
OpenID Connect / Clients (v6.5)

See also:

  ▸ Advanced configuration settings

  ▸ OIDC federation support


The following OIDC clients can be configured:

1) Indirect clients

For any OpenID Connect identity provider, you should use the generic OidcClient (or one of its subclasses). It is an indirect client for web browser based authentication. The configuration is defined via the OidcConfiguration component.

Example:

OidcConfiguration config = new OidcConfiguration();
config.setClientId("788339d7-1c44-4732-97c9-134cb201f01f");
config.setSecret("we/31zi+JYa7zOugO4TbSw0hzn+hv2wmENO9AS3T84s=");
// the provider metadata (endpoints, keys, supported algorithms) is read from this URI
config.setDiscoveryURI("https://login.microsoftonline.com/38c4650d-3ca06fd1a330/.well-known/openid-configuration");
OidcClient oidcClient = new OidcClient(config);

In some cases (for example when the discovery URL is already known), you can use a provider-specific client, such as the ones for Google, Azure Active Directory, Keycloak or Apple.

Example:

String tenant = "38c46e5a-21f0-46e5-940d-3ca06fd1a330";
AzureAd2OidcConfiguration configuration = new AzureAd2OidcConfiguration(tenant);
configuration.setClientId("788339d7-1c44-4732-97c9-134cb201f01f");
configuration.setSecret("we/31zi+JYa7zOugO4TbSw0hzn+hv2wmENO9AS3T84s=");
AzureAd2Client client = new AzureAd2Client(configuration);

The clientId and secret will be provided by the OpenID Connect provider, as well as the discoveryUri (to read the metadata of the identity provider). If you do not define the discoveryUri, you’ll need to provide the provider metadata by using the StaticOidcOpMetadataResolver component.

An OidcProfile is returned after a successful authentication (or one of its subclasses: AzureAdProfile, GoogleOidcProfile or KeycloakOidcProfile). All the attributes returned in the ID Token are available in the OidcProfile, and you can also get the ID token itself via the getIdToken() method.

You can define the flow you want to use via the setResponseType and setResponseMode methods:

// implicit flow
config.setResponseType("id_token");
config.setResponseMode("form_post");

By default, the response_type is set to code (the authorization code flow) and the response_mode is empty.

You can define the scope to use with the setScope method:

config.setScope("openid email profile phone");

You can request to use the nonce parameter to reinforce security via:

config.setUseNonce(true);

2) Direct clients

For direct clients (web services), you can get the access token from any OpenID Connect identity provider and use that in your request to get the user profile.

For that, the HeaderClient would be appropriate, along with the oidcClient.getProfileCreator().

Example:

OidcConfiguration config = new OidcConfiguration();
config.setClientId(clientId);
config.setSecret(secret);
config.setDiscoveryURI(discoveryUri);
OidcClient oidcClient = new OidcClient(config);
// the indirect client requires a callback URL to initialize, even though
// the direct client never redirects the user, so any non-blank value will do
oidcClient.setCallbackUrl("notused");
oidcClient.init();
// credentials are read from "Authorization: Bearer <token>" and resolved
// into a profile by the OIDC client's profile creator
HeaderClient client = new HeaderClient("Authorization", "Bearer ", oidcClient.getProfileCreator());

The request to the server should have an Authorization header with the value as Bearer {access token}.
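Both sections above start from an OidcConfiguration; the following added example (not the pac4j project's own code) derives the browser client and the web-service client from one configuration that uses the authorization code flow with a nonce, and adds the expiration check a service should make before trusting a profile. The client id, secret, discovery URI and callback URL are placeholders, and the three setters flagged in the comments (client authentication method, preferred JWS algorithm, max clock skew) are pac4j setters not shown on this page.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import org.pac4j.http.client.direct.HeaderClient;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.profile.OidcProfile;
import java.util.Date;

/** Builds one OIDC configuration and derives an indirect (browser) and a direct (API) client from it. */
public final class OidcClientFactory {

    // Placeholder values: replace with the client id, secret and discovery URI issued by your provider.
    static final String CLIENT_ID = "REPLACE-WITH-CLIENT-ID";
    static final String SECRET = "REPLACE-WITH-SECRET";
    static final String DISCOVERY_URI = "https://idp.example.com/.well-known/openid-configuration";
    static final String CALLBACK_URL = "https://app.example.com/callback";

    static OidcConfiguration baseConfiguration() {
        OidcConfiguration config = new OidcConfiguration();
        config.setClientId(CLIENT_ID);
        config.setSecret(SECRET);
        config.setDiscoveryURI(DISCOVERY_URI);
        // Authorization code flow (the default): tokens are fetched server-side from the token
        // endpoint, so they never transit the browser as they do with the implicit "id_token" flow.
        config.setResponseType("code");
        // The nonce ties the ID token to this login request; pac4j rejects a token whose nonce
        // does not match the one it stored in the session, which defeats replayed ID tokens.
        config.setUseNonce(true);
        config.setScope("openid email profile");
        // Setters not shown on this page (assumed from pac4j's OidcConfiguration): send the secret
        // as HTTP Basic to the token endpoint, accept only RS256 ID tokens, allow 30 s clock drift.
        config.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
        config.setPreferredJwsAlgorithm(JWSAlgorithm.RS256);
        config.setMaxClockSkew(30);
        return config;
    }

    /** Indirect client for browser logins; init() must run before the profile creator can be reused. */
    static OidcClient browserClient() {
        OidcClient client = new OidcClient(baseConfiguration());
        client.setCallbackUrl(CALLBACK_URL);
        client.init();
        return client;
    }

    /** Direct client for web services: reads "Authorization: Bearer <token>" and reuses the profile creator. */
    static HeaderClient apiClient(OidcClient oidcClient) {
        return new HeaderClient("Authorization", "Bearer ", oidcClient.getProfileCreator());
    }

    /** Reject a profile whose tokens have already expired rather than serving stale identity data. */
    static boolean isUsable(OidcProfile profile) {
        if (profile == null || profile.getIdToken() == null) return false;
        Date expiration = profile.getExpiration();
        return expiration == null || expiration.after(new Date());
    }
}
```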