Setup for simple-oidc-check:

simple-oidc-check is a Gradle project. It is also a submodule of pingfed-automation.
It should already have been built, but we are going to build it more completely now.
It is a simple servlet-based project.
We use this project to verify that we are able to obtain access tokens from PingFederate.
In a command prompt or terminal, stay in the pingfed-automation folder and run ".\gradlew demo1-fullbuild" (./gradlew on Linux or macOS).

[screenshot: simple_oidc_check]

Build should show up like this.

[screenshot: simple_oidc_check_ant_res]

In case of difficulty, edit the tomcat.ver property in build.xml.

Start Tomcat

In a command prompt or terminal, staying in the pingfed-automation folder, run ".\gradlew demo1-start-tomcat".

[screenshot: start_tomcat]

This should result in:
[screenshot: started_tomcat]

Alternatively, navigate into the build/apache-tomcat-${tomcat.ver}/bin folder and run startup.bat or startup.sh.

Once Tomcat has started, visit http://localhost:8080/
[screenshot: localhost_8080]
If you see "could not connect" messages, make sure PingDirectory and PingFederate are running.

Click on the "Protected..." link (Authorization code grant flow).

We have two configurations for essentially the same OIDC server,
so the next screen prompts you to select the OIDC server.
[screenshot: oidcselect]
Click on the first "Start" link. This starts and verifies the authorization code flow.
[screenshot: authorization_code1]
Note: use "password" for the password. Then
[screenshot: authorization_code2]
Uncheck the foo scope item.
[screenshot: authorization_code3]
Press the Allow button.
The next screen should be this.
[screenshot: protected]
Note: as can be seen in the screen above, our authorization code sample treats scope as the user roles for convenience. That is why it shows false against foo, which was unchecked at the consent screen, but true against bar.
Also note: security can be applied against scope and also against roles, treating the two as different concepts.
Look at the console to see the access token and other details.
The application above demonstrates the authorization code flow.
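The flow you just clicked through, as an added example that is not code from simple-oidc-check or from PingFederate: a relying party and a stub provider run in one Python process (the sample app itself is a Java servlet; Python is used here only so the exchange can be run and checked offline). The issuer, client id and secret, redirect URI and user name are assumed values. The stub signs the ID token with HS256 using the client secret, which OIDC permits for confidential clients; PingFederate itself will normally sign with RS256 and publish the key at its jwks_uri, so a real relying party swaps the HMAC check for an RSA signature check against that document. The scope string returned with the tokens is what the sample treats as roles, so dropping foo at the consent screen is what makes the protected page show false for foo.

```python
"""Authorization code flow with PKCE, both sides simulated in-process.

Added example, not code from simple-oidc-check or PingFederate. The provider is an in-memory
stand-in so the flow runs offline; it signs the ID token with HS256 using the client secret
(allowed for confidential clients), where PingFederate normally uses RS256 with a published JWKS.
Issuer, client id/secret, redirect URI and user below are assumed values."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER, REDIRECT_URI = "https://idp.example.test", "http://localhost:8080/callback"
CLIENT_ID, CLIENT_SECRET = "simple-oidc-check", "replace-me-client-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_hs256(claims: dict, key: str) -> str:
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def pkce_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode()).digest())

class StubProvider:
    def __init__(self):
        self.codes = {}  # code -> (redirect_uri, granted scope, nonce, code_challenge)

    def authorize(self, auth_url: str, granted_scope: str) -> str:
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        if q.get("response_type") != "code" or q.get("client_id") != CLIENT_ID:
            raise ValueError("unauthorized_client")
        if q.get("redirect_uri") != REDIRECT_URI or q.get("code_challenge_method") != "S256":
            raise ValueError("invalid_request")  # redirect_uri is matched exactly, never by prefix
        code = secrets.token_urlsafe(24)
        # Consent screen: the user may drop scopes (the walkthrough above unchecks "foo").
        self.codes[code] = (q["redirect_uri"], granted_scope, q["nonce"], q["code_challenge"])
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, form: dict) -> dict:
        entry = self.codes.pop(form.get("code"), None)  # a code is single use
        if entry is None or form.get("client_secret") != CLIENT_SECRET:
            raise ValueError("invalid_grant")
        redirect_uri, scope, nonce, challenge = entry
        if form.get("redirect_uri") != redirect_uri or pkce_challenge(form.get("code_verifier", "")) != challenge:
            raise ValueError("invalid_grant")  # PKCE: only the party that started the flow can redeem the code
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": "user1", "aud": CLIENT_ID, "iat": now, "exp": now + 300, "nonce": nonce}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": scope, "id_token": jwt_hs256(claims, CLIENT_SECRET)}

def verify_id_token(token: str, expected_nonce: str) -> dict:
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to choose the algorithm
    expected = hmac.new(CLIENT_SECRET.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("nonce") != expected_nonce or claims.get("exp", 0) <= time.time():
        raise ValueError("replayed or expired id_token")
    return claims

class RelyingParty:
    def __init__(self, provider: StubProvider):
        self.provider = provider
        self.pending = {}  # state -> (nonce, code_verifier), held server-side; no HttpSession needed

    def start(self, scope: str = "openid foo bar") -> str:
        state, nonce, verifier = (secrets.token_urlsafe(32) for _ in range(3))
        self.pending[state] = (nonce, verifier)
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "scope": scope, "state": state, "nonce": nonce,
                  "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"}
        return f"{ISSUER}/authorize?{urlencode(params)}"

    def callback(self, redirect_url: str) -> dict:
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if q.get("state") not in self.pending:
            raise ValueError("unknown state")  # CSRF or replayed callback
        nonce, verifier = self.pending.pop(q["state"])
        tokens = self.provider.token({"grant_type": "authorization_code", "code": q.get("code"),
                                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                                      "client_secret": CLIENT_SECRET, "code_verifier": verifier})
        claims = verify_id_token(tokens["id_token"], nonce)
        return {"sub": claims["sub"], "scopes": set(tokens["scope"].split())}

def run_flow(granted_scope: str = "openid bar") -> dict:
    """Round trip: start, user consents (here dropping foo), callback, then scope-as-role checks."""
    provider = StubProvider()
    rp = RelyingParty(provider)
    principal = rp.callback(provider.authorize(rp.start(), granted_scope))
    return {role: role in principal["scopes"] for role in ("foo", "bar")}  # isUserInRole analogue
```

Calling run_flow() yields {'foo': False, 'bar': True}, the same answer the protected page shows. Four bindings carry the security of the flow: state ties the callback to the request that started it, the nonce ties the ID token to that same request, the PKCE verifier ties the code to the client instance that started it, and the code is deleted on first redemption so it cannot be replayed.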
The improvement areas are:

  • Caching of the JWKS and of introspection results.
  • Use of the refresh token.
    This could be done in different ways; we are steering away from it for now.
Click on the "Try" link (Client credentials grant flow).

This should take you to another access token, obtained via the client credentials grant flow.
If all worked correctly, congratulations.

About:

  • It is a simple sample demonstrating the authorization code flow.
  • It uses Tomcat security with a custom realm underneath.
  • It does not rely on HttpSessions but on the JEE container security.
  • For convenience it treats scope as the user roles.
  • Security can be applied against scope and also against roles, treating the two as different concepts.
  • The improvement areas are:
    • Caching of the JWKS and of introspection results.
    • Use of the refresh token.
    • This could be done in different ways; we are steering away from it for now.
  • Similar implementations should be possible for REST APIs using the same logic.
  • This sample implementation should also be compatible with other OIDC providers; nothing in it is specific to PingFederate.
  • Keep in mind that this is a working implementation meant to help demonstrate and understand the authorization code flow. It was also used to test the PingFederate setup.
  • We could not find another similar Tomcat-based demo except https://github.com/boylesoftware/tomcat-oidcauth. Unlike that project, we are not using HttpSessions in our demo.
  • Similar implementations should be possible for application containers other than Tomcat using the same logic. The same approach could even be implemented in Spring if needed.
  • Note: in the Java Spring world it is generally recommended to use Spring Security for implementing the authorization code flow. Lots of articles exist on that topic. A Spring Boot/Angular demo is also provided in this repository as a second example.
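Both lists of improvement areas, the one after the walkthrough and the one in About, name caching of the JWKS and of introspection results. What follows is an added example of what such caching needs to get right; it is written in Python rather than as part of the servlet app and is not code from simple-oidc-check. The JWKS cache keys on kid, refreshes on a TTL and on an unknown kid but rate-limits the latter, and the introspection cache bounds each entry's lifetime by both the token's exp and a short TTL, since any cached result delays revocation by that long. The fetchers are injected callables standing in for the provider's jwks_uri and introspection endpoint; the JWKS documents and introspection replies in demo() are constructed.

```python
"""Caching of the JWKS and of introspection results for a token-validating servlet.

Added example, not code from simple-oidc-check. The fetchers are injected callables so
the module runs offline; in a deployment they would be an HTTP GET of the provider's
jwks_uri and a POST to its introspection endpoint (RFC 7662). The JWKS documents and
introspection replies used in demo() are constructed, not real provider output.
"""
import hashlib
import time


class JwksCache:
    """Keys indexed by kid, refreshed when the TTL lapses or an unknown kid shows up.

    The unknown-kid refresh is rate limited: without that, anyone who can present a
    bearer token with a made-up kid can make the app hammer the provider's jwks_uri.
    """

    def __init__(self, fetch_jwks, ttl=3600, min_refresh=60, clock=time.time):
        self.fetch_jwks, self.ttl, self.min_refresh, self.clock = fetch_jwks, ttl, min_refresh, clock
        self.keys, self.fetched_at, self.fetch_count = {}, None, 0

    def _refresh(self):
        self.keys = {k["kid"]: k for k in self.fetch_jwks().get("keys", []) if "kid" in k}
        self.fetched_at = self.clock()
        self.fetch_count += 1

    def key_for(self, kid):
        now = self.clock()
        if self.fetched_at is None or now - self.fetched_at >= self.ttl:
            self._refresh()
        elif kid not in self.keys and now - self.fetched_at >= self.min_refresh:
            self._refresh()  # key rotation: the provider may have published a new kid
        return self.keys.get(kid)  # None means the caller must reject the token


class IntrospectionCache:
    """Cache RFC 7662 replies until min(token exp, max_ttl).

    Trade-off: a token revoked at the provider keeps working here for up to max_ttl
    seconds, so keep it short. Inactive replies are cached briefly too (negative caching),
    which stops a flood of junk tokens from turning into a flood of introspection calls.
    """

    def __init__(self, introspect, max_ttl=60, negative_ttl=10, clock=time.time):
        self.introspect, self.max_ttl, self.negative_ttl, self.clock = introspect, max_ttl, negative_ttl, clock
        self.entries, self.call_count = {}, 0  # sha256(token) -> (expires_at, reply)

    def check(self, token: str) -> dict:
        now = self.clock()
        key = hashlib.sha256(token.encode()).hexdigest()  # never keep raw bearer tokens as cache keys
        hit = self.entries.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]
        reply = self.introspect(token)
        self.call_count += 1
        if reply.get("active"):
            until = min(reply.get("exp", now + self.max_ttl), now + self.max_ttl)
        else:
            until = now + self.negative_ttl
        self.entries[key] = (until, reply)
        return reply


class FakeClock:
    """Controllable clock so the demo is deterministic."""

    def __init__(self, start=1_700_000_000):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo() -> dict:
    """Drive both caches with constructed data and report how often the network would be hit."""
    clock = FakeClock()
    published = {"keys": [{"kid": "k1", "kty": "RSA", "e": "AQAB", "n": "constructed"}]}
    jwks = JwksCache(lambda: published, ttl=3600, min_refresh=60, clock=clock)
    jwks.key_for("k1")       # first use: one fetch
    jwks.key_for("k1")       # cache hit
    jwks.key_for("bogus")    # unknown kid inside min_refresh: no fetch, the token gets rejected
    clock.advance(61)
    published = {"keys": [{"kid": "k2", "kty": "RSA", "e": "AQAB", "n": "constructed"}]}  # rotation
    rotated = jwks.key_for("k2") is not None  # unknown kid after min_refresh: refetch picks up k2

    token_exp = clock() + 30
    def introspect(tok):  # stand-in for the POST to the introspection endpoint
        return {"active": clock() < token_exp, "exp": token_exp} if tok == "good" else {"active": False}
    intro = IntrospectionCache(introspect, max_ttl=60, negative_ttl=10, clock=clock)
    intro.check("good"); intro.check("good")  # one call, then a hit
    clock.advance(31)                         # past the token's exp: must ask the provider again
    intro.check("good")
    intro.check("bad"); intro.check("bad")    # inactive reply cached for negative_ttl
    return {"jwks_fetches": jwks.fetch_count, "rotated": rotated, "introspections": intro.call_count}
```

demo() returns {'jwks_fetches': 2, 'rotated': True, 'introspections': 3}: two JWKS fetches for six lookups, with the key rotation picked up on the first request after the refresh window, and three introspection calls for five checks. Pick max_ttl to match how quickly a revocation must take effect; the JWKS TTL can be much longer because a key is only as trustworthy as the signature check that uses it, and rotation is handled by the unknown-kid path.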