Sample Static Configuration for using Google Authentication
Google does not allow dynamic client registration, but is otherwise compliant with the OpenID Connect protocol. You have to have the Google+ API enabled in your Google Developer Console in order for this to work. There you create
The following example is based on making the sample simple-web-app work with a Static configuration that uses Google Authentication; one can extrapolate from this to get a Hybrid configuration working. The updates shown here were made to the src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml file (see client configuration).
- Set the Authentication Filter to use your configurations, in this sample Static configurations:

    <bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
      <property name="authenticationManager" ref="authenticationManager" />
      <property name="issuerService" ref="staticIssuerService" />
      <property name="serverConfigurationService" ref="dynamicServerConfigurationService" />
      <property name="clientConfigurationService" ref="staticClientConfigurationService" />
      <property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
      <property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
    </bean>
- Set your issuer to https://accounts.google.com. This example uses the static issuer service; note that the effect on the simple client is that it ignores anything you type in the entry box during login. To use multiple issuers, use a different issuer service and have a selector page where one of the options is https://accounts.google.com.

    <bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
      <property name="issuer" value="https://accounts.google.com" />
    </bean>
- Google's server configuration can be discovered dynamically from the issuer.

    <bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService" />
- Finally, you must statically configure your client to work with Google's requirements. Replace anything called "my-*" with your actual values, obtained from your Google API via the Google Developers Console.

    <bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
      <property name="clients">
        <map>
          <entry key="https://accounts.google.com">
            <bean class="org.mitre.oauth2.model.RegisteredClient">
              <property name="clientName" value="my-client-name" />
              <property name="clientId" value="my-google-client-id-from-console" />
              <property name="clientSecret" value="my-google-client-secret-from-console" />
              <property name="scope">
                <set value-type="java.lang.String">
                  <value>openid</value>
                  <value>email</value>
                  <value>profile</value>
                </set>
              </property>
              <property name="redirectUris">
                <set>
                  <value>https://my-redirect-uri-setup-in-google/</value>
                </set>
              </property>
            </bean>
          </entry>
        </map>
      </property>
    </bean>
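A pre-deployment check for the static configuration above, as an added example that is not part of the original page or of the MITREid Connect project. It verifies that the clients map has an entry keyed by exactly the configured issuer, that no `my-*` placeholder is left in the client id or secret, that `openid` is in the scope set, and that redirect URIs are https; the names `lint` and `SAMPLE` and the placeholder heuristics are assumptions of this example.

```python
import xml.etree.ElementTree as ET
IMPL = "org.mitre.openid.connect.client.service.impl."
# Constructed sample: the issuer and client beans from this page, trimmed, in a <beans> root.
SAMPLE = """<beans>
 <bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService">
  <property name="issuer" value="https://accounts.google.com" /></bean>
 <bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService">
  <property name="clients"><map><entry key="https://accounts.google.com">
   <bean class="org.mitre.oauth2.model.RegisteredClient">
    <property name="clientId" value="my-google-client-id-from-console" />
    <property name="clientSecret" value="my-google-client-secret-from-console" />
    <property name="scope"><set><value>openid</value><value>email</value></set></property>
    <property name="redirectUris"><set>
     <value>https://my-redirect-uri-setup-in-google/</value></set></property>
   </bean></entry></map></property></bean>
</beans>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # tolerate namespaced Spring files

def find(el, name):
    return [c for c in el.iter() if c is not el and local(c) == name]

def values(bean, prop):
    # Text of every <value> under the bean's direct <property name=prop>.
    return [v.text or "" for p in bean if p.get("name") == prop for v in find(p, "value")]

def attr(bean, prop):
    return next((p.get("value", "") for p in bean if p.get("name") == prop), "")

def lint(xml_text):
    beans = {b.get("class"): b for b in find(ET.fromstring(xml_text), "bean")}
    issuer_bean = beans.get(IMPL + "StaticSingleIssuerService")
    clients_bean = beans.get(IMPL + "StaticClientConfigurationService")
    if issuer_bean is None or clients_bean is None:
        return ["static issuer or static client configuration bean is missing"]
    issuer, out = attr(issuer_bean, "issuer"), []
    entries = {e.get("key"): b[0] for e in find(clients_bean, "entry") if (b := find(e, "bean"))}
    if issuer not in entries:  # exact string match, so a trailing slash counts as a mismatch
        out.append(f"no client entry is keyed by the issuer {issuer}")
    for key, client in entries.items():
        for name in ("clientId", "clientSecret"):
            if not attr(client, name) or attr(client, name).startswith("my-"):
                out.append(f"{key}: {name} is unset or still a my-* placeholder")
        if "openid" not in values(client, "scope"):
            out.append(f"{key}: scope set lacks 'openid'")
        out += [f"{key}: redirect URI {u} is not https or is a placeholder"
                for u in values(client, "redirectUris") if not u.startswith("https://") or "//my-" in u]
    return out
```

Run `lint()` over the contents of servlet-context.xml before deploying; an empty list means none of these checks fired.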
Software is available under the Apache 2.0 license. Documentation available under the Creative Commons 3.0 By-NC license.