configure social login as OpenID Connect client for sample 4-finish

4-finish/pom.xml

@@ -42,14 +42,8 @@
     </dependency>
     <dependency>
       <groupId>com.ibm.websphere.appserver.api</groupId>
-      <artifactId>com.ibm.websphere.appserver.api.oidc</artifactId>
-      <version>1.0.39</version>
-      <scope>provided</scope>
-    </dependency>
-    <dependency>
-      <groupId>com.ibm.websphere.appserver.api</groupId>
-      <artifactId>com.ibm.websphere.appserver.api.oauth</artifactId>
-      <version>1.2.39</version>
+      <artifactId>com.ibm.websphere.appserver.api.social</artifactId>
+      <version>1.0.42</version>
       <scope>provided</scope>
     </dependency>
     <dependency>

4-finish/src/main/java/cafe/web/view/CafeJwtUtil.java

@@ -1,55 +1,31 @@
 package cafe.web.view;
 
 import java.io.Serializable;
-import java.lang.invoke.MethodHandles;
-import java.util.Collections;
 import java.util.List;
-import java.util.logging.Logger;
-
 import javax.enterprise.context.SessionScoped;
 import javax.inject.Inject;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 
-import com.ibm.websphere.security.jwt.Claims;
-import com.ibm.websphere.security.jwt.InvalidBuilderException;
-import com.ibm.websphere.security.jwt.InvalidClaimException;
-import com.ibm.websphere.security.jwt.JwtBuilder;
-import com.ibm.websphere.security.jwt.JwtException;
-import com.ibm.websphere.security.openidconnect.PropagationHelper;
-import com.ibm.websphere.security.openidconnect.token.IdToken;
+import com.ibm.websphere.security.social.UserProfileManager;
 
 @SessionScoped
 public class CafeJwtUtil implements Serializable {
 
     private static final long serialVersionUID = 1L;
-    private static final Logger logger = Logger.getLogger(MethodHandles.lookup().lookupClass().getName());
-    private String jwtTokenString;
-    private List<String> groups;
 
     @Inject
     @ConfigProperty(name = "admin.group.id")
     private String ADMIN_GROUP_ID;
 
-    @SuppressWarnings("unchecked")
-    public CafeJwtUtil() {
-        try {
-            IdToken idToken = PropagationHelper.getIdToken();
-            groups = idToken.getClaim("groups") != null ? (List<String>) idToken.getClaim("groups")
-                    : Collections.emptyList();
-
-            jwtTokenString = JwtBuilder.create("jwtAuthUserBuilder").claim(Claims.SUBJECT, "javaee-cafe-rest-endpoints")
-                    .claim("upn", idToken.getClaim("preferred_username")).claim("groups", groups).buildJwt().compact();
-        } catch (JwtException | InvalidBuilderException | InvalidClaimException e) {
-            logger.severe("Creating JWT token failed.");
-            e.printStackTrace();
-        }
-    }
-
     public String getJwtToken() {
-        return jwtTokenString;
+        return UserProfileManager.getUserProfile().getIdToken().compact();
     }
 
     public boolean isUserInAdminGroup() {
-        return groups.contains(ADMIN_GROUP_ID);
+        @SuppressWarnings("unchecked")
+        List<String> groups = UserProfileManager.getUserProfile().getIdToken().getClaims().getClaim("groups",
+                List.class);
+
+        return groups != null && groups.contains(ADMIN_GROUP_ID);
     }
 }

4-finish/src/main/liberty/config/server.xml

@@ -8,7 +8,7 @@
         <feature>jaxrs-2.1</feature>
         <feature>ejbLite-3.2</feature>
         <feature>jpa-2.2</feature>
-        <feature>openidConnectClient-1.0</feature>
+        <feature>socialLogin-1.0</feature>
         <feature>transportSecurity-1.0</feature>
         <feature>appSecurity-3.0</feature>
         <feature>jwt-1.0</feature>
@@ -38,22 +38,20 @@
     <ssl id="defaultSSLConfig"  trustDefaultCerts="true" />
 
     <!-- Add your tenant id, client ID and secret from AAD -->
-    <openidConnectClient
+    <oidcLogin
         id="liberty-aad-oidc-javaeecafe" clientId="${client.id}"
         clientSecret="${client.secret}"
-        discoveryEndpointUrl="https://login.microsoftonline.com/${tenant.id}/v2.0/.well-known/openid-configuration"
+        discoveryEndpoint="https://login.microsoftonline.com/${tenant.id}/v2.0/.well-known/openid-configuration"
         signatureAlgorithm="RS256"
-        userIdentityToCreateSubject="preferred_username"
-        inboundPropagation="supported" />
-
-    <!-- JWT builder -->
-    <jwtBuilder id="jwtAuthUserBuilder" keyStoreRef="defaultKeyStore" 
-        keyAlias="${key.alias}" issuer="https://example.com" expiresInSeconds="600" />
-    <variable name="key.alias" defaultValue="default"/>
+        userNameAttribute="preferred_username" />
 
