configure social login as OpenID Connect client
majguo committed Jul 29, 2020
1 parent dcae745 commit 9fc6d49
Showing 3 changed files with 19 additions and 51 deletions.
10 changes: 2 additions & 8 deletions 3-integration/aad-oidc/pom.xml
Expand Up @@ -37,14 +37,8 @@
</dependency>
<dependency>
<groupId>com.ibm.websphere.appserver.api</groupId>
<artifactId>com.ibm.websphere.appserver.api.oidc</artifactId>
<version>1.0.39</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.ibm.websphere.appserver.api</groupId>
<artifactId>com.ibm.websphere.appserver.api.oauth</artifactId>
<version>1.2.39</version>
<artifactId>com.ibm.websphere.appserver.api.social</artifactId>
<version>1.0.42</version>
<scope>provided</scope>
</dependency>
<dependency>
@@ -1,55 +1,31 @@
package cafe.web.view;

import java.io.Serializable;
import java.lang.invoke.MethodHandles;
import java.util.Collections;
import java.util.List;
import java.util.logging.Logger;

import javax.enterprise.context.SessionScoped;
import javax.inject.Inject;
import org.eclipse.microprofile.config.inject.ConfigProperty;

import com.ibm.websphere.security.jwt.Claims;
import com.ibm.websphere.security.jwt.InvalidBuilderException;
import com.ibm.websphere.security.jwt.InvalidClaimException;
import com.ibm.websphere.security.jwt.JwtBuilder;
import com.ibm.websphere.security.jwt.JwtException;
import com.ibm.websphere.security.openidconnect.PropagationHelper;
import com.ibm.websphere.security.openidconnect.token.IdToken;
import com.ibm.websphere.security.social.UserProfileManager;

@SessionScoped
public class CafeJwtUtil implements Serializable {

private static final long serialVersionUID = 1L;
private static final Logger logger = Logger.getLogger(MethodHandles.lookup().lookupClass().getName());
private String jwtTokenString;
private List<String> groups;

@Inject
@ConfigProperty(name = "admin.group.id")
private String ADMIN_GROUP_ID;

@SuppressWarnings("unchecked")
public CafeJwtUtil() {
try {
IdToken idToken = PropagationHelper.getIdToken();
groups = idToken.getClaim("groups") != null ? (List<String>) idToken.getClaim("groups")
: Collections.emptyList();

jwtTokenString = JwtBuilder.create("jwtAuthUserBuilder").claim(Claims.SUBJECT, "javaee-cafe-rest-endpoints")
.claim("upn", idToken.getClaim("preferred_username")).claim("groups", groups).buildJwt().compact();
} catch (JwtException | InvalidBuilderException | InvalidClaimException e) {
logger.severe("Creating JWT token failed.");
e.printStackTrace();
}
}

public String getJwtToken() {
return jwtTokenString;
return UserProfileManager.getUserProfile().getIdToken().compact();
}

public boolean isUserInAdminGroup() {
return groups.contains(ADMIN_GROUP_ID);
@SuppressWarnings("unchecked")
List<String> groups = UserProfileManager.getUserProfile().getIdToken().getClaims().getClaim("groups",
List.class);

return groups != null && groups.contains(ADMIN_GROUP_ID);
}
}
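Review bot: Both `getJwtToken()` and `isUserInAdminGroup()` dereference `UserProfileManager.getUserProfile().getIdToken()` with no null handling; the removed constructor at least fell back to an empty groups list, so if the profile or its ID token is absent for this session-scoped bean (an unauthenticated or expired subject, for instance) the new code throws NullPointerException where it previously denied access. A guard such as `UserProfile profile = UserProfileManager.getUserProfile(); if (profile == null || profile.getIdToken() == null) { return false; }` in isUserInAdminGroup, with the equivalent in getJwtToken returning null or throwing a clear exception, keeps the fail-closed behaviour explicit. Since the same call chain appears in both methods, a private helper returning the current IdToken (or an empty Optional) would also remove the duplication. The `@SuppressWarnings("unchecked")` on the local is acceptable, but a short comment such as `// raw List from getClaim(); only read via contains(), so the unchecked cast cannot fail at runtime` would document why it is safe.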
22 changes: 10 additions & 12 deletions 3-integration/aad-oidc/src/main/liberty/config/server.xml
Expand Up @@ -7,7 +7,7 @@
<feature>jsf-2.3</feature>
<feature>jaxrs-2.1</feature>
<feature>ejbLite-3.2</feature>
<feature>openidConnectClient-1.0</feature>
<feature>socialLogin-1.0</feature>
<feature>transportSecurity-1.0</feature>
<feature>appSecurity-3.0</feature>
<feature>jwt-1.0</feature>
Expand Down Expand Up @@ -37,22 +37,20 @@
<ssl id="defaultSSLConfig" trustDefaultCerts="true" />

<!-- Add your tenant id, client ID and secret from AAD -->
<openidConnectClient
<oidcLogin
id="liberty-aad-oidc-javaeecafe" clientId="${client.id}"
clientSecret="${client.secret}"
discoveryEndpointUrl="https://login.microsoftonline.com/${tenant.id}/v2.0/.well-known/openid-configuration"
discoveryEndpoint="https://login.microsoftonline.com/${tenant.id}/v2.0/.well-known/openid-configuration"
signatureAlgorithm="RS256"
userIdentityToCreateSubject="preferred_username"
inboundPropagation="supported" />

<!-- JWT builder -->
<jwtBuilder id="jwtAuthUserBuilder" keyStoreRef="defaultKeyStore"
keyAlias="${key.alias}" issuer="https://example.com" expiresInSeconds="600" />
<variable name="key.alias" defaultValue="default"/>
userNameAttribute="preferred_username" />

<!-- JWT consumer -->
<mpJwt id="jwtUserConsumer" jwksUri="https://localhost:9443/jwt/ibm/api/jwtAuthUserBuilder/jwk"
issuer="https://example.com" authFilterRef="mpJwtAuthFilter" />
<mpJwt id="jwtUserConsumer"
jwksUri="https://login.microsoftonline.com/${tenant.id}/discovery/v2.0/keys"
issuer="https://login.microsoftonline.com/${tenant.id}/v2.0"
audiences="${client.id}"
userNameAttribute="preferred_username"
authFilterRef="mpJwtAuthFilter" />

<!-- JWT auth filter -->
<authFilter id="mpJwtAuthFilter">
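Review bot: The new `oidcLogin` and `mpJwt` elements both set `userNameAttribute="preferred_username"`, so the Liberty principal is keyed on a claim that Microsoft documents as mutable and not guaranteed unique for Azure AD accounts; if anything beyond the groups check ever relies on the principal name, the immutable `oid` (or `sub`) claim is the safer basis, with `preferred_username` kept for display only. The comment `<!-- Add your tenant id, client ID and secret from AAD -->` now also governs the `mpJwt` block further down, which derives `jwksUri`, `issuer` and `audiences` from the same `${tenant.id}` and `${client.id}` variables; a comment such as `<!-- mpJwt validates AAD-issued tokens directly: signing keys, issuer and audience are derived from tenant.id / client.id -->` would make that coupling visible. Worth stating in the same comment is that with `audiences="${client.id}"` the REST endpoints now accept the application's own ID tokens as bearer credentials, which is what the accompanying CafeJwtUtil change forwards. The first hunk of this file (the feature swap to socialLogin-1.0) raises nothing further.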
