
Introduction

OpenID Connect (OIDC) is an identity layer built on top of the OAuth2 protocol.

CXF ships OIDC Provider (IDP) and Relying Party (RP) utility code to make it easy for developers to create their own custom OIDC providers or to integrate JAX-RS applications with well-known third-party OIDC IDPs.

This code relies heavily on CXF OAuth2 and CXF JOSE modules.

Maven Dependencies

CXF OIDC module
<dependency>
    <groupId>org.apache.cxf</groupId>
    <artifactId>cxf-rt-rs-security-sso-oidc</artifactId>
    <version>3.1.7</version>
</dependency>

IdToken and UserInfo

IdToken is the primary extension that OIDC makes to OAuth2. It provides a collection of claims describing the authenticated user. IdToken is a secured JWT which is JWS-signed and/or JWE-encrypted by the OIDC IDP.

CXF provides org.apache.cxf.rs.security.oidc.common.IdToken. This token can be processed and protected by CXF OIDC services and validated by the RP code as described below.

IdToken can provide enough information for the client application to work with the current user. However, the client can get more information about the user from the OIDC UserInfo endpoint.

CXF provides org.apache.cxf.rs.security.oidc.common.UserInfo. It can be returned from the CXF OIDC UserInfo service and validated by the RP code as described below.

OIDC IDP support

Overview

When user authentication is required, the client application initiates one of the OIDC Core flows and redirects the user to the OIDC provider. After authentication the user is redirected back to the client, which receives an IdToken. If the Authorization Code Flow is used, the IdToken is returned as part of the follow-up code-to-access-token exchange; if the Implicit Flow is used, the IdToken is returned immediately. It is very much like OAuth2 except that an extra IdToken parameter is returned.

Fediz OIDC

Fediz OIDC provides a reference integration between the CXF OIDC IDP code and its authentication system. It supports OIDC Core with a minimum amount of code and configuration.

OIDC RP support

Overview

Demos

BigQuery demo service is an OAuth2 client which relies on CXF OIDC RP code to interact with the user, redirect the user to Google to authenticate, and validate the IdToken returned from the Google AccessTokenService alongside a new access token (OIDC Authorization Code Flow). The demo service uses the IdToken to address the user correctly and the access token to access the user's resources as authorized by the user.

BasicOidc demo service is not an OAuth2 client but a basic JAX-RS server. It works with an HTTP browser client which uses Google script libraries to get an IdToken from the Google OIDC Authorization endpoint (OIDC Implicit Flow). This browser client interacts with CXF OIDC RP code to get the IdToken validated and then posts the token to the demo service. The demo service depends on CXF OIDC RP to have this IdToken easily accessible in its code.