     <!-- JWT consumer -->
-    <mpJwt id="jwtUserConsumer" jwksUri="https://localhost:9443/jwt/ibm/api/jwtAuthUserBuilder/jwk" 
-        issuer="https://example.com" authFilterRef="mpJwtAuthFilter" />
+    <mpJwt id="jwtUserConsumer" 
+        jwksUri="https://login.microsoftonline.com/${tenant.id}/discovery/v2.0/keys" 
+        issuer="https://login.microsoftonline.com/${tenant.id}/v2.0"
+        audiences="${client.id}"
+        userNameAttribute="preferred_username" 
+        authFilterRef="mpJwtAuthFilter" />
 
     <!-- JWT auth filter -->
     <authFilter id="mpJwtAuthFilter">

guides/howto-integrate-aad-oidc.md

@@ -172,7 +172,7 @@ oc get route
 
 Once the Open Liberty Application is up and running, copy **HOST/PORT** of the route from console output.
 
-1. Open your **Azure AD** > **App registrations** > your **registered application** > **Authentication** > Click **Add URI** in **Redirect URIs** section > Input ***https://<copied_HOST/PORT_value>/oidcclient/redirect/liberty-aad-oidc-javaeecafe*** > Click **Save**.
+1. Open your **Azure AD** > **App registrations** > your **registered application** > **Authentication** > Click **Add URI** in **Redirect URIs** section > Input ***https://<copied_HOST/PORT_value>/ibm/api/social-login/redirect/liberty-aad-oidc-javaeecafe*** > Click **Save**.
 2. Open ***https://<copied_HOST/PORT_value>*** in your browser to visit the application home page.
 
 ## Next steps

guides/howto-integrate-all.md

@@ -31,17 +31,17 @@ The application `<path-to-repo>/2-simple` used in the previous [basic guide](how
 
