Configuring Google ID integration with Liberty

You can validate OpenID Connect (OIDC)-based authentication during login, logout, or session timeout. To use Google ID to manage user IDs and passwords, configure Google ID as an identity provider.

Procedure

  1. Configure the following entries in server.xml.
    <openidConnectClient id="google"
        clientId="yourclientid" clientSecret="yourclientsecret"
        discoveryEndpointUrl="your_google_discovery_url"
        scope="openid"
        httpsRequired="true" signatureAlgorithm="RS256"
        authFilterRef="myAuthFilter" />
    <authFilter id="myAuthFilter">
        <requestUrl id="bypass1" urlPattern="/restapi|/heartbeat|/MQConnVerifierServlet|/restapi_internal|/servlets/scwcsoapservlet|/wms/error|/console/ibmid|/interop/InteropHttpServlet" matchType="notContain" />
        <requestUrl id="myURL" urlPattern="/sbc|/isccs|/wsc|/sfs|/sma|/smcfs|/isf" matchType="contains" />
    </authFilter>
    <application context-root="smcfs" type="ear" id="smcfs" name="smcfs" location="your_location">
        <application-bnd>
            <security-role name="All Role">
                <special-subject type="ALL_AUTHENTICATED_USERS" />
            </security-role>
            <security-role name="ExcludeAuth">
                <special-subject type="EVERYONE" />
            </security-role>
        </application-bnd>
    </application>
    <applicationMonitor dropinsEnabled="false" />
    Replace the placeholder values yourclientid, yourclientsecret, your_google_discovery_url, and your_location with actual values.

    The following is a sample server.xml with the given values configured.

    Note: This is a sample file and no support is provided for the following configuration.
    
    <server description="Default server">
        <!-- Enable features -->
        <featureManager>
            <feature>adminCenter-1.0</feature>
            <feature>jdbc-4.1</feature>
            <feature>jndi-1.0</feature>
            <feature>jsp-2.3</feature>
            <feature>servlet-3.1</feature>
            <feature>ssl-1.0</feature>
            <feature>appSecurity-2.0</feature>
            <feature>openidConnectClient-1.0</feature>
        </featureManager>

        <httpDispatcher enableWelcomePage="false" />
        <httpSession invalidateOnUnauthorizedSessionRequestException="true" />
        <webContainer trustHostHeaderPort="true" extractHostHeaderPort="true" />
        <webContainer disableXPoweredBy="true" />
        <httpOptions removeServerHeader="true" />

        <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443">
            <httpOptions removeServerHeader="true" />
        </httpEndpoint>

        <sslDefault sslRef="defaultSSLSettings" />
        <ssl id="defaultSSLSettings" sslProtocol="TLSv1.2" keyStoreRef="defaultKeyStore" clientAuthenticationSupported="true" />
        <keyStore id="defaultKeyStore" location="##########" type="JKS" password="##########" />

        <openidConnectClient id="google"
            clientId="###############" clientSecret="###############"
            discoveryEndpointUrl="#########"
            scope="openid"
            httpsRequired="true" signatureAlgorithm="RS256"
            authFilterRef="myAuthFilter" />
        <authFilter id="myAuthFilter">
            <requestUrl id="bypass1" urlPattern="/restapi|/heartbeat|/MQConnVerifierServlet|/restapi_internal|/servlets/scwcsoapservlet|/wms/error|/console/ibmid|/interop/InteropHttpServlet" matchType="notContain" />
            <requestUrl id="myURL" urlPattern="/sbc|/isccs|/wsc|/sfs|/sma|/smcfs|/isf" matchType="contains" />
        </authFilter>
        <application context-root="smcfs" type="ear" id="smcfs" name="smcfs" location="#################">
            <application-bnd>
                <security-role name="All Role">
                    <special-subject type="ALL_AUTHENTICATED_USERS" />
                </security-role>
                <security-role name="ExcludeAuth">
                    <special-subject type="EVERYONE" />
                </security-role>
            </application-bnd>
        </application>
        <applicationMonitor dropinsEnabled="false" />
    </server>
  2. Download the root CA certificate for Google ID from the Google ID discovery URL and import it into the keystore that Liberty uses.
  3. Add the following property to sandbox properties in <Runtime>/properties/sandbox.cfg.
    ENABLE_IBMID_AUTHENTICATION=true
  4. Apply the sandbox configuration changes by running the following command:
    <Runtime>/bin/setupfiles.sh
  5. Add the following property to customer overrides:
    yfs.yfs.ibmid.provisioner.name=google
  6. Add the URL https://localhost:9443/oidcclient/redirect/google to the list of sign-in redirect URLs in the Google ID configuration. This URL is an example for accessing the application from localhost. For a production environment, change it to https://<domain or ip:port>/oidcclient/redirect/google so that it matches your production domain or ip:port. For more information, see the Google ID documentation.
  7. Rebuild the EAR and redeploy it.
  8. To verify that the property is in effect, check web.xml in smcfs.war. It should contain security-constraint entries that correspond to the security roles defined in server.xml.
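The authFilter in step 1 decides which requests are sent through the Google ID login. The following Python, an added example that is not IBM or Liberty code, models the page's two requestUrl rules under the semantics assumed here: alternatives in a urlPattern are separated by '|', contains and notContain are substring tests on the request path, and every requestUrl rule in one authFilter must hold. It also flags a urlPattern that was wrapped across lines, as in the extracted snippet, where the line break becomes whitespace inside an alternative that then never matches.

```python
"""Model of the authFilter rules in the server.xml above.

Added example, not IBM or Liberty code.  Assumed semantics:
  * a urlPattern is a list of literal substrings separated by '|'
  * matchType="contains"   holds when the request path contains ANY alternative
  * matchType="notContain" holds when the request path contains NONE of them
  * every <requestUrl> inside one <authFilter> must hold for the filter to apply
"""

# Patterns copied from the page's authFilter: bypass list first, protected roots second.
BYPASS_PATTERN = ("/restapi|/heartbeat|/MQConnVerifierServlet|/restapi_internal"
                  "|/servlets/scwcsoapservlet|/wms/error|/console/ibmid"
                  "|/interop/InteropHttpServlet")
PROTECTED_PATTERN = "/sbc|/isccs|/wsc|/sfs|/sma|/smcfs|/isf"
RULES = [(BYPASS_PATTERN, "notContain"), (PROTECTED_PATTERN, "contains")]


def split_pattern(pattern):
    """Split a '|'-separated urlPattern into its alternatives, dropping empty tokens."""
    return [alt for alt in pattern.split("|") if alt]


def request_url_matches(path, pattern, match_type):
    """Evaluate one <requestUrl> rule against a request path (substring match, as modelled)."""
    hit = any(alt in path for alt in split_pattern(pattern))
    if match_type == "contains":
        return hit
    if match_type == "notContain":
        return not hit
    raise ValueError(f"unsupported matchType: {match_type}")


def oidc_filter_applies(path, rules=RULES):
    """True when every rule holds, i.e. the request is redirected to the Google ID login."""
    return all(request_url_matches(path, pat, mt) for pat, mt in rules)


def broken_alternatives(pattern):
    """Alternatives containing whitespace.  A urlPattern wrapped across lines in server.xml
    yields a token such as '/interop/ InteropHttpServlet' (the XML parser turns the line
    break into a space) that can never match a real request path."""
    return [alt for alt in split_pattern(pattern) if any(ch.isspace() for ch in alt)]


if __name__ == "__main__":
    # Constructed sample paths: a login page, a bypassed REST call, an unrelated context root.
    for p in ("/smcfs/console/login.jsp", "/smcfs/restapi/orders", "/other/app"):
        print(f"{p:32} -> {'OIDC login' if oidc_filter_applies(p) else 'no OIDC filter'}")
```

Because contains is a substring test, a path such as /foo/wscript is also routed through the filter by the /wsc alternative; run your own URL inventory through oidc_filter_applies before deploying the pattern.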