
The OpenIG "OAuth2ClientFilter" allows you to set up multiple OAuth 2.0 authorization servers and OpenID Providers as login options for one protected application.

Which configuration style you use depends on whether the identity service supports plain OAuth 2.0 or OpenID Connect 1.0. OpenID Providers are usually easier to configure, because they publish their endpoints in a discovery document at a URL ending in /.well-known/openid-configuration; you point the filter at that URL (the "wellKnownConfiguration" setting below) instead of listing each endpoint by hand. Plain OAuth 2.0 authorization servers need the authorization, token and user-info endpoints spelled out explicitly.
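As an added illustration (Python, not OpenIG code) of what that discovery document provides and what is worth checking before trusting it, the block below parses two constructed openid-configuration documents, verifies that the required fields are present and that the issuer belongs to the host the document was fetched from, warns about non-TLS endpoints and about an issuer that does not match the discovery URL, and maps the fields onto the endpoint names used by the explicit provider configurations on this page. The provider hostnames and both documents are constructed for the example; nothing is fetched from a real provider.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
              "userinfo_endpoint", "jwks_uri")

# Constructed discovery document for a well-behaved TLS provider (not fetched).
GOOD_URL = "https://op.example.com" + WELL_KNOWN_SUFFIX
GOOD_DOC = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/oauth2/authorize",
    "token_endpoint": "https://op.example.com/oauth2/access_token",
    "userinfo_endpoint": "https://op.example.com/oauth2/userinfo",
    "jwks_uri": "https://op.example.com/oauth2/jwks",
})

# Constructed document resembling a plain-http lab deployment such as the OpenAM
# example on this page: issuer under a sub-path, nothing behind TLS.
LAB_URL = "http://openam.example.com:8088/openam" + WELL_KNOWN_SUFFIX
LAB_DOC = json.dumps({
    "issuer": "http://openam.example.com:8088/openam/oauth2",
    "authorization_endpoint": "http://openam.example.com:8088/openam/oauth2/authorize",
    "token_endpoint": "http://openam.example.com:8088/openam/oauth2/access_token",
    "userinfo_endpoint": "http://openam.example.com:8088/openam/oauth2/userinfo",
    "jwks_uri": "http://openam.example.com:8088/openam/oauth2/connect/jwk_uri",
})


def check_discovery(well_known_url, body):
    """Parse a discovery document and return (doc, warnings).

    Raises ValueError for defects that make the document unusable (missing
    fields, issuer on a different host); returns a list of warnings for
    weaknesses that should be fixed before production.
    """
    if not well_known_url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("not a .well-known/openid-configuration URL")
    doc = json.loads(body)
    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    if missing:
        raise ValueError("discovery document missing " + ", ".join(missing))

    fetched = urlsplit(well_known_url)
    issuer = urlsplit(doc["issuer"])
    # The issuer must belong to the host the document came from; otherwise a
    # tampered document could make the client accept tokens from another issuer.
    if (issuer.scheme, issuer.netloc) != (fetched.scheme, fetched.netloc):
        raise ValueError("issuer %s does not match %s" % (doc["issuer"], fetched.netloc))

    warnings = []
    # OpenID Connect Discovery 1.0 section 4.3 is stricter than the check above:
    # the issuer should equal the document URL with the .well-known suffix removed.
    expected = well_known_url[: -len(WELL_KNOWN_SUFFIX)].rstrip("/")
    if doc["issuer"].rstrip("/") != expected:
        warnings.append("issuer %s is not the discovery URL minus %s"
                        % (doc["issuer"], WELL_KNOWN_SUFFIX))
    for field in URL_FIELDS:
        if field in doc and urlsplit(doc[field]).scheme != "https":
            warnings.append("%s is not https: %s" % (field, doc[field]))
    return doc, warnings


def endpoints_for_filter(doc):
    """Map discovery fields onto the endpoint names used by the explicit
    (non-discovery) provider configurations on this page."""
    endpoints = {
        "authorizeEndpoint": doc["authorization_endpoint"],
        "tokenEndpoint": doc["token_endpoint"],
    }
    if "userinfo_endpoint" in doc:
        endpoints["userInfoEndpoint"] = doc["userinfo_endpoint"]
    return endpoints


if __name__ == "__main__":
    for url, body in ((GOOD_URL, GOOD_DOC), (LAB_URL, LAB_DOC)):
        doc, warnings = check_discovery(url, body)
        print(url)
        print("  endpoints:", endpoints_for_filter(doc))
        for w in warnings:
            print("  WARNING:", w)
```

The same-host check is deliberately looser than the specification's rule, so that a lab provider whose issuer sits under a sub-path is still accepted while the discrepancy is reported; the http warnings are what you would expect to see for the OpenAM example on this page, and they are the reason such a setup must not be carried into production unchanged.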

The OpenIG 3.0.0 reference documentation for this configuration is at http://docs.forgerock.org/en/openig/3.0.0/reference/#OAuth2ResourceServerFilter.

OpenAM can act as an OpenID Provider. The following example has OpenAM deployed at http://openam.example.com:8088/openam/, running an OpenID Provider in the top-level realm, so its discovery document is served from that deployment URL.

{
	"name": "openam",
	"comments": [
		"See also http://docs.forgerock.org/en/openam/11.0.0/admin-guide/#chap-openid-connect"
	],
	"wellKnownConfiguration": "http://openam.example.com:8088/openam/.well-known/openid-configuration",
	"clientId": "**************",
	"clientSecret": "**************"
}

Facebook acts as an OAuth 2.0 authorization server.

{
	"name": "facebook",
	"comments": [
		"See https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/",
		"For scopes, see https://developers.facebook.com/docs/facebook-login/permissions/"
	],
	"authorizeEndpoint": "https://www.facebook.com/dialog/oauth",
	"tokenEndpoint": "https://graph.facebook.com/oauth/access_token",
	"userInfoEndpoint": "https://graph.facebook.com/me",
	"scopes": "public_profile",
	"clientId": "**************",
	"clientSecret": "**************"
}

Google acts as an OpenID Provider.

{
	"name": "google",
	"comments": [
		"See also https://developers.google.com/accounts/docs/OAuth2Login"
	],
	"wellKnownConfiguration": "https://accounts.google.com/.well-known/openid-configuration",
	"clientId": "**************.apps.googleusercontent.com",
	"clientSecret": "**************"
}

MSN acts as an OAuth 2.0 authorization server.

{
	"name": "msn",
	"comments": [
		"See https://account.live.com/developers/applications",
		"For scopes, see http://msdn.microsoft.com/en-us/library/hh243646.aspx"
	],
	"authorizeEndpoint": "https://oauth.live.com/authorize",
	"tokenEndpoint": "https://oauth.live.com/token",
	"userInfoEndpoint": "https://apis.live.net/v5.0/me",
	"scopes": "wl.basic",
	"clientId": "**************",
	"clientSecret": "**************"
}

When you use multiple providers with an "OAuth2ClientFilter", you also need to set a "loginHandler" in the configuration. The following login handler returns a very basic page with links to the four providers listed above. The "provider" query parameter in each link must match the "name" of one of the provider configurations, and "goto" carries the URL-encoded original request URI so the user is returned there after login.

"loginHandler": {
	"type": "StaticResponseHandler",
	"config": {
		"status": 200,
		"entity": "<html><p><a href='/openid/login?provider=openam&goto=${urlEncode(exchange.request.uri)}'>OpenAM Login</a></p><p><a href='/openid/login?provider=facebook&goto=${urlEncode(exchange.request.uri)}'>Facebook Login</a></p><p><a href='/openid/login?provider=google&goto=${urlEncode(exchange.request.uri)}'>Google Login</a></p><p><a href='/openid/login?provider=msn&goto=${urlEncode(exchange.request.uri)}'>MSN Login</a></p></html>"
	}
}

Please do add configurations to this page for additional providers you have used with OpenIG.

  • For OpenIG 4.0 or later, use the new Issuer/ClientRegistration configuration model, as in the examples below:

LinkedIn - Issuer/ClientRegistration model configuration:

{
    "name": "linkedin",
    "type": "Issuer",
    "config": {
        "authorizeEndpoint": "https://www.linkedin.com/uas/oauth2/authorization",
        "tokenEndpoint": "https://www.linkedin.com/uas/oauth2/accessToken"
    }
},
{
    "name": "linkedinPortal",
    "comment": [
        "See https://developer.linkedin.com/docs/oauth2",
        "Replace redirect_uris with your own callback URI(s)"
    ],
    "type": "ClientRegistration",
    "config": {
        "issuer": "linkedin",
        "clientId": "<client_id>",
        "clientSecret": "<client_secret>",
        "scopes": [
            "r_basicprofile",
            "r_emailaddress",
            "rw_company_admin",
            "w_share"
        ],
        "redirect_uris": [
            "http://localhost:8082/openid/callback"
        ],
        "tokenEndpointUseBasicAuth": false
    }
}

MSN - Issuer/ClientRegistration model configuration:

{
    "name": "msn",
    "type": "Issuer",
    "config": {
        "authorizeEndpoint": "https://oauth.live.com/authorize",
        "tokenEndpoint": "https://oauth.live.com/token",
        "userInfoEndpoint": "https://apis.live.net/v5.0/me"
    }
},
{
    "name": "msnPortal",
    "comment": [
        "See https://account.live.com/developers/applications",
        "For scopes, see http://msdn.microsoft.com/en-us/library/hh243646.aspx"
    ],
    "type": "ClientRegistration",
    "config": {
        "issuer": "msn",
        "clientId": "<client_id>",
        "clientSecret": "<client_secret>",
        "scopes": [
            "wl.basic",
            "wl.signin"
        ],
        "redirect_uris": [
            "http://localhost:8082/openid/callback"
        ],
        "tokenEndpointUseBasicAuth": false
    }
}

Salesforce - Issuer/ClientRegistration model configuration (IG 5 or later, with the Issuer declared inline):

{
	"name": "SalesForceRegistration",
	"type": "ClientRegistration",
	"config": {
		"issuer": {
			"name": "salesforce",
			"type": "Issuer",
			"config": {
				"wellKnownEndpoint": "https://login.salesforce.com/.well-known/openid-configuration"
			}
		},
		"clientId": "<clientID>",
		"clientSecret": "****************",
		"scopes": [
			"openid", "id", "profile", "email", "address", "phone"
		],
		"tokenEndpointAuthMethod": "CLIENT_SECRET_POST"
	}	
}


When you use multiple client registrations with an "OAuth2ClientFilter", you again need to set a "loginHandler" in the configuration. The following login handler returns a very basic page with links to the LinkedIn and MSN registrations above; the "clientRegistration" query parameter must match the "name" of a ClientRegistration object:

"loginHandler": {
	"type": "StaticResponseHandler",
	"config": {
		"status": 200,
		"entity": "<html><p><a href='/openid/login?clientRegistration=linkedinPortal&goto=${urlEncode(exchange.originalUri)}'>LinkedIn Login</a></p><p><a href='/openid/login?clientRegistration=msnPortal&goto=${urlEncode(exchange.originalUri)}'>MSN Login</a></p></html>"
	}
}

2 Comments

  1. Some providers do not support 'token endpoint use basic authentication', and if you leave the default, an error occurs:

    An error occurred:  The provided request must include a 'client_id' input parameter.
                                                                   (invalid_client)

    That's the case for MSN, LinkedIn...

    Just disable basic auth in your config:

    "tokenEndpointUseBasicAuth": false
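The comment above describes the symptom. The following added Python example (not IG code and not from the commenter) builds the two shapes the authorization_code token request can take under RFC 6749 section 2.3.1: client_secret_basic, where the client credentials travel only in an Authorization header (what the default "tokenEndpointUseBasicAuth": true selects), and client_secret_post, where they are form fields in the body (what "tokenEndpointUseBasicAuth": false, or the Salesforce example's "tokenEndpointAuthMethod", selects). It then runs both requests against two constructed stand-in token endpoints: one that reads credentials only from the body, reproducing the invalid_client error quoted above, and one that accepts either method but rejects a request that uses both. The client ID, secret, authorization code and token values are constructed; the redirect URI is the one used on this page.

```python
import base64
import hmac
from urllib.parse import urlencode, parse_qs, quote, unquote

# Constructed client registration and authorization code; not real credentials.
CLIENT_ID = "ig-demo-client"
CLIENT_SECRET = "demo-secret-do-not-use"
AUTH_CODE = "constructed-authorization-code"
REDIRECT_URI = "http://localhost:8082/openid/callback"  # callback URI used on this page


def token_request(use_basic_auth):
    """Return (headers, body) for the authorization_code token request.

    use_basic_auth=True  -> client_secret_basic: credentials only in the
                            Authorization header (the tokenEndpointUseBasicAuth default).
    use_basic_auth=False -> client_secret_post: credentials as form fields.
    RFC 6749 section 2.3.1 forbids using both methods in one request.
    """
    form = {"grant_type": "authorization_code", "code": AUTH_CODE,
            "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_basic_auth:
        # RFC 6749 2.3.1: form-urlencode id and secret before the Basic encoding.
        userpass = quote(CLIENT_ID, safe="") + ":" + quote(CLIENT_SECRET, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(userpass.encode()).decode()
    else:
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    return headers, urlencode(form)


def _form(body):
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _basic_credentials(headers):
    """Decode client_secret_basic credentials, or return None if absent or malformed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, sep, secret = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    if not sep:
        return None
    return unquote(user), unquote(secret)


def _credentials_ok(client_id, secret):
    # Constant-time comparison so a stand-in does not leak by timing either.
    return (hmac.compare_digest(client_id, CLIENT_ID)
            and hmac.compare_digest(secret, CLIENT_SECRET))


def _issue_token(form):
    if form.get("grant_type") != "authorization_code" or form.get("code") != AUTH_CODE:
        return {"error": "invalid_grant"}
    return {"access_token": "constructed-access-token", "token_type": "Bearer",
            "expires_in": 3600}


def body_only_provider(headers, body):
    """Constructed stand-in for a token endpoint that reads client credentials
    only from the form body: the behaviour the comment above ran into."""
    form = _form(body)
    if "client_id" not in form:
        return {"error": "invalid_client",
                "error_description": "The provided request must include a 'client_id' input parameter."}
    if not _credentials_ok(form["client_id"], form.get("client_secret", "")):
        return {"error": "invalid_client"}
    return _issue_token(form)


def spec_provider(headers, body):
    """Constructed token endpoint that accepts either method from RFC 6749
    section 2.3.1 and rejects a request that uses both at once."""
    form = _form(body)
    basic = _basic_credentials(headers)
    if basic and ("client_id" in form or "client_secret" in form):
        return {"error": "invalid_request",
                "error_description": "more than one client authentication method"}
    client_id, secret = basic if basic else (form.get("client_id", ""), form.get("client_secret", ""))
    if not _credentials_ok(client_id, secret):
        return {"error": "invalid_client"}
    return _issue_token(form)


if __name__ == "__main__":
    for use_basic in (True, False):
        headers, body = token_request(use_basic)
        print("basic auth" if use_basic else "client_id in body",
              "-> body-only provider:", body_only_provider(headers, body).get("error", "token issued"),
              "| spec provider:", spec_provider(headers, body).get("error", "token issued"))
```

Switching the IG setting to the POST form only moves the secret from a header into the request body; both variants send it to the token endpoint in the clear unless that endpoint is reached over TLS, so check the "tokenEndpoint" URL as well when you change the authentication method.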