OpenID Connect Support
Since Payara Server 4.1.2.183 and 5.183
The Payara API provides a @OpenIdAuthenticationDefinition annotation that creates an authorization mechanism for OpenID Connect support.
This works in the same way as other authorization mechanisms in the Java EE Security API.
Usage
The OpenID Connect authentication mechanism is defined through the @OpenIdAuthenticationDefinition annotation.
Specifying this in a valid place as defined by the Java EE Security API will create the mechanism.
Often this may mean that any class is a valid position.
Example
Here’s an example that configures a OpenID Connect client:
@OpenIdAuthenticationDefinition(
providerURI = "https://sample-openid-server.com",
clientId = "87068hgfg5675htfv6mrucov57bknst.apps.sample.com",
clientSecret = "{my-secret}",
redirectURI = "${baseURL}/callback",
extraParameters = {
"testKey=testValue",
"testKey2=testValue2"
}
)
public class SecurityBean {
}See this sample project for a more detailed example.
When defining a OpenID Connect flow within an application deployed on Payara Server, it is possible to retrieve the access token, identity token, user claims and the other authentication information within any bean in the scope of the callback/redirectURI resource used to configure the authentication:
@WebServlet("/callback")
public class CallbackServlet extends HttpServlet {
@Inject
OpenIdContext context;
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
PrintWriter out = response.getWriter();
//Here's the caller name
out.println(context.getCallerName());
//Here's the caller groups
out.println(context.getCallerGroups());
//Here's the unique subject identifier within the issuer
out.println(context.getSubject());
//Here's the access token
out.println(context.getAccessToken());
//Here's the identity token
out.println(context.getIdentityToken());
//Here's the user claims
out.println(context.getClaimsJson());
}
}Configuration
OpenID Client can be configured with both @OpenIdAuthenticationDefinition annotation attributes and Microprofile Config properties.
The annotation and mp config properties has several configuration options.
They are detailed below.
| Option | MP Config property | Required | Description | Default value | Requirements |
|---|---|---|---|---|---|
|
|
true |
The provider uri to discover the metadata of the OpenID Connect provider. |
The endpoint must be HTTPS. |
|
|
|
true |
The client identifier issued when the application was registered. |
N/A. |
|
|
|
true |
The client secret for the registered application. |
N/A. |
|
|
|
true |
The URL to redirect the user to upon successful authentication. |
${baseURL}/Callback |
Must be equal to one set in the OpenID Connect provider. |
|
|
false |
The scopes requested from the OpenID Connect provider. |
{openid, email, profile} |
N/A. |
|
|
false |
Response Type value defines the processing flow to be used. |
code |
N/A. |
|
|
false |
Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint. |
N/A. |
|
|
|
false |
The prompt value specifies whether the authorization server prompts the user for re-authentication and consent. |
N/A. |
|
|
|
false |
The display value specifying how the authorization server displays the authentication and consent user interface pages. |
page |
N/A. |
|
|
false |
Enables string value used to mitigate replay attacks. |
true |
N/A. |
|
|
false |
If enabled state & nonce value stored in session otherwise in cookies. |
true |
N/A. |
|
|
false |
Sets the connect timeout(in milliseconds) for Remote JWKS retrieval. |
500 |
Value must not be negative and if value is zero then infinite timeout. |
|
|
false |
Sets the read timeout(in milliseconds) for Remote JWKS retrieval. |
500 |
Value must not be negative and if value is zero then infinite timeout. |
|
|
false |
Defines the name of callerName claim and maps the claim’s value to caller name value in IdentityStore#validate. Since Payara Server 5.184 |
preferred_username |
N/A. |
|
|
false |
Defines the name of callerGroups claim and maps the claim’s value to caller groups value in IdentityStore#validate. Since Payara Server 5.184 |
groups |
N/A. |
|
false |
An array of extra options to be sent to the OpenID Connect provider. |
Must be in the form |
Note : If both annotation attribute and mp config property defined for same option
then Microprofile Config property value always take precedence over @OpenIdAuthenticationDefinition annotation value.
Expression Language Support
Additionally, the @OpenIdAuthenticationDefinition supports the use of expression language (EL) notation for dynamic configuration scenarios.
This means that you can use any CDI bean properties to set the OpenID Connect configuration like this:
@OpenIdAuthenticationDefinition(
providerURI="#{openidConfigBean.tokenEndpointURL}",
clientId="#{openidConfigBean.clientId}",
clientSecret="#{openidConfigBean.clientSecret}",
redirectURI="#{openidConfigBean.redirectURI}"
)
public class SecurityBean {
}Extra Resources
To read more about OpenID Connect itself, visit http://openid.net/specs/openid-connect-core-1_0.html