OpenID Connect 1.0 (OIDC) is a simple identity protocol over OAuth 2.0. You can configure your Liberty applications to use Single Sign-on with Google so that users of your applications can log in with their Google accounts.

Authors: Bill O’Donnell (bill.odonnell@us.ibm.com), Chunlong Liang (liangch@us.ibm.com), Hiroko Takamiya (htakamiy@us.ibm.com)

OpenID Connect (OIDC) is becoming the accepted Internet Single Sign-on (SSO) protocol, and it works well with cloud, mobile, and native applications. OIDC lets a client application (such as a cloud or mobile application) request the identity of the user as an ID token in a standardized, REST-like manner. In addition, the client application can use access tokens to access REST-like Services.

Liberty can be configured as an OpenID Connect Provider or as an OpenID Connect Relying Party:

  • Liberty OIDC Provider – A dedicated Liberty instance can be configured as an OIDC provider (OP) and a Single Sign-on (SSO) server. Any client application can call an OP-hosted RESTful security service to request or verify end user identity and user profiles.
  • Liberty OIDC Relying Party – A Liberty instance can be configured as an OIDC relying party to take advantage of web SSO and use an OIDC provider as an identity provider. The Liberty security container can then call an OIDC OP to verify the identity of the end-user, instead of having the Liberty security container handle the user verification.

Configuring Liberty for Single Sign-on with Google

This article shows how to configure Liberty as an OIDC relying party that works with the Google OpenID Connect provider. With this configuration, Liberty profile delegates user authentication to the Google OpenID Connect provider, and application users are authenticated with their Google accounts. For more information, see our developerWorks article.

  1. Create a Liberty profile server, and name it googleRP. Find the server.xml file at <liberty_root>/usr/servers/googleRP/server.xml, open it in an editor, and make the following changes:
    1. Add the required features:
          <featureManager>       
              <feature>ssl-1.0</feature>
              <feature>jsp-2.2</feature>
              <feature>servlet-3.0</feature>
              <feature>appSecurity-2.0</feature>
              <feature>openidConnectClient-1.0</feature>
          </featureManager>
         
    2. Create the SSL keystore. It is used as the keystore for the SSL connection between the browser and the Liberty server, and as the truststore when the Liberty server makes an SSL connection to Google:
          <keyStore id="defaultKeyStore" password="keyspass" />
       

      The default keystore file is located at <liberty_root>/usr/servers/googleRP/resources/security/key.jks. In addition to storing the Liberty server certificate, you will import Google’s SSL certificate for https://www.googleapis.com/oauth2/v3/token into this key store in the next step.

    3. Import the SSL certificate for Google’s token endpoint
      1. Download the Google G3 signer certificate:
        1. In a browser, navigate to Google Trust Services, Repository of Documentation and Certificates
        2. Right-click the DER link associated with GTS GIAG3 and download the file
          • If you left-click on DER, the certificate is installed in your browser, which is not what you intend to do.
          • The file name is GTSGIAG3.crt
      2. Import the Google G3 certificate into your Liberty server keystore:
        1. Change directory to <liberty_root>/usr/servers/googleRP/resources/security
        2. Run the following command to import the certificate:
          keytool -importcert -keystore key.jks -storepass keyspass -alias googleG3 -file (path)/GTSGIAG3.crt -noprompt
          

          Note that keyspass is the password provided for the defaultKeyStore in the previous step.

    4. Add the OpenID Connect client configuration, which defines how and where to request the user’s ID Token from Google:
          <openidConnectClient id="googleRP"  
                 scope="openid profile email"
                 clientId="replace with your google client ID"
                 clientSecret="replace with your Google’s client secret"
                 authorizationEndpointUrl="https://accounts.google.com/o/oauth2/auth"
                 tokenEndpointUrl="https://www.googleapis.com/oauth2/v3/token" 
                 jwkEndpointUrl="https://www.googleapis.com/oauth2/v2/certs"
                 issuerIdentifier="accounts.google.com"
                 signatureAlgorithm="RS256"
                 userIdentityToCreateSubject="email">
          </openidConnectClient>
         

    We will come back to fill in both clientId and clientSecret after we register the Liberty server in Google. When you register Liberty profile in Google, you will need to provide a URL to Google as a callback, which OpenID Connect calls a redirect URL.

    The Liberty RP uses the pattern https://<hostname>:<sslport>/oidcclient/redirect/<openidConnectClient id> to generate its own redirect URL. For the OpenID Connect Client we just created, the redirect URL (assuming the SSL port is 8020) is https://localhost:8020/oidcclient/redirect/googleRP

    Write down this URL, which is the only information we need to give to Google.

  2. Configure the secured application. In this article, we deploy a very simple application, testpage.war, to the server and define the security role mapping like this:

      <application type="war" id="testpage" name="testpage" location="${server.config.dir}/apps/testpage.war">
        <application-bnd>
          <security-role name="All Role">
             <special-subject type="ALL_AUTHENTICATED_USERS" />
          </security-role>
        </application-bnd>
      </application>
     

    With the Google OP, we can only map the security role to all users with Google accounts. If fine-grained authorization is required, you will need to provide an account mapping in Liberty.

    The sample application is available from developerWorks.

  3. Register Liberty profile as an OAuth client in Google OpenID Connect Provider

    1. Access Google’s developers console
    2. Create a new project, and enter your project name.
    3. Open your Google project and go to APIs & auth > Credentials.
    4. Go to Create new Client ID; you may need to create a consent form if you have not created one before.
    5. Write down the values of both CLIENT ID and CLIENT SECRET; you will need to edit the Liberty server.xml file to use those two values.
    6. Edit REDIRECT URIS to add Liberty profile’s redirect URL. In this demo, it is https://localhost:8020/oidcclient/redirect/googleRP
    7. Now, save your Google project and configuration, and your Google setup is completed.
  4. Open the Liberty server.xml file, edit both clientId and clientSecret, and replace them with the values you just got from the Google Developers Console.

    Validate the setup for Liberty profile as Google OpenID Connect’s relying party

    1. Start Liberty profile: <liberty_root>/bin/server start googleRP
    2. Point web browser to: https://localhost:8020/testpage/
    3. Follow the instructions. At the end, you should see a page that displays your Google Gmail account name.

    Sample server.xml

     <server>
        <featureManager>
            <feature>ssl-1.0</feature>
            <feature>jsp-2.2</feature>
            <feature>servlet-3.0</feature>
            <feature>appSecurity-2.0</feature>
            <feature>openidConnectClient-1.0</feature>
        </featureManager>
        <openidConnectClient id="googleRP"
               scope="openid profile email"
               clientId="paste your Google CLIENT ID"
               clientSecret="paste your Google CLIENT SECRET"
               authorizationEndpointUrl="https://accounts.google.com/o/oauth2/auth"
               tokenEndpointUrl="https://www.googleapis.com/oauth2/v3/token"
               jwkEndpointUrl="https://www.googleapis.com/oauth2/v2/certs"
               issuerIdentifier="accounts.google.com"
               signatureAlgorithm="RS256"
               userIdentityToCreateSubject="email">
        </openidConnectClient>
        <keyStore id="defaultKeyStore" password="keyspass" />
        <!-- httpsPort must match the port in the redirect URL registered with Google (8020 in this article) -->
        <httpEndpoint host="localhost" httpPort="8011" httpsPort="8020" id="defaultHttpEndpoint"/>
        
            <application type="war" id="testpage" name="testpage" location="${server.config.dir}/apps/testpage.war">
                <application-bnd>
                    <security-role name="All Role">
                        <special-subject type="ALL_AUTHENTICATED_USERS" />
                    </security-role>
                </application-bnd>
            </application>
    </server>
     
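The script below is an added example; it is not part of the original article and not Liberty's own code. It models offline what the openidConnectClient attributes in the sample server.xml stand for when Liberty receives an ID token from Google: issuerIdentifier is the only issuer accepted, clientId is the audience the token must name, signatureAlgorithm is pinned by configuration rather than taken from the token header, the signing key must come from the JWK Set that jwkEndpointUrl serves (matched by kid), and userIdentityToCreateSubject names the claim that becomes the Liberty subject. The RSA key pair, the JWK Set, the client ID and every token are constructed inside the script; the RS256 code is a minimal pure-Python stand-in so the script runs without extra libraries, and it is not something to reuse in production.

```python
# Added example: offline model of the ID-token checks behind Liberty's openidConnectClient attributes.
# Keys, JWK Set, client ID and tokens are constructed here; the RS256 code is a toy stand-in, not production crypto.
import base64, hashlib, json, random
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 SHA-256 DigestInfo

def b64url(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _octets(n): return (n.bit_length() + 7) // 8

def _is_probable_prime(n, rounds=20):  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def generate_rsa_key(bits=1024):  # toy key generation for the demo signer; returns (n, e, d)
    e, half = 65537, bits // 2
    def prime():
        while True:
            c = random.getrandbits(half) | (1 << (half - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        if p != q and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _emsa_pkcs1_v15(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) as a k-octet integer
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(msg, n, d):
    return pow(_emsa_pkcs1_v15(msg, _octets(n)), d, n).to_bytes(_octets(n), "big")

def rs256_verify(msg, sig, n, e):
    return len(sig) == _octets(n) and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(msg, _octets(n))

def issue_id_token(claims, n, d, kid, alg="RS256"):  # mint a signed ID token the way an OP would
    dump = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump({"alg": alg, "typ": "JWT", "kid": kid}) + "." + dump(claims)
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), n, d))

class TokenRejected(Exception): pass

def validate_id_token(token, config, jwks, now):  # the checks the server.xml attributes stand for
    h_b64, p_b64, s_b64 = token.split(".")
    header, payload = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    if header.get("alg") != config["signatureAlgorithm"]:  # signatureAlgorithm: pinned by config, not the token
        raise TokenRejected("unexpected alg %r" % header.get("alg"))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)  # jwkEndpointUrl key set
    if key is None:
        raise TokenRejected("no JWK for kid %r" % header.get("kid"))
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify((h_b64 + "." + p_b64).encode(), b64url_decode(s_b64), n, e):
        raise TokenRejected("bad signature")
    if payload.get("iss") != config["issuerIdentifier"]:  # issuerIdentifier
        raise TokenRejected("issuer %r not trusted" % payload.get("iss"))
    aud = payload.get("aud")  # clientId: the audience this relying party expects
    if config["clientId"] not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("audience %r does not include this client" % aud)
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise TokenRejected("token expired")
    subject = payload.get(config["userIdentityToCreateSubject"])  # the claim that becomes the Liberty principal
    if not subject:
        raise TokenRejected("subject claim missing")
    return subject

def demo():  # one good token plus tokens a relying party must reject; returns the outcome per case
    n, e, d = generate_rsa_key()
    other_n, _, other_d = generate_rsa_key()  # a signer whose key is NOT in the JWK Set
    enc = lambda v: b64url(v.to_bytes(_octets(v), "big"))
    jwks = {"keys": [{"kty": "RSA", "kid": "demo-key-1", "n": enc(n), "e": enc(e)}]}  # what jwkEndpointUrl serves
    config = {"issuerIdentifier": "accounts.google.com", "signatureAlgorithm": "RS256",  # as in server.xml above; clientId is a placeholder
              "clientId": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com", "userIdentityToCreateSubject": "email"}
    now = 1_700_000_000  # fixed clock so the outcome is repeatable
    good = {"iss": "accounts.google.com", "aud": config["clientId"], "sub": "1234567890",
            "email": "user@example.com", "email_verified": True, "iat": now, "exp": now + 3600}
    cases = {"good": (good, n, d, "RS256"), "alg_none": (good, n, d, "none"),
             "other_issuer": (dict(good, iss="https://op.example"), n, d, "RS256"),
             "expired": (dict(good, exp=now - 1), n, d, "RS256"),
             "foreign_key": (good, other_n, other_d, "RS256")}
    def outcome(claims, kn, kd, alg):
        try:
            return "accepted as " + validate_id_token(issue_id_token(claims, kn, kd, "demo-key-1", alg), config, jwks, now)
        except TokenRejected as exc:
            return "rejected: " + str(exc)
    return {name: outcome(*args) for name, args in cases.items()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the outcome for each constructed token: the good one yields the email that would become the Liberty subject, while the tokens with an alg of none, a different issuer, an elapsed exp, or a signature from a key outside the JWK Set are rejected before any subject is created. The point for the configuration above is that every one of these checks is fixed by server.xml rather than by the token, which is why issuerIdentifier, clientId, signatureAlgorithm and jwkEndpointUrl must be set exactly, and why the truststore must let Liberty reach the token and JWK endpoints over SSL.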

14 comments on "Single sign-on with Google on Liberty"

  1. Vijay Kumar May 03, 2019

    This is a great article. I am curious to know how token and session management is done for the application, and do you have any article that covers cluster environment implementations?

  2. For clarity, please include the OAuth 2.0 Flow being used, and include the openidConnectClient responseType parameter. Thanks!

  3. Jens Faeustl April 13, 2017

    First of all, I like that article, but I do have a problem with the SSL communication. My AppServer (Liberty) is telling me that the CertSigner “CN=*.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US” is not in my keystore. I downloaded the Google cert from https://accounts.google.com and imported it into my keystore.

    PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    [ERROR ] CWPKI0022E: FEHLER BEIM SSL-HANDSHAKE: Es wurde ein Unterzeichner mit dem SubjectDN CN=*.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US vom Zielhost gesendet. Der Unterzeichner muss dem lokalen Truststore /Users/jensfaustl/wlp/usr/servers/defaultServer/resources/security/key.jks im SSL-Konfigurationsalias defaultSSLConfig hinzugefügt werden. Die erweiterte Fehlernachricht aus der SSL-Handshake-Ausnahme lautet wie folgt: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    [ERROR ] CWWKS1708E: Der OpenID Connect-Client [915261505398-q13oa5i12t01jvje67ft5qui51rfmg2q.apps.googleusercontent.com] kann keine Verbindung zum OpenID Connect-Provider unter [https://www.googleapis.com/oauth2/v3/token] herstellen, um ein ID-Token zu empfangen. Ursache: [java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target].

    Do you have any idea why?
    TX
    Jens

  4. Chunlong Liang March 30, 2016

    If you want to have fine-grained authorization, you can assign a security role to each user in the group. However, you cannot assign a role to a group, because the Google OpenID Connect provider does not emit group membership in the ID token. If you want to assign a role to a group, you can configure an LDAP registry for Liberty and have Liberty map Google accounts to LDAP.

    The following is a sample configuration to assign role to two Google users:

  5. Peter Nguyen March 30, 2016

    Never mind. The question is out of scope of this tutorial.

  6. Peter Nguyen March 29, 2016

    It’s a great article. I have a question. Pretend that I use OpenID to authenticate for just 2 users (namely, pssex01@gmail.com, yun14@gmail.com). In the section of server.xml above, you indicated,

    How would you implement for just 2 users instead of ALL_AUTHENTICATED_USERS ?

  7. Is there a similar article on doing this with the full WebSphere profile? I’ve tried this with a WebSphere version 8.5.5.5 profile and get a null refresh_token error when trying to use Google for authentication. This is in the trace. SessionData > setAccessToken(token [ya29.WgKth4hc6Rl3tcx2P7P4JdYcuimsxIyfqR40BEUKzDqXfjIUw_xvrfJ28uCqat-hiqwo]) Entry
    SessionData getJsonValue(jobj[not null],key[refresh_token]) Entry
    RelyingPartyU 3 Did not find the value for the provided key [refresh_token] in json object

  8. Thank you for your very useful article. It's not clear how one does this step. Can you please elaborate?

    In addition to storing the Liberty server certificate, you will need to import Google’s certificate to this key store.

    • Chunlong Liang August 05, 2015

      You can use Firefox browser to import Google OP’s certificate to your keystore. Here are steps:
      1. From firefox, enter https://accounts.google.com
      2. Left-click the lock in front of https
      3. click “more information”
      4. Click “Security”
      5. Click “View Certificate”
      6. Click “Details”
      7. Click “Export”
      8. Save

      After that, you can use java keytool or other keytool (like iKeyman) to import Google’s certificate to your local keyStore.

  9. Just wondering about step 6 (copied below) – is that redirect URI the one used in step 4 of Figure 2 in your developerWorks article?

    6. Edit REDIRECT URIS to add Liberty profile’s redirect URL. In this demo, it is https://localhost:8020/oidcclient/redirect/googleRP

    • Chunlong Liang March 20, 2015

      Yes, that is Liberty profile’s redirect URL. Liberty profile’s redirect URL is like https://<hostname>:<sslport>/oidcclient/redirect/<openidConnectClient id>. If you have multiple openidConnectClient elements defined in Liberty server.xml, make sure you use the correct ID (you could define multiple IDs to single sign-on with different OpenID Connect providers).
