Creating relying party clients using the Nimbus OAuth 2.0 SDK with OpenID Connect extensions

Transcription

1 Creating relying party clients using the Nimbus OAuth 2.0 SDK with OpenID Connect extensions , Vladimir Dzhuvinov

2 Goals of the SDK Full implementation of the OIDC specs and all related OAuth 2.0 RFCs Originally created to build an OIDC provider server May also be used to build OIDC clients (relying parties) Ongoing development to stay current with latest OIDC / OAuth 2.0 / JOSE / JWT drafts

3 The OIDC protocol flows Implicit flow: authz endpoint returns ID token (optionally with inlined UserInfo claims) and access token directly to browser / client client not authenticated, minimises back-channel requests intended for mobile / browser JS apps Code flow: authz endpoint returns code code exchanged for ID token and access token at token endpoint upon client authentication intended for server based web apps

4 Implicit Flow OIDC provider server HTTP redirect with authz request query ID token (Access token) Authz Endpoint client app browser JS, mobile Access token User details (name, ,...) User Info Endpoint

5 Code Flow OIDC provider server Front-channel request through browser HTTP redirect with authz request query Code Authz Endpoint Back-channel request from app Code + client credentials ID token, Access token Access token User details (name, ,...) Token Endpoint User Info Endpoint

6 Creating an OIDC client Based on OIDC code flow Using the PayPal OIDC provider: Demonstrates: composing an authz request and redirecting to the PayPal OIDC provider exchanging the code for an ID token and access token retrieving UserInfo using the access token

7 Before we start developing Need a public HTTPS URL for the client application A free SSL cert can be quickly obtained from CACert.org Remember to install root CA certificate into your browser (CACert.org not recognised by browsers by default)

8 The double-redirect trick Allows you to develop the client app on your own machine Set a public HTTPS URL that redirects automatically to the local host URL of your app in development, e.g. redirects to =>

9 Register client app with PayPal Instructions: Record endpoint URLs, client id + secret

10 Register client app with PayPal

11 Compose OIDC authz request import com.nimbusds.oauth2.sdk.*; import com.nimbusds.oauth2.sdk.id.*; import com.nimbusds.openid.connect.sdk.*; ResponseTypeSet rts = new ResponseTypeSet(); rts.add(responsetype.code); Scope scope = new Scope(); scope.add(oidcscopetoken.openid); scope.add(oidcscopetoken. ); scope.add(oidcscopetoken.profile); ClientID clientid = new ClientID("0ddce2239c2b075732c989fc0b69d86e"); URL redirecturi = new URL(" Nonce nonce = new Nonce(8); OIDCAuthorizationRequest authzreq = new OIDCAuthorizationRequest(rts, scope, clientid, redirecturi, nonce); String querystring = authzreq.toquerystring(); URL authzendpointurl = new URL(" URL authzurl = new URL(authzEndpointURL + "?" + querystring);

12 Redirect with request to PayPal authz endpoint

13 Process the authz response at the callback URL String querystring = req.getquerystring(); OIDCAuthorizationResponse authzresponse = OIDCAuthorizationResponseParser.parse(new URL(" + querystring)); if (authzresponse instanceof OIDCAuthorizationErrorResponse) { } OIDCAuthorizationErrorResponse authzerror = (OIDCAuthorizationErrorResponse)authzResponse; out.println("authorization error: " + authzerror.geterrorobject()); return; OIDCAuthorizationSuccessResponse authzsuccess = (OIDCAuthorizationSuccessResponse)authzResponse; AuthorizationCode code = authzsuccess.getauthorizationcode();

14 Exchange the authz code for ID token and access token URL tokenendpointurl = new URL(" ClientID clientid = new ClientID("0ddce2239c2b075732c989fc0b69d86e"); Secret clientsecret = new Secret(" b29d8ec57"); ClientAuthentication clientauth = new ClientSecretBasic(clientID, clientsecret); AccessTokenRequest accesstokenrequest = new AccessTokenRequest(code, null, clientauth); HTTPRequest httprequest = accesstokenrequest.tohttprequest(tokenendpointurl); HTTPResponse httpresponse = httprequest.process(); OIDCTokenResponse tokenresponse = OIDCTokenResponseParser.parse(httpResponse); if (tokenresponse instanceof OIDCTokenErrorResponse) { OIDCTokenErrorResponse tokenerror = (OIDCTokenErrorResponse)tokenResponse; out.println("token error: " + tokenerror.geterrorobject()); return; } OIDCAccessTokenResponse tokensuccess = (OIDCAccessTokenResponse)tokenResponse; AccessToken accesstoken = tokensuccess.getaccesstoken(); RefreshToken refreshtoken = tokensuccess.getrefreshtoken(); SignedJWT idtoken = (SignedJWT)tokenSuccess.getIDToken();

15 Validate and extract ID token claims using the Nimbus JOSE + JWT lib MACVerifier hmacverifier = new MACVerifier(clientSecret.getValue().getBytes()); boolean valid = idtoken.verify(hmacverifier); out.println("id token is valid: " + valid); JSONObject jsonobject = idtoken.getjwtclaimsset().tojsonobject(); out.println("id token [claims set]: \n" + new PrettyJson().format(jsonObject)); ID token claims: { "auth_time" : , "exp" : 28800, "nonce" : "O8WV06qo", "aud" : [ "0ddce2239c2b075732c989fc0b69d86e" ], "iss" : " "user_id" : " "iat" : , "sessionindex" : "f27855f6e7844f989b4c575cdc9c47d71fdd6b24" }

16 Get UserInfo with access token // Note: The PayPal IdP uses an older OIDC draft version and // is at present not compatible with the Nimbus OIDC SDK so // we cannot use its helper call. We can however make a direct // call and simply display the raw data. URL userinfoendpointurl = new URL(" // Append the access token to form actual request URL userinforequesturl = new URL(userinfoEndpointURL, "?schema=openid&access_token=" + accesstoken.getvalue()); UserInfo: { "family_name" : "Dzhuvinov", "zoneinfo" : "Europe\/Berlin", "name" : "Vladimir Dzhuvinov", " " : "vladimir@dzhuvinov.com", "given_name" : "Vladimir", "user_id" : " }

17 Resources OIDC specs: OIDC SDK: JOSE+JWT SDK: Client app source: Test client app online: