Identity fun
Training application to further understanding of OpenID Connect and Oauth2. Live demo at https://javabin-openid-demo.azurewebsites.net/.
Setup
Identity-fun reads configuration of identity providers from oauth2-providers.properties. To make the server work, you have to create this file. You can use the provided oauth2-providers.properties.template as a starting point.
The configuration is read anew for each request, so you can update it without restart.
- Run the main class
com.johannesbrodwall.identity.IdentityServer - Go to http://localhost:8080
- Click the link to the login provider of your choice
- You will receive a page with a link to the relevant identity provider control panel
- Use the identity provider to create a
client_idandclient_secretto put inoauth2-providers.properties - When you refresh the Identity-fun page, you will be allowed to log in with the provider
Identity provider details
- Create Google credentials at Google Developer Console and put
google.client_id,google.client_secretandgoogle.redirect_uriintooauth2-providers.properties - Create Active Directory crentials in Azure Portal - App Registration Blade and put
azure.client_id,azure.client_secretandazure.redirect_uriintooauth2-providers.properties. - Request credentials for ID-porten and put
idporten.client_id,idporten.client_secretandidporten.redirect_idinoauth2-providers.properties. - Create a Slack application and find your crentials under Basic Information > App Credentials. Put
slack.client_idandslack.client_secretinoauth2-providers.properties. Select "OAuth & Permissions" in the menu and add your Redirect URL here. Putslack.redirect_idinoauth2-providers.properties. See Slack documentation for details
Why should you care about OpenID Connect?
The advantage of OpenID Connect is the fact that it's standardized and widely adopted. This means that a library or tool designed to work with, e.g. Google accounts, can easily be adopted to work with e.g. Microsoft's Active Directory or the Norwegian national ID provider ID-porten.
Different Identity providers can support different levels of trust between you and your users.
The protocol is perceived with an air of mystery by many developers, but it's surprisingly simple to master. As a developer, you owe yourself and your users to play with OpenID Connect before you ever implement a username+password.
More about ID-porten
With the new ID-porten API, you are able to manage client ids yourself. You need to purchase an organization certificate for your organization (at this moment, only Commfides provides this) and get this registered with Difi. Commfides will send you a .p12-file with the secret key and certificate (yes, this is not very good security!).
You have to go through the following steps:
- Generate a JWT with your organization as the issuer (
"iss") and ID-porten (https://oidc.difi.no/idporten-oidc-provider/token) as the audience ("aud") and sign it with the your organization's authentication certificate - Make a POST request to
https://oidc.difi.no/idporten-oidc-provider/tokenwithgrant_type=urn:ietf:params:oauth:grant-type:jwt-bearerandassertionas the JWT created in step 2. - You will receive a token response with an
access_tokenas a JWT with the issuer and audience reversed from step 2 - Use this access_token in the
Authorizationheader to API calls to Difi's Integration API. Try GET https://integrasjon.difi.no/clients to list clients and POST https://integrasjon.difi.no/clients to create a new client
See the IdPortenApiClient client for an example.
Deployment
az login(require Azure CLI tools to be installed)mvn clean package azure-webapp:deploy -Dazure.appName=...az webapp browse --resource-group identity-fun --name <appName>opens a web browser on the app- Go to Azure app service cmd on
https://<appName>.scm.azurewebsites.net/DebugConsoleto check logs and update configuration file - Go to Azure Portal to restart server (search for "identity-fun" to find your resource group)