The OAuth login module is a planned login facility providing access to third-party OAuth 2.0 and OpenID Connect services.
For OpenID Connect authorization providers we may also act as a resource provider that validates ID tokens presented by external clients. The login service might also be configured to accept access tokens issued to third parties by an authorization provider.
Configuration
The org.clazzes.login.oauth HttpLoginService is configured by the standard OSGi configuration service using the properties mentioned below:
Property | Description |
---|---|
sessionCookie | The name of the cookie to set in user agents. |
sessionTimeout | The timeout for cookie-based sessions in minutes. Sessions inactive for this time interval will be purged including all access/refresh/ID tokens requested from an OAuth/OpenID Provider. |
secureCookie | The secure flag of the issued cookie. Set this value to true if you are located behind an SSL-terminating reverse proxy. |
domain.<domain>.label | The mandatory human-readable label for the configured domain with identifier <domain>. |
domain.<domain>.authorizationLocation | The OAuth2 authorization endpoint URL. This value does not need to be set for full-featured OpenID Providers, where it is fetched from the specified configurationLocation. |
domain.<domain>.tokenLocation | The OAuth2 token endpoint URL. This value does not need to be set for full-featured OpenID Providers, where it is fetched from the specified configurationLocation. |
domain.<domain>.userLocation | The optional OAuth2 userinfo endpoint URL. This value does not need to be set for full-featured OpenID Providers, where it is fetched from the specified configurationLocation. |
domain.<domain>.configurationLocation | The well-known OpenID Connect configuration location. |
domain.<domain>.faviconLocation | The optional favicon location for domains that do not have a /favicon.ico resource at the root of their authorization web host. |
domain.<domain>.clientId | The client ID of our application as registered at the OAuth Provider. |
domain.<domain>.clientPassword | The password for the client ID of our application as registered at the OAuth Provider. |
domain.<domain>.scope | The mandatory scope to pass to the authorization endpoint. |
domain.<domain>.prompt | The optional prompt value to pass to the authorization endpoint. |
domain.<domain>.responseType | The optional response type to pass to the authorization endpoint. |
domain.<domain>.options | Comma-separated list of options from the set |
Examples
github.com
GitHub implements OAuth2 but is not a full-featured OpenID Connect provider.
Property | Value |
---|---|
domain.GITHUB.authorizationLocation | http://github.com/login/oauth/authorize |
domain.GITHUB.userLocation | https://api.github.com/user |
domain.GITHUB.label | github.com |
domain.GITHUB.clientId | Client ID as registered under 'Authorized OAuth Apps' at https://github.com/settings/applications |
domain.GITHUB.clientPassword | Password of the above mentioned client ID. |
domain.GITHUB.tokenLocation | https://github.com/login/oauth/access_token |
domain.GITHUB.scope | user |
google.com
Google implements a clean OpenID Connect provider with no hassles.
Property | Value |
---|---|
domain.GOOGLE.clientId | Client ID as registered under https://console.developers.google.com/apis/credentials |
domain.GOOGLE.clientPassword | |
domain.GOOGLE.configurationLocation | https://accounts.google.com/.well-known/openid-configuration |
domain.GOOGLE.label | google.com |
domain.GOOGLE.scope | openid profile email |
domain.GOOGLE.accessType | offline |
domain.GOOGLE.prompt | consent |
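As an added illustration, not code from this module, the following Python sketch shows how the properties above are consumed: explicit *Location values are used as given, gaps are filled from the discovery document at configurationLocation, the mandatory label/scope/clientId properties are checked, plain-HTTP endpoints are refused, and an authorization redirect carrying a per-login state value is built. The idp.example provider, its discovery document and all function names are assumptions for the example.

```python
import secrets
from urllib.parse import urlencode, urlsplit
# Constructed discovery document for a hypothetical OpenID Provider (not a real issuer).
SAMPLE_DISCOVERY = {
    "https://idp.example/.well-known/openid-configuration": {
        "authorization_endpoint": "https://idp.example/oauth2/authorize",
        "token_endpoint": "https://idp.example/oauth2/token",
        "userinfo_endpoint": "https://idp.example/oauth2/userinfo",
    }
}

def domain_properties(config, domain):
    """Collect the domain.<domain>.* properties of one domain, prefix stripped."""
    prefix = f"domain.{domain}."
    return {k[len(prefix):]: v for k, v in config.items() if k.startswith(prefix)}

def resolve_endpoints(props, fetch=SAMPLE_DISCOVERY.__getitem__):
    """Determine authorization/token/userinfo endpoints from the properties.
    Explicit *Location values win; gaps are filled from configurationLocation."""
    for key in ("label", "scope", "clientId"):
        if not props.get(key):
            raise ValueError(f"mandatory property {key} is missing")
    endpoints = {"authorization": props.get("authorizationLocation"),
                 "token": props.get("tokenLocation"),
                 "userinfo": props.get("userLocation")}
    if props.get("configurationLocation"):
        doc = fetch(props["configurationLocation"])  # assumed: returns parsed JSON
        for name, claim in (("authorization", "authorization_endpoint"),
                            ("token", "token_endpoint"), ("userinfo", "userinfo_endpoint")):
            endpoints[name] = endpoints[name] or doc.get(claim)
    for name in ("authorization", "token"):
        url = endpoints[name]
        if not url:
            raise ValueError(f"no {name} endpoint configured or discovered")
        # Authorization codes and tokens must never travel over plain HTTP.
        if urlsplit(url).scheme != "https":
            raise ValueError(f"{name} endpoint is not https: {url}")
    return endpoints

def authorization_request(props, endpoints, redirect_uri, state=None):
    """Build the redirect URL for the authorization endpoint; returns (url, state).
    state is an unguessable per-login value the caller binds to the browser session."""
    state = state or secrets.token_urlsafe(32)
    params = {"response_type": props.get("responseType", "code"),
              "client_id": props["clientId"], "redirect_uri": redirect_uri,
              "scope": props["scope"], "state": state}
    if props.get("prompt"):
        params["prompt"] = props["prompt"]
    return endpoints["authorization"] + "?" + urlencode(params), state
```

Fed the GitHub example above verbatim, resolve_endpoints rejects the http:// authorizationLocation, which is the check a deployment should make before redirecting users.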
Further Readings
OpenID Connect Core 1.0 Specification: http://openid.net/specs/openid-connect-core-1_0.html
...
IANA registry of JSON Web Token Claims: https://www.iana.org/assignments/jwt/jwt.xhtml
RFCs
RFC 7515, JSON Web Signature (JWS), https://tools.ietf.org/html/rfc7515
...