OpenID Connect Authentication

[lachlan-roberts]

Allow webapps to authenticate users using the OpenId Connect (OIDC) protocol based on OAuth 2.0. This can be done with any OpenId Provider supporting OIDC. For example by using googles OIDC service you can authenticate with your webapp using your google account.

I have tested authentication with Google, Microsoft and Yahoo so far.

See #137

[lachlan-roberts]

OpenID Configuration

To configure OpenID Authentication with Jetty you need to specify the OpenID Provider, Client ID and Client Secret. These can be set as properties in the start.ini or start.d/openid.ini files.

OpenID Provider

The OpenID Provider must be an OAuth 2.0 Authentication Server which implements OpenID Connect. To use the jetty-openid module you must input the URL for the OpenID Provider you wish to use.

Examples:

• https://accounts.google.com/
• https://login.microsoftonline.com/common/v2.0
• https://login.yahoo.com

Registering App with OpenID Provider

You must register an app with the OpenID provider which will give you a Client ID and Client Secret. Once set up you must also register all the possible URI's for your webapp with the path /j_security_check so that the OpenId provider will allow redirection back to the webapp.

for example these may look like

• http://localhost:8080/openid-webapp/j_security_check
• https://mywebsite.com/j_security_check

WebApp Specific Configuration

The webapp should be deployed with a jetty deployable descriptor XML file to configure the security handler with the error page and OpenIdAuthenticatorFactory.

The security handler should be given an init param for "org.eclipse.jetty.security.openid.error_page" with a path relative to the webapp where authentication errors should be redirected.

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Set name="contextPath">/myapp</Set>
    <Set name="war"><SystemProperty name="myapp.home"/>/myapp.war</Set>
    <Get name="securityHandler">
        <Call name="setInitParameter">
            <Arg>org.eclipse.jetty.security.openid.error_page</Arg>
            <Arg>/error</Arg>
        </Call>
        <Set name="authenticatorFactory">
            <New class="org.eclipse.jetty.security.openid.OpenIdAuthenticatorFactory"/>
        </Set>
    </Get>
</Configure>

Claims

Claims provide the application with details about the user, such as sub (unique id), name and email.

Once a user has been authenticated you can retrieve these claims can be accessed via a Session attribute.

Map<String, Object> userInfo = (Map)request.getSession().getAttribute("org.eclipse.jetty.security.openid.user_claims"); 

Scopes

Scopes can be used to request additional resources it needs about the user such as additional user claims.

For the Google OpenID Provider it can be useful to request the scopes profile and email which can give you additional user claims such as email, email_verified and picture.

web.xml

To use OpenID authentication the web.xml file must have the login-config element with an auth method value of OPENID.

The realm name must be set to the exact URL string used to set the OpenID Provider.

Example:

<login-config>
  <auth-method>OPENID</auth-method>
  <realm-name>https://accounts.google.com/</realm-name>
</login-config>

[lachlan-roberts]

@WalkerWatch can you help with the documentation for this

[sbordet]

Is this some fake ID or a real one? You don't want to put here a real ID!

[lachlan-roberts]

These were real for my testing app, but I will change to fake ones.
The client secret can be reset easily so didn't think it was a big deal if it was real while testing.

[gregw]

... and now that a real one has been published, you will need to revoke that from your account, otherwise anybody can start using your account for auth! Low risk I know, but good practise to always cancel any credentials that have been published accidentally.

[lachlan-roberts]

Client secrets have been reset.
Except for on Yahoo because the site is so bugged I cannot reset the secret, delete the app, or contact support without errors.

[sbordet]

Fake or real?

[lachlan-roberts]

changed to fake

[sbordet]

Get rid of the __ in front of public constants.
Why are these public?

[lachlan-roberts]

I have removed the __ parts.
This was based off the FormAuthenticator where all the constants are prefixed with __ and are public.

[sbordet]

What's this URL to a old issue tracking system? Remove it.

[sbordet]

Too many empty lines!

[sbordet]

You are leaking the connection open.

[lachlan-roberts]

I have changed the InputStream to be used with a try.
Or do I need to explicitly call connection.disconnect()?

[sbordet]

No point in making this class Serializable when its only field _credentials is not serializable.

[lachlan-roberts]

Removed the Serializable.

[gregw]

So how is this auth going to work in a cluster? If we have a non sticky load balancer, we need the authentication to move with the session - hence it needs to be serializable.

[lachlan-roberts]

I made OpenIdUserPrincipal, OpenIdCredentials and OpenIdConfiguration all Serializable. So now the SessionAuthentication used will allow the authentication to move with the session in a clustered environment.

[gregw]

I think we need to consider the clustered behaviour of this. @janbartel can you assist.

[lachlan-roberts]

@sbordet can I get a re-review