Video: OpenID Connect on Liberty

The following transcript is for the OpenID Connect on Liberty video, which demonstrates how to configure OpenID Connect on Liberty. This transcript is the video storyboard. Audio describes narration and captions. Onscreen Action describes the content that is shown in the video.


Table 1. Title page. Show title and then a basic OpenID Connect scenario, along with supported OpenID providers and benefits of using OpenID Connect.
Scene Audio Onscreen Action
1 This video will show you how to set up a simple OpenID Connect web single-sign-on scenario using WebSphere® Application Server Liberty. Show title OpenID Connect Quick Setup.
2 Here you can see a basic "OpenID Connect" flow. When a user first attempts to access an OpenID Connect-protected web application, or relying party, the user is redirected to an OpenID Connect provider. The OpenID Connect provider authenticates the user and obtains the user's authorization, then responds with an authorization code. The application container then extracts the code from the response, sends the code back to the OpenID provider for verification, and receives ID and access tokens. As a result, the user is authenticated to access the protected web application. Using the access token, the application can request user information, such as an email address, from the OpenID Connect provider, or it can access any service that supports OpenID Connect. In this video, I will refer to the application as the Relying Party or RP and the OpenID Provider as OP.

Let's take a look at several supported OpenID providers.

Show a basic OpenID Connect scenario that includes a Relying Party (RP), an OpenID Provider (OP), and an End-User.
3 You can configure IBM® WebSphere Liberty either as an OpenID provider or a relying party. You can use IBM Security Access Manager, also known as ISAM, as an OP as well. Alternatively, you can use a number of supported third-party OpenID providers. Show some of the supported OpenID providers.
  • IBM WebSphere
  • IBM Security Access Manager
  • Amazon
  • Microsoft
  • Okta
  • Google
4 OpenID Connect offers a number of benefits as an identity layer on top of OAuth 2.0. With OpenID Connect, users have a single internet identity that they can use to authenticate across several servers, services, and applications, and it reduces the amount of maintenance work in applications because they no longer need their own user registry.

For developers, it simplifies the task of authenticating users without taking on the responsibility of storing and managing passwords. OpenID Connect can also extend security services to cloud-based and mobile applications written in any language, such as JavaScript, Ruby, node.js, or Java™, and it can function as a single security manager for provisioning hundreds of Liberty servers in a cloud environment. Because OpenID Connect combines the advantages of identity, authentication, and OAuth, OpenID Connect is a significant improvement over OAuth alone.

Show some of the benefits of using OpenID Connect.
  • OpenID Connect makes it easier for a user to use a single internet identity (user account), to authenticate across several servers, services, and applications.
  • Applications no longer need to maintain their own user registry.
  • OpenID Connect extends security services to cloud and mobile applications, accessible through languages such as JavaScript, Ruby, node.js, and Java.
  • Provisioning hundreds of Liberty servers in a cloud offers the ability to have a single security manager.
  • OpenID Connect is a significant improvement over OAuth 2.0.
Table 2. Demo configuring the OpenID Provider
Scene Audio Onscreen Action
5 WebSphere Application Server Liberty can be configured as the OpenID provider, the relying party, or both. If you want to use Liberty as both an OP and RP, you must configure them on different Liberty server instances. We will set up Liberty servers as OP and RP and take a look at a simple web single-sign-on scenario between the Liberty OP and RP. Show title Setting up Liberty as OpenID Connect provider and relying party.
6 First, we will set up an OpenID provider.

To do so, we will install WebSphere Liberty 8.5.5.4 or later, which is required to use the OpenID Connect features. Install the OpenID Server feature.

Create a Liberty server and add an OP configuration to the server.xml file, which is available as a downloadable sample from IBM developerWorks®.

Show OP setup overview.
  1. Install WebSphere Liberty 8.5.5.4 or later > java -jar wlp-developers-runtime-8.5.5.4.jar
  2. Install OpenID Server feature (No download necessary) > bin/featureManager install openidConnectServer-1.0 --when-file-exists=ignore
  3. Create a Liberty server > server create oidcServer
  • Edit server.xml with more configurations (Sample downloadable)
  • Required features
  • SSL keystore
  • User Registry
  • OpenID Server
7 First, unpack the Liberty JAR file. This creates the wlp directory. Go to the bin directory under wlp, and run the featureManager install command to install the OpenID Connect Server feature.

In the same directory, run the server create command to create a Liberty OP server. We will name this one oidcServer.

oidcServer is now created with the minimum configuration in the server.xml file. You can find the configuration in the wlp/usr/servers/oidcServer directory.

Here you can see the contents of the server.xml file that we just created. The configuration is very simple, just one feature and port information. We will replace it with a server.xml file that has the OP server configuration. (Screen splits and OP config appears).

(Going through updates in the server.xml file) In this OP server configuration,
  • Required features are added.
  • A host name is added.
  • Keystore configuration is included for the SSL feature.
  • The OP maintains user accounts, so a user registry is configured.

The rest is OP configuration that uses OAuth technology. It includes information about the relying party that it performs authorization for.

You can download the server.xml file that we just added from IBM DeveloperWorks. We will start the OP server. Now that we have set up the OpenID provider, we can set up the Liberty relying party.

Demo with a command prompt that is being used to update server.xml file.
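The OP server.xml walked through above, written out as an added example (not the downloadable developerWorks sample): the host names, the keystore password, the provider id OP, and the client01/secret registration of the relying party are placeholders chosen for this illustration.

```xml
<server description="oidcServer (added example, not the developerWorks sample)">
    <!-- Required features: the OP itself plus SSL, since httpsRequired is on below -->
    <featureManager>
        <feature>openidConnectServer-1.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <!-- Placeholder host name; the RP must be able to reach it over HTTPS -->
    <httpEndpoint id="defaultHttpEndpoint" host="op.example.com" httpPort="9080" httpsPort="9443"/>

    <!-- Keystore for the SSL feature. In the demo the RP uses a copy of the same
         keystore and password, which is why the two servers already trust each other -->
    <keyStore id="defaultKeyStore" password="Liberty"/>

    <!-- The OP maintains the user accounts, so the registry lives here, not on the RP -->
    <basicRegistry id="basic" realm="OpRealm">
        <user name="user1" password="security"/>
    </basicRegistry>

    <!-- Only users in this role may authenticate through the OAuth/OIDC endpoints -->
    <oauth-roles>
        <authenticated>
            <user name="user1"/>
        </authenticated>
    </oauth-roles>

    <!-- OpenID Connect provider layered on an OAuth 2.0 provider. The id "OP" becomes
         part of the endpoint URLs, e.g. https://op.example.com:9443/oidc/endpoint/OP/authorize -->
    <openidConnectProvider id="OP" oauthProviderRef="OAuthConfig"/>

    <!-- autoAuthorize skips the consent page for the demo; leave it off where users
         should approve each relying party explicitly -->
    <oauthProvider id="OAuthConfig" httpsRequired="true" autoAuthorize="true">
        <localStore>
            <!-- Registration of the relying party it performs authorization for. The
                 redirect URI must match exactly; Liberty's RP derives it from the client id -->
            <client name="client01" secret="secret" displayname="client01"
                    redirect="https://rp.example.com:9443/oidcclient/redirect/client01"
                    scope="openid profile email" enabled="true"/>
        </localStore>
    </oauthProvider>
</server>
```

Plaintext secrets and keystore passwords are acceptable only for the demo; bin/securityUtility encode produces the encoded form that server.xml accepts in their place.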
Table 3. Demo configuring the Relying Party
Scene Audio Onscreen Action
8 To set up the relying party, just like the OP configuration, we need to have version 8.5.5.4 or later of Liberty and we will install the OpenID Client feature.

We will create a separate Liberty server and edit the server.xml file.

Then we will install the application and exchange keys with the OpenID provider for SSL communication.

Show RP setup overview.
  1. Install WebSphere Liberty 8.5.5.4 > java -jar wlp-developers-runtime-8.5.5.4.jar
  2. Install OpenID Client feature (No download necessary) > bin/featureManager install openidConnectClient-1.0 --when-file-exists=ignore
  3. Create a Liberty server > server create oidcRP
    • Edit server.xml with more configurations (Sample downloadable)
    • Required features
    • SSL keystore
    • OpenID Client
    • Application
  4. Install application (that uses OpenID Connect) > Copy application ear/war file under app directory
  5. Exchange keys with OP for SSL communication
9 Version 8.5.5.4 of Liberty is already configured on this machine. We will install the OpenID Client feature and create a server with the name oidcRP. Here is the default server.xml file. Now, we will compare it to a server.xml file with an RP configuration. These sections - features, endpoint host name, keystores - are the same updates that we previously saw with the OP.

This time, we have an OpenID Client configuration instead of the OP server configuration. It specifies the OP URLs to send authentication requests to.

The RP configuration also includes application configuration and these applications rely on the OP to perform authentication.

Note that there is no user registry configuration on the RP. That is all the configuration needed for the RP. We will copy a test application into the app directory of the RP. Before you start the RP server, make sure that the RP and OP have exchanged the keys in the keystore for SSL communication. In this demo, we will use the same keystore and same password.

Now we will start the RP server to see if we are set up correctly.

Demo with a command prompt that is being used to update server.xml file.
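The matching RP server.xml, again as an added example rather than the developerWorks sample: the host names, keystore password, endpoint URLs, the client01/secret pair (which must equal the registration on the OP), the testpage application and its role name "user" are all assumptions of this illustration.

```xml
<server description="oidcRP (added example, not the developerWorks sample)">
    <!-- Same feature and SSL updates as the OP, but the client feature instead of the server one -->
    <featureManager>
        <feature>openidConnectClient-1.0</feature>
        <feature>ssl-1.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <httpEndpoint id="defaultHttpEndpoint" host="rp.example.com" httpPort="9080" httpsPort="9443"/>

    <!-- Keystore copied from the OP in the demo, so the OP's certificate is already trusted.
         With separate keystores, import the OP's signer certificate here instead -->
    <keyStore id="defaultKeyStore" password="Liberty"/>

    <!-- No user registry on the RP: authentication is delegated to the OP.
         The id must match the client registered in the OP's localStore, and it is also
         the last path segment of the redirect URI
         (https://rp.example.com:9443/oidcclient/redirect/client01) -->
    <openidConnectClient id="client01"
        clientId="client01"
        clientSecret="secret"
        authorizationEndpointUrl="https://op.example.com:9443/oidc/endpoint/OP/authorize"
        tokenEndpointUrl="https://op.example.com:9443/oidc/endpoint/OP/token"
        scope="openid profile email"
        httpsRequired="true"
        mapIdentityToRegistryUser="false"/>

    <!-- The test application (copied into the apps directory). Its security constraint
         is what triggers the redirect to the OP; any authenticated OP user is mapped
         to the assumed role "user" -->
    <webApplication id="testpage" location="testpage.war" name="testpage">
        <application-bnd>
            <security-role name="user">
                <special-subject type="ALL_AUTHENTICATED_USERS"/>
            </security-role>
        </application-bnd>
    </webApplication>
</server>
```

If the RP reports an SSL handshake failure on the token request, the keystore exchange described in the narration is the first thing to verify.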
Table 4. Demo testing the OP/RP setup
Scene Audio Onscreen Action
10 The OP and RP servers are already started. In a browser, we will go to the application URL. When prompted, we will enter account information from the OP. We will see the RP relying on the OP to perform authentication. Once the user is authenticated, the RP will show an application page to the user. Let's try that now. Demo testing the OP/RP setup.
  1. Start both OP and RP servers > server start oidcServer > server start oidcRP
  2. In a browser, point to the application login page on RP > https://oidc-rp.rtp.raleigh.ibm.com:9443/testpage
  3. When prompted, enter the user ID and password that are maintained by the OP > user1 / security
  4. RP relies on OP for authentication
  5. Upon successful authentication, RP serves application page with user information.
11 In the browser, we will type in the application URL that is on the RP server. It will prompt for a user name and password. Notice that we are being prompted by the OP server because the RP is delegating the authentication to the OP.

We will enter user1 and security, which are the credentials for the OP account. Now we are successfully logged in to the application on the RP using the OP account.

Demo with a browser login that shows a successful login into the application on the RP that is using the OP account.
Table 5. Conclusion. Show where to find more information about OpenID Connect.
Scene Audio Onscreen Action
12 For more information, visit these online resources. Show information on documentation:
WebSphere Liberty download page
https://developer.ibm.com/wasdev/downloads/liberty-profile-using-non-eclipse-environments/
OpenID Connect feature installation
Server: https://developer.ibm.com/wasdev/downloads/#asset/features-com.ibm.websphere.appserver.openidConnectServer-1.0
Client: https://developer.ibm.com/wasdev/downloads/#asset/features-com.ibm.websphere.appserver.openidConnectClient-1.0
IBM Knowledge Center - OpenID Connect main page
http://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/rwlp_using_oidc.html
IBM DeveloperWorks (including OP/RP sample)
http://www.ibm.com/developerworks/websphere/library/techarticles/1502_odonnell/1502_odonnell.html

For more information about OpenID Connect, see Using OpenID Connect.