewRefreshTokensWhenUsed; /** If true, refresh token is invalidate on use */ public boolean invalidateRefreshTokenOnUse; /** A list of roles for this client - could be roles for an API partner */ public List<String> roles; public Map<String, Object> properties = new LinkedHashMap<>(); } |
...