 | File Name             | Source Path                     | Destination Path              | Operation  | Description           |
 |-----------------------|---------------------------------|-------------------------------|------------|-----------------------|  
-| `server.xml` | [`<path-to-repo>/2-simple/src/main/liberty/config/server.xml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/2-simple/src/main/liberty/config/server.xml) | [`<path-to-repo>/4-finish/src/main/liberty/config/server.xml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/src/main/liberty/config/server.xml) | Updated | Add `openidConnectClient-1.0`, `transportSecurity-1.0`, `appSecurity-3.0`, `jwt-1.0`, `mpJwt-1.1`, `mpConfig-1.3`, `jpa-2.2` features and their configurations. |
+| `server.xml` | [`<path-to-repo>/2-simple/src/main/liberty/config/server.xml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/2-simple/src/main/liberty/config/server.xml) | [`<path-to-repo>/4-finish/src/main/liberty/config/server.xml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/src/main/liberty/config/server.xml) | Updated | Add `socialLogin-1.0`, `transportSecurity-1.0`, `appSecurity-3.0`, `jwt-1.0`, `mpJwt-1.1`, `mpConfig-1.3`, `jpa-2.2` features and their configurations. |
 | `web.xml` | [`<path-to-repo>/2-simple/src/main/webapp/WEB-INF/web.xml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/2-simple/src/main/webapp/WEB-INF/web.xml) | [`<path-to-repo>/4-finish/src/main/webapp/WEB-INF/web.xml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/src/main/webapp/WEB-INF/web.xml) | Updated | Add `security-role` and `security-constraint` for accessing web resources of the application. |
-| `CafeJwtUtil.java` | | [`<path-to-repo>/4-finish/src/main/java/cafe/web/view/CafeJwtUtil.java`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/src/main/java/cafe/web/view/CafeJwtUtil.java) | New | The utility class for building JWT token using `preferred_username` and `groups` claims of ID token issued from Azure AD, and providing an API to determine if the logged-on user is in the configured **admin group** of Azure AD. |
+| `CafeJwtUtil.java` | | [`<path-to-repo>/4-finish/src/main/java/cafe/web/view/CafeJwtUtil.java`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/src/main/java/cafe/web/view/CafeJwtUtil.java) | New | The utility class for retrieving ID token issued from Azure AD, and providing an API to determine if the logged-on user is in the configured **admin group** of Azure AD. |
 | `CafeRequestFilter.java` | | [`<path-to-repo>/4-finish/src/main/java/cafe/web/view/CafeRequestFilter.java`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/src/main/java/cafe/web/view/CafeRequestFilter.java) | New | A client request filter for adding JWT token in **HTTP Authorization Header** for outbound requests. |
 | `Cafe.java` | [`<path-to-repo>/2-simple/src/mainjava/cafe/web/view/Cafe.java`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/2-simple/src/main/java/cafe/web/view/Cafe.java) | [`<path-to-repo>/4-finish/src/main/java/cafe/web/view/Cafe.java`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/src/main/java/cafe/web/view/Cafe.java) | Updated | Register `CafeRequestFilter` for intercepting internal REST calls, add new APIs to get principal name of logged-on user and flag indicating whether the logged-on user can delete existing coffees or not. |
 | `CafeResource.java` | [`<path-to-repo>/2-simple/src/main/java/cafe/web/rest/CafeResource.java`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/2-simple/src/main/java/cafe/web/rest/CafeResource.java) | [`<path-to-repo>/4-finish/src/main/java/cafe/web/rest/CafeResource.java`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/src/main/java/cafe/web/rest/CafeResource.java) | Updated | Inject `JsonWebToken` to verify the **groups claim** of the token for RBAC. |
 | `Coffee.java` | [`<path-to-repo>/2-simple/src/main/java/cafe/model/entity/Coffee.java`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/2-simple/src/main/java/cafe/model/entity/Coffee.java) | [`<path-to-repo>/4-finish/src/main/java/cafe/model/entity/Coffee.java`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/src/main/java/cafe/model/entity/Coffee.java) | Updated | Annotate POJO `Coffee` with `javax.persistence.Entity` annotation to make it a JPA Entity. |
 | `CafeRepository.java` | [`<path-to-repo>/2-simple/src/main/java/cafe/model/CafeRepository.java`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/2-simple/src/main/java/cafe/model/CafeRepository.java) | [`<path-to-repo>/4-finish/src/main/java/cafe/model/CafeRepository.java`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/src/main/java/cafe/model/CafeRepository.java) | Updated | Changed to be a Stateless Bean, `CafeRepository` implements create, read, update, and delete coffees using `javax.persistence.EntityManager` and `javax.persistence.PersistenceContext` APIs. |
 | `persistence.xml` | | [`<path-to-repo>/4-finish/src/main/resources/META-INF/persistence.xml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/src/main/resources/META-INF/persistence.xml) | New | A new configuration file to configure data persistence schema. |
 | `index.xhtml` | [`<path-to-repo>/2-simple/src/main/webapp/index.xhtml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/2-simple/src/main/webapp/index.xhtml) | [`<path-to-repo>/4-finish/src/main/webapp/index.xhtml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/src/main/webapp/index.xhtml) | Updated | Disable coffee delete button if the logged-on user is not authorized. |
-| `pom.xml` | [`<path-to-repo>/2-simple/pom.xml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/2-simple/pom.xml) | [`<path-to-repo>/4-finish/pom.xml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/pom.xml) | Updated | Add new properties and dependencies for OpenID Connect and database connection, and add new dependency for **Eclipse MicroProfile** and **postgresql** JDBC driver. |
+| `pom.xml` | [`<path-to-repo>/2-simple/pom.xml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/2-simple/pom.xml) | [`<path-to-repo>/4-finish/pom.xml`](https://github.com/Azure-Samples/open-liberty-on-aro/blob/master/4-finish/pom.xml) | Updated | Add new properties and dependencies for Social Login and database connection, and add new dependency for **Eclipse MicroProfile** and **postgresql** JDBC driver. |
 
 For reference, these changes have already been applied in `<path-to-repo>/4-finish` of your local clone.
 
@@ -160,7 +160,7 @@ oc get route
 
 Once the Open Liberty Application is up and running, copy **HOST/PORT** of the route from console output.
 
-1. Open your **Azure AD** > **App registrations** > your **registered application** > **Authentication** > Click **Add URI** in **Redirect URIs** section > Input ***https://<copied_HOST/PORT_value>/oidcclient/redirect/liberty-aad-oidc-javaeecafe*** > Click **Save**.
+1. Open your **Azure AD** > **App registrations** > your **registered application** > **Authentication** > Click **Add URI** in **Redirect URIs** section > Input ***https://<copied_HOST/PORT_value>/ibm/api/social-login/redirect/liberty-aad-oidc-javaeecafe*** > Click **Save**.
 2. Open ***https://<copied_HOST/PORT_value>*** in the **InPrivate** window of **Microsoft Edge**, verify the application is secured by Azure AD OpenID Connect and connected to Azure Database for PostgreSQL server.
 
    1. Sign in as a user, who doesn't belong to the admin group you created before.