Training application to further understanding of OpenID Connect and Oauth2. Live demo at https://javabin-openid-demo.azurewebsites.net/.
Identity-fun reads the configuration of identity providers from `oauth2-providers.properties`. To make the server work, you have to create this file. You can use the provided `oauth2-providers.properties.template` as a starting point.
The configuration is read anew for each request, so you can update it without a restart.
- Run the main class `com.johannesbrodwall.identity.IdentityServer`
- Go to http://localhost:8080
- Click the link to the login provider of your choice
- You will receive a page with a link to the relevant identity provider control panel
- Use the identity provider to create a `client_id` and `client_secret` to put in `oauth2-providers.properties`
- When you refresh the Identity-fun page, you will be allowed to log in with the provider
- Create Google credentials at Google Developer Console and put `google.client_id`, `google.client_secret` and `google.redirect_uri` into `oauth2-providers.properties`.
- Create Active Directory credentials in Azure Portal - App Registration Blade and put `azure.client_id`, `azure.client_secret` and `azure.redirect_uri` into `oauth2-providers.properties`.
- Request credentials for ID-porten and put `idporten.client_id`, `idporten.client_secret` and `idporten.redirect_id` in `oauth2-providers.properties`.
- Create a Slack application and find your credentials under Basic Information > App Credentials. Put `slack.client_id` and `slack.client_secret` in `oauth2-providers.properties`. Select "OAuth & Permissions" in the menu and add your Redirect URL here. Put `slack.redirect_id` in `oauth2-providers.properties`. See Slack documentation for details.
The advantage of OpenID Connect is the fact that it's standardized and widely adopted. This means that a library or tool designed to work with, e.g. Google accounts, can easily be adapted to work with e.g. Microsoft's Active Directory or the Norwegian national ID provider ID-porten.
Different identity providers can support different levels of trust between you and your users.
The protocol is perceived with an air of mystery by many developers, but it's surprisingly simple to master. As a developer, you owe it to yourself and your users to play with OpenID Connect before you ever implement a username+password login.
With the new ID-porten API, you are able to manage client ids yourself. You need to purchase an organization certificate for your organization (at this moment, only Commfides provides this) and get this registered with Difi. Commfides will send you a .p12-file with the secret key and certificate (yes, this is not very good security!).
You have to go through the following steps:
- Generate a JWT with your organization as the issuer (`"iss"`) and ID-porten (`https://oidc.difi.no/idporten-oidc-provider/token`) as the audience (`"aud"`) and sign it with your organization's authentication certificate
- Make a POST request to `https://oidc.difi.no/idporten-oidc-provider/token` with `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer` and `assertion` as the JWT created in step 2
- You will receive a token response with an `access_token` as a JWT with the issuer and audience reversed from step 2
- Use this access_token in the `Authorization` header of API calls to Difi's Integration API. Try GET https://integrasjon.difi.no/clients to list clients and POST https://integrasjon.difi.no/clients to create a new client
See the `IdPortenApiClient` client for an example.
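The steps above carried through in plain JDK (`java.security` for the signature, `java.net.http` for the requests), as an added example that is not the project's own `IdPortenApiClient`. The `x5c` header, the 120-second lifetime, the `jti` claim, and passing the keystore password and issuer on the command line are assumptions; ID-porten may require further claims that the steps above do not list.

```java
import java.io.FileInputStream;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.*;
import java.util.regex.Pattern;
// Added example (not the project's IdPortenApiClient): get an ID-porten access token with a
// self-signed JWT assertion (RFC 7523 jwt-bearer grant) and make one Integration API call.
public class IdPortenJwtBearerExample {
    static final String TOKEN_ENDPOINT = "https://oidc.difi.no/idporten-oidc-provider/token";
    static String b64url(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    // Step 1: build and sign the assertion (x5c header, 120 s lifetime and jti are assumptions;
    // check ID-porten's documentation for any further required claims, for example scope).
    static String createAssertion(String issuer, PrivateKey key, X509Certificate cert) throws Exception {
        String header = "{\"alg\":\"RS256\",\"x5c\":[\"" + Base64.getEncoder().encodeToString(cert.getEncoded()) + "\"]}";
        long now = Instant.now().getEpochSecond();
        String payload = "{\"iss\":\"" + issuer + "\",\"aud\":\"" + TOKEN_ENDPOINT + "\",\"iat\":" + now
            + ",\"exp\":" + (now + 120) + ",\"jti\":\"" + UUID.randomUUID() + "\"}"; // short-lived, unique
        String signingInput = b64url(header.getBytes(StandardCharsets.UTF_8)) + "." + b64url(payload.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA"); // RS256 with the organization's private key
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + b64url(sig.sign());
    }
    // Step 2: POST the assertion to the token endpoint and pull access_token out of the JSON reply.
    static String requestAccessToken(String assertion) throws Exception {
        String form = "grant_type=" + URLEncoder.encode("urn:ietf:params:oauth:grant-type:jwt-bearer", StandardCharsets.UTF_8)
            + "&assertion=" + URLEncoder.encode(assertion, StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_ENDPOINT))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) throw new IllegalStateException("Token request failed: " + response.body());
        var m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(response.body());
        if (!m.find()) throw new IllegalStateException("No access_token in response");
        return m.group(1);
    }
    // Usage: java IdPortenJwtBearerExample <org>.p12 <keystore-password> <issuer-claim>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        String alias = ks.aliases().nextElement(); // assumes the .p12 holds a single key entry
        String assertion = createAssertion(args[2], (PrivateKey) ks.getKey(alias, args[1].toCharArray()),
            (X509Certificate) ks.getCertificate(alias));
        HttpRequest list = HttpRequest.newBuilder(URI.create("https://integrasjon.difi.no/clients")) // step 3
            .header("Authorization", "Bearer " + requestAccessToken(assertion)).GET().build();
        System.out.println(HttpClient.newHttpClient().send(list, HttpResponse.BodyHandlers.ofString()).body());
    }
}
```

Requires Java 11 or later for `java.net.http`.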
- `az login` (requires Azure CLI tools to be installed)
- `mvn clean package azure-webapp:deploy -Dazure.appName=...`
- `az webapp browse --resource-group identity-fun --name <appName>` opens a web browser on the app
- Go to the Azure App Service debug console at `https://<appName>.scm.azurewebsites.net/DebugConsole` to check logs and update the configuration file
- Go to Azure Portal to restart the server (search for "identity-fun" to find your resource group)