1) Create a new client in the Google developer console
The first step is to create a new client in the Google developer console to represent the Apache CXF Fediz IdP. Login to the Google developer console and create a new project. Click on "Enable and Manage APIs" and then select "Credentials". Click on "Create Credentials" and select "OAuth client id". Configure the OAuth consent screen and select "web application" as the application type. Specify "https://localhost:8443/fediz-idp/federation" as the authorized redirect URI. After creating the client, a pop-up window will specify the newly created client id and secret. Save both values locally. The Google documentation is available here.
2) Testing the newly created Client
It's possible to see the Google OpenId Connect configuration by navigating to:
- curl -u <client-id>:<secret> --data "client_id=<client-id>&grant_type=authorization_code&code=<code>&redirect_uri=https://localhost:8443/fediz-idp/federation" https://www.googleapis.com/oauth2/v4/token
3) Install and configure the Apache CXF Fediz IdP and sample Webapp
Follow a previous tutorial to deploy the latest Fediz IdP + STS to Apache Tomcat, as well as the "simpleWebapp". Note that you will need to use Fediz 1.3.0 here for OpenId Connect support. Test that the "simpleWebapp" is working correctly by navigating to the following URL (selecting "realm A" at the IdP, and authenticating as "alice/ecila"):
Now we will configure the Fediz IdP to authenticate the user in "realm B" by using the OpenID Connect protocol. Edit 'webapps/fediz-idp/WEB-INF/classes/entities-realma.xml'. In the 'idp-realmA' bean:
- Change the port in "idpUrl" to "8443".
- Change the "url" value to "https://accounts.google.com/o/oauth2/v2/auth".
- Change the "protocol" value to "openid-connect-1.0".
- Delete the "certificate" and "trustType" properties.
- Add the following parameters Map, filling in a value for the client secret extracted above: <property name="parameters">
<entry key="client.id" value="<client-id>" />
<entry key="client.secret" value="<secret>" />
<entry key="token.endpoint" value="https://accounts.google.com/o/oauth2/token" />
<entry key="scope" value="openid profile email"/>
<entry key="jwks.uri" value="https://www.googleapis.com/oauth2/v3/certs" />
<entry key="subject.claim" value="email"/>
3.2) Update the TLS configuration
By default, the Fediz IdP is configured with a truststore required to access the Fediz STS. However, this would mean that the requests to the Google IdP over TLS will not be trusted. to change this, edit 'webapps/fediz-idp/WEB-INF/classes/cxf-tls.xml', and change the HTTP conduit name from "*.http-conduit" to "https://localhost.*". This means that this configuration will only get picked up when communicating with the STS (deployed on "localhost"), and the default JDK truststore will get used when communicating with the Google IdP.
3.3) Update Fediz STS claim mapping
The STS will receive a SAML Token created by the IdP representing the authenticated user. The Subject name will be the email address of the user as configured above. Therefore, we need to add a claims mapping in the STS to map the principal received to some claims. Edit 'webapps/fediz-idp-sts/WEB-INF/userClaims.xml' and just copy the entry for "alice" in "userClaimsREALMA", changing "alice" to your Google email address.
Finally, restart Fediz to pick up the changes (you may need to remove the persistent storage first).
4) Testing the service
To test the service navigate to: