simple-oidc-check is a Gradle project and a submodule of pingfed-automation.
It should already have been built, but we are going to build it more completely now.
It is a simple servlet-based project.
We use it to verify that we can obtain access tokens from PingFederate.
In a command prompt or terminal, stay in the pingfed-automation folder and run ".\gradlew demo1-fullbuild" (on Linux or macOS the wrapper is "./gradlew demo1-fullbuild").
The build output should look like this.
If the build fails, edit the tomcat.ver property in build.xml.
Still in the pingfed-automation folder, run ".\gradlew demo1-start-tomcat".
On Linux you may first have to make the Tomcat scripts executable: "sudo chmod +x build/apache-tomcat-10.0.18/bin/startup.sh build/apache-tomcat-10.0.18/bin/catalina.sh build/apache-tomcat-10.0.18/bin/shutdown.sh" (adjust the version to match your tomcat.ver).
Then on Linux use "sudo ant start-tomcat". Note that Tomcat listens on port 8080 and does not need root; if the build directory is owned by your user, prefer running both commands without sudo so Tomcat does not run as root.
Alternatively, navigate into build/apache-tomcat-${tomcat.ver}/bin and run startup.bat or startup.sh.
Once Tomcat has started, visit http://localhost:8080/
If you see "could not connect" messages, make sure PingDirectory and PingFederate are running.
We have two configurations for essentially the same OIDC server, so the next screen prompts you to select one.
Click the first "Start" link. This starts and verifies the authorization code flow.
Note: use "password" as the password.
Then, on the consent screen, uncheck the foo scope and press Allow.
The next screen should look like this.
Note: as the screen shows, the authorization code sample treats scopes as user roles for convenience. That is why foo is false (the scope was unchecked, so it was not granted) and bar is true.
Also note: security can be applied to scopes and to roles as two different concepts.
Look at the console for the access token and other details. Printing tokens to the console is fine for this demo; do not log bearer tokens in a real deployment.
The application above demonstrates the authorization code flow. It then goes on to obtain a second access token via the client credentials grant.
If everything worked, congratulations.
- It is a simple sample demonstrating the authorization code flow.
- It uses Tomcat security with a custom Realm underneath.
- It does not rely on HttpSession; it relies on JEE container security.
- For convenience it treats scopes as user roles.
- Security can be applied to scopes and to roles as two different concepts.
- Improvement areas:
  - Caching of the JWKS and of introspection results.
  - Use of the refresh token.
  - These could be done in different ways; we are steering away from them for now.
- Similar implementations should be possible for REST APIs using the same logic.
- This sample should also be compatible with other OIDC providers; it does nothing specific to PingFederate.
- Keep in mind this is a working implementation meant to demonstrate and explain the authorization code flow. It was also used to test the PingFederate setup.
- We could not find another similar Tomcat-based demo except https://github.com/boylesoftware/tomcat-oidcauth. Unlike that project, our demo does not use HttpSession.
- Similar implementations should be possible for application containers other than Tomcat using the same logic, and the same approach could be implemented in Spring if needed.
- Note: in the Java Spring world it is generally recommended to use Spring Security to implement the authorization code flow; many articles cover that topic. A Spring Boot + Angular demo is provided in this repository as a second example.
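The following is an added example, not code from simple-oidc-check or pingfed-automation: a self-contained Python walk-through of the authorization code flow exercised above, including the demo's convention of treating granted scopes as roles (unchecking foo yields foo=false, bar=true) and the client credentials grant that follows it. An in-process stand-in replaces PingFederate and signs tokens with HS256 so the script runs offline on the standard library alone; the issuer URL, client id and secret, redirect URI, endpoint path and signing key are all constructed for the example, and the real server signs with RSA keys published via JWKS rather than a shared secret.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; nothing here comes from PingFederate.
ISSUER = "https://idp.example.test"
CLIENT_ID, CLIENT_SECRET = "demo1", "demo1-secret"
REDIRECT_URI = "http://localhost:8080/callback"
SIGNING_KEY = b"constructed-hs256-key-for-the-demo"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, now=None) -> dict:
    """Check alg, signature, issuer, audience and expiry before trusting any claim."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")            # rejects 'none' / alg confusion
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def roles_from_scopes(claims: dict, known_roles=("foo", "bar")) -> dict:
    """The demo's convention: every granted scope is treated as a user role."""
    granted = set(claims.get("scope", "").split())
    return {role: role in granted for role in known_roles}


class MockProvider:
    """In-process stand-in for the OIDC server: one-time codes and HS256 JWTs."""
    def __init__(self, user_password="password"):    # the demo's test password
        self.password = user_password
        self.codes = {}                               # code -> (sub, granted scopes)

    def authorize(self, url, username, password, allowed_scopes):
        """User logs in and consents to a subset of the requested scopes."""
        q = parse_qs(urlparse(url).query)
        if q["client_id"][0] != CLIENT_ID or q["redirect_uri"][0] != REDIRECT_URI:
            raise ValueError("unknown client or redirect_uri")
        if password != self.password:
            raise PermissionError("bad credentials")
        granted = sorted(set(q["scope"][0].split()) & set(allowed_scopes))
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, granted)
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, grant_type, **p):
        """Token endpoint for the authorization_code and client_credentials grants."""
        if p.get("client_id") != CLIENT_ID or p.get("client_secret") != CLIENT_SECRET:
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            if p.get("code") not in self.codes or p.get("redirect_uri") != REDIRECT_URI:
                raise ValueError("invalid_grant")
            sub, scopes = self.codes.pop(p["code"])   # codes are single use
        elif grant_type == "client_credentials":
            sub, scopes = CLIENT_ID, sorted(p.get("scope", "").split())
        else:
            raise ValueError("unsupported_grant_type")
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now,
                  "exp": now + 300, "scope": " ".join(scopes)}
        return {"access_token": sign_jwt(claims), "token_type": "Bearer"}


def run_authorization_code_flow(idp: MockProvider, allowed_scopes=("bar",)) -> dict:
    """Client side: request a code, check state, redeem it, verify the token, map roles."""
    state = secrets.token_urlsafe(16)                 # binds the callback to this request
    auth_url = f"{ISSUER}/authorize?" + urlencode({   # assumed endpoint path
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid foo bar", "state": state})
    callback = idp.authorize(auth_url, "user", "password", allowed_scopes)
    q = parse_qs(urlparse(callback).query)
    if q["state"][0] != state:                        # CSRF / mix-up defence
        raise ValueError("state mismatch")
    tok = idp.token("authorization_code", code=q["code"][0], redirect_uri=REDIRECT_URI,
                    client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    return roles_from_scopes(verify_jwt(tok["access_token"]))


if __name__ == "__main__":
    print(run_authorization_code_flow(MockProvider()))  # {'foo': False, 'bar': True}
```

Leaving foo out of allowed_scopes reproduces the consent screen where foo was unchecked: the token's scope claim carries only bar, so the role map comes back foo=false, bar=true. The client never trusts the redirect or the token blindly: state is compared before the code is redeemed, and signature, issuer, audience and expiry are checked before any scope is turned into a role. A real client would fetch the provider's JWKS and cache it (one of the improvement areas listed above) instead of holding a shared HS256 key.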