The
previous post showed how to configure
the Fediz IdP to interoperate with the Google OpenID Connect provider. In addition to supporting WS-Federation, SAML SSO and OpenID Connect, from the forthcoming 1.3.1 release the Fediz IdP will also
support authenticating users via Facebook Connect. Facebook Connect is based on OAuth 2.0 and hence the implementation in Fediz shares quite a lot of common code with the OpenID Connect implementation. In this post, we will show how to configure the Fediz IdP to interoperate with Facebook.
1) Create a new app in the Facebook developer console
The first step is to create a new application in the Facebook developer console.
Create a Facebook developer account. Login and register as a Facebook developer. Click on "My Apps" and "Add a New App". Select the "website" platform and create a new app with the name "Fediz IdP". Enter your email, select a Category and click on "Create App ID". Enter "https://localhost:8443/fediz-idp/federation" for the Site URL. Now go to the dashboard for the application and copy the App ID + App Secret and save for later.
2) Testing the newly created Client
To test that everything
is working correctly, open a web browser and navigate to, substituting the client id saved in step "1" above:
- https://www.facebook.com/dialog/oauth?response_type=code&client_id=<app-id>&redirect_uri=https://localhost:8443/fediz-idp/federation&scope=email
Login using your Facebook credentials and grant permission on the OAuth
consent screen. The browser will then attempt a redirect to the given
redirect_uri. Copy the URL + extract
the "code" query String. Open a terminal and invoke the following
command, substituting in the secret and code extracted above:
- curl --data
"client_id=<app-id>&client_secret=<app-secret>&grant_type=authorization_code&code=<code>&redirect_uri=https://localhost:8443/fediz-idp/federation" https://graph.facebook.com/v2.6/oauth/access_token
You should see a successful response containing the OAuth 2.0 Access Token.
3) Install and configure the Apache CXF Fediz IdP and sample Webapp
Follow a
previous tutorial
to deploy the latest Fediz IdP + STS to Apache Tomcat, as well as the
"simpleWebapp". Note that you will need to use at least Fediz 1.3.1-SNAPSHOT here for Facebook support. Test that the
"simpleWebapp" is working correctly by
navigating to the following URL (selecting "realm A" at the IdP, and
authenticating as "alice/ecila"):
- https://localhost:8443/fedizhelloworld/secure/fedservlet
3.1) Configure the Fediz IdP to communicate with the Facebook IdP
Now we will configure the Fediz IdP to authenticate the user in "realm
B" by using the Facebook Connect protocol. Edit
'webapps/fediz-idp/WEB-INF/classes/entities-realma.xml'. In the 'idp-realmA' bean:
- Change the port in "idpUrl" to "8443".
In the 'trusted-idp-realmB' bean:
- Change the "url" value to "https://www.facebook.com/dialog/oauth".
- Change the "protocol" value to "facebook-connect".
- Delete the "certificate" and "trustType" properties.
- Add the following parameters Map, filling in a value for the client secret extracted above: <property name="parameters">
<util:map>
<entry key="client.id" value="<app-id>" />
<entry key="client.secret" value="<app-secret>" />
</util:map>
</property>
It is possible to specify custom scopes via a
"scope" parameter. The default value for this parameter is "email". The token endpoint can be configured via a "token.endpoint" parameter (defaults to "https://graph.facebook.com/v2.6/oauth/access_token"). Similarly, the API endpoint used to retrieve the user's email address can be configured via "api.endpoint", defaulting to "https://graph.facebook.com/v2.6". The Subject claim to be used to insert into a SAML Assertion is defined via "subject.claim", which defaults to "email".
3.2) Update the TLS configuration
By default, the Fediz IdP is configured with a truststore required to
access the Fediz STS. However, this would mean that the requests to the Facebook IdP over TLS will not be trusted. to change this, edit
'webapps/fediz-idp/WEB-INF/classes/cxf-tls.xml', and change the HTTP
conduit name from "*.http-conduit" to "https://localhost.*". This means
that this configuration will only get picked up when communicating with
the STS (deployed on "localhost"), and the default JDK truststore will
get used when communicating with the Facebook IdP.
3.3) Update Fediz STS claim mapping
The STS will receive a SAML Token created by the IdP representing the
authenticated user. The Subject name will be the email address of the
user as configured above. Therefore, we need to add a claims mapping in
the STS to map the principal received to some claims. Edit
'webapps/fediz-idp-sts/WEB-INF/userClaims.xml' and just copy the entry
for "alice" in "userClaimsREALMA", changing "alice" to your email
address used to log into Facebook.
Finally, restart Fediz to pick up the changes (you may need to remove the persistent storage first).
4) Testing the service
To test the service navigate to:
- https://localhost:8443/fedizhelloworld/secure/fedservlet
Select "realm B". You should be redirected to the Facebook
authentication page. Enter the user credentials you have created. You
will be redirected to Fediz, where it creates a SAML token representing the act of authentication via the trusted third party IdP, and redirects to the web
application.