
Sample Static Configuration for using Google Authentication

jricher edited this page Dec 22, 2014 · 7 revisions

Google has a couple of non-standard behaviors that had to be addressed as special cases, so you can't use every type of server configuration: you are limited to a Hybrid or Static configuration in which the Google entry is set up in a particular way.

The following example is based on making the sample simple-web-app work with a Static configuration that uses Google authentication; one can extrapolate from it to get a Hybrid configuration working. The changes shown here were made to the src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml file (see client configuration).

  1. Set the Authentication Filter to use your configurations, in this sample Static configurations:

    <bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
       <property name="authenticationManager" ref="authenticationManager" />
    
       <property name="issuerService" ref="staticIssuerService" />
       <property name="serverConfigurationService" ref="staticServerConfigurationService" />
       <property name="clientConfigurationService" ref="staticClientConfigurationService" />
       <property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
       <property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
    </bean>
  2. Set up your issuer to be Google. Note the effect this has on the simple client: with a single static issuer it ignores whatever you type into the issuer entry box during login.

    <bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
       <property name="issuer" value="accounts.google.com" />
    </bean>
  3. Configure the Google server entry to use the OAuth 2.0/OIDC endpoints that Google uses. This is where the non-standard behaviors are addressed. Google's "issuer" is not prefixed with "https://", so discovery (which builds the configuration URL from the issuer) cannot be used and a static configuration is needed; and Google's processing of the "nonce" parameter is non-standard, which required the addition of the "nonceEnabled" property so that nonce checking can be turned off for this server. Be aware that the nonce is what ties an ID Token to the login that requested it: with nonceEnabled set to false the client no longer detects a replayed ID Token, so only disable it for issuers that require it.

    <bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService" id="staticServerConfigurationService">
       <property name="servers">
          <map>
             <entry key="accounts.google.com">
                <bean class="org.mitre.openid.connect.config.ServerConfiguration">
                   <property name="issuer" value="accounts.google.com" />
                   <property name="tokenEndpointUri" value="https://accounts.google.com/o/oauth2/token" />
                   <!-- Google's authorizationEndpointUri, userInfoUri and jwksUri go here as well; take the values from Google's OpenID Connect documentation -->
                   <property name="nonceEnabled" value="false" />
                </bean>
             </entry>
          </map>
       </property>
    </bean>

  4. Finally, you must configure your client to meet Google's requirements. Replace anything called "my-*" with your actual values, obtained for your project from the Google Developers Console. Because the token endpoint authentication method is SECRET_POST, the client secret from the console is required as well.
    <bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
       <property name="clients">
          <map>
             <entry key="accounts.google.com">
                <bean class="org.mitre.oauth2.model.RegisteredClient">
                   <property name="clientName" value="my-client-name" />
                   <property name="clientId" value="my-google-client-id-from-console" />
                   <property name="scope">
                      <set value-type="java.lang.String">
                         <value>openid</value>
                         <value>email</value>
                         <value>profile</value>
                      </set>
                   </property>
                   <property name="clientSecret" value="my-google-client-secret-from-console" />
                   <property name="tokenEndpointAuthMethod" value="SECRET_POST" />
                   <property name="redirectUris">
                      <set>
                         <value>https://my-redirect-uri-setup-in-google/</value>
                      </set>
                   </property>
                </bean>
             </entry>
          </map>
        </property>
    </bean>
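The two Google quirks handled by steps 2 and 3 change which checks the client performs. The following Python script is added here as an illustration; it is not code from this page or from the MITREid Connect project. It mirrors the `issuer` and `nonceEnabled` settings in a small model of a relying party: it shows why a scheme-less issuer cannot be turned into a discovery URL (hence the static server configuration), and it runs the ID Token claim checks against constructed claim sets so you can see exactly what `nonceEnabled="false"` gives up. The `ServerConfig` class, the helper names, the example issuer `https://op.example.com` and all claim values are assumptions made for the example; signature verification is out of scope.

```python
import urllib.parse

WELL_KNOWN_PATH = "/.well-known/openid-configuration"


def discovery_url(issuer):
    """Build the OIDC discovery URL the way a discovery-based client does:
    issuer + /.well-known/openid-configuration. Returns None when the issuer
    is not an https URL, which is the case for Google's scheme-less issuer
    "accounts.google.com" and the reason a static server entry is used."""
    parts = urllib.parse.urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        return None
    return issuer.rstrip("/") + WELL_KNOWN_PATH


class ServerConfig:
    """Minimal stand-in (an assumption for this example) for one server
    entry: the issuer string and the nonceEnabled switch."""

    def __init__(self, issuer, nonce_enabled=True):
        self.issuer = issuer
        self.nonce_enabled = nonce_enabled


def validate_id_token_claims(claims, server, client_id, expected_nonce, now):
    """Run the ID Token claim checks a relying party makes before trusting
    the token (issuer, audience, expiry, nonce). Returns a list of failures;
    an empty list means the claims are acceptable. The signature is assumed
    to have been verified already and is not modelled here."""
    failures = []
    # iss must match the configured issuer exactly, scheme-less or not.
    if claims.get("iss") != server.issuer:
        failures.append("iss mismatch")
    # aud may be a single string or a list; our client_id must be in it.
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if client_id not in aud:
        failures.append("aud does not contain client_id")
    exp = claims.get("exp")
    if exp is None or now >= exp:
        failures.append("token expired or exp missing")
    # The nonce binds the token to the login that requested it. With
    # nonceEnabled=false (the Google entry) this check is skipped, so a token
    # minted for another session passes the remaining checks unnoticed.
    if server.nonce_enabled and claims.get("nonce") != expected_nonce:
        failures.append("nonce missing or mismatched")
    return failures


# Constructed sample data for the example (not real Google values).
GOOGLE = ServerConfig("accounts.google.com", nonce_enabled=False)
STANDARD_OP = ServerConfig("https://op.example.com", nonce_enabled=True)
CLIENT_ID = "my-google-client-id-from-console"
NOW = 1419292800  # constructed "current time" in Unix seconds

GOOGLE_CLAIMS = {  # constructed claim set with no nonce claim at all
    "iss": "accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "sub-123",
    "exp": NOW + 3600,
}


def replayed_claims(session_nonce):
    """Constructed claim set for a token minted for a different session,
    so its nonce does not match the one this session sent."""
    return {"iss": "https://op.example.com", "aud": [CLIENT_ID], "sub": "alice",
            "exp": NOW + 3600, "nonce": "someone-elses-" + session_nonce}


if __name__ == "__main__":
    print(discovery_url(GOOGLE.issuer))       # None: nothing to build a URL from
    print(discovery_url(STANDARD_OP.issuer))  # https://op.example.com/.well-known/openid-configuration
    print(validate_id_token_claims(GOOGLE_CLAIMS, GOOGLE, CLIENT_ID, "n-1", NOW))  # []
    print(validate_id_token_claims(replayed_claims("n-1"), STANDARD_OP,
                                   CLIENT_ID, "n-1", NOW))  # ['nonce missing or mismatched']
```

Run it as a script to see the four results; the last two lines are the point of the example. The same replayed claim set that a standards-following entry rejects on the nonce check is accepted as soon as `nonce_enabled` is false, which is why the wiki sets `nonceEnabled` to false for the Google entry only and leaves it on for every other issuer.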