security-openid-connect-providers.adoc

File metadata and controls

368 lines (213 loc) · 12.5 KB

Configuring Well-Known OpenID Connect Providers

Introduction

If you use OpenID Connect Authorization Code Flow to protect Quarkus endpoints, then you need to configure Quarkus to tell it how to connect to OpenID Connect providers, how to authenticate to such providers, which scopes to use, and so on.

Sometimes you need to use the configuration to work around the fact that some providers do not implement OpenID Connect completely, or are in fact OAuth2-only providers.

The configuration of such providers can become complex, very technical and difficult to understand.

The quarkus.oidc.provider configuration property has been introduced to refer to well-known OpenID Connect and OAuth2 providers. This property can be used to refer to a provider such as github with only a minimum number of customizations: typically, an account-specific client id, client secret and a few other properties have to be set to complete the configuration.

This property can be used in application.properties, in multi-tenant set-ups when more than one provider has to be configured (for example, see the Quarkus Renarde security documentation), and in custom TenantConfigResolvers when the tenant configurations are created dynamically.
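As an added example (not part of the original Quarkus documentation), the following application.properties fragment shows the multi-tenant form of the same property, with one tenant per provider. The tenant ids github and google, and the environment variable names, are assumptions made for this example; the quarkus.oidc.<tenant-id>.* prefix and the ${VAR} expansion are standard Quarkus and MicroProfile Config behaviour.

```properties
# GitHub tenant: the provider preset supplies the GitHub endpoints, so only the
# account-specific values are set here. Tenant ids "github" and "google" are
# names assumed for this example.
quarkus.oidc.github.provider=github
quarkus.oidc.github.client-id=${GITHUB_CLIENT_ID}
# Client secrets are read from environment variables (MicroProfile Config
# expansion) so that they are not committed together with the properties file.
quarkus.oidc.github.credentials.secret=${GITHUB_CLIENT_SECRET}

# Google tenant, configured the same way
quarkus.oidc.google.provider=google
quarkus.oidc.google.client-id=${GOOGLE_CLIENT_ID}
quarkus.oidc.google.credentials.secret=${GOOGLE_CLIENT_SECRET}
```

Each tenant keeps its own callback URL registered at the provider, so the redirect URI you register in the provider console must match the tenant that handles it. Keeping the secrets in environment variables rather than in application.properties is the usual way to avoid leaking them through version control or a build artifact.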

Well Known Providers

GitHub

In order to set up OIDC for GitHub you need to create a new OAuth application in your GitHub developer settings:

oidc github 1

Make sure to fill in the appropriate details, but more importantly the Authorization Callback URL, set to http://localhost:8080/_renarde/security/github-success (if you intend to test this using the Quarkus DEV mode).

Now click on Register application and you’ll be shown your application page:

oidc github 2

You need to click on Generate a new client secret, confirm your credentials, and write down your Client ID and Client secret (especially that one, because you will not be able to see it again later from that page, but you can always recreate one, so don’t worry too much):

oidc github 3

Now add the following configuration to your application.properties:

quarkus.oidc.provider=github
quarkus.oidc.client-id=<Client ID>
quarkus.oidc.credentials.secret=<Secret>
Tip
You can also use the GitHub provider with quarkus.oidc.application-type=service; just set the quarkus.oidc.verify-access-token-with-user-info configuration property to true.

Google

In order to set up OIDC for Google you need to create a new project in your Google Cloud Platform console:

Pick a project name and click on CREATE.

oidc google 1

Now make sure you select your project in the top selector, and click on the left-hand bar menu on APIs and Services > OAuth consent screen:

oidc google 2

Select External to authorise any Google user to log in to your application and press CREATE:

oidc google 3

Now you can fill in your application name, your support email, your developer contact information and press SAVE AND CONTINUE:

oidc google 4

Do not add any scopes on the next page, and press SAVE AND CONTINUE:

oidc google 5

Do not add any test user on the next page, and press SAVE AND CONTINUE:

oidc google 6

Click on the top menu CREATE CREDENTIALS > OAuth client ID:

oidc google 7

Select Web application as Application type, and add http://localhost:8080/_renarde/security/oidc-success in the Authorised redirect URIs list, then press CREATE:

oidc google 8

Copy your Client ID and Client Secret:

oidc google 9

You can now configure your application.properties:

quarkus.oidc.provider=google
quarkus.oidc.client-id=<Client ID>
quarkus.oidc.credentials.secret=<Secret>

Microsoft

In order to set up OIDC for Microsoft you need to go to your Microsoft Azure Portal, and search for Azure Active Directory, then click on it:

oidc microsoft 1

Once there, on the left side under Manage, click on App registrations then click on New registration:

oidc microsoft 2

Fill in your application name, select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) to allow anyone to log in, and add a Web Redirect URI as http://localhost:8080/_renarde/security/oidc-success, then click on Register:

oidc microsoft 3

On the resulting page, copy the Client Id (under Application (client) ID), then click on Add a certificate or secret:

oidc microsoft 4

Now, under Client secrets (0), click on New client secret:

oidc microsoft 5

Click on Add in that dialog without changing anything:

oidc microsoft 6

On the resulting page, copy your Secret Value:

oidc microsoft 7

You can now configure your application.properties:

quarkus.oidc.provider=microsoft
quarkus.oidc.client-id=<Client ID>
quarkus.oidc.credentials.secret=<Secret>

Apple

In order to set up OIDC for Apple you need to create a developer account, and sign up for the 99€/year program, but you cannot test your application on localhost like most other OIDC providers: you will need to run it over https and make it publicly accessible, so for development purposes you may want to use a service such as https://ngrok.com.

Go to Create a new identifier and press +

oidc apple 1

Don’t touch anything, keep App IDs selected, and press Continue:

oidc apple 2

Don’t touch anything, keep App selected, and press Continue:

oidc apple 3

Enter a description and a Bundle ID (use your application package name):

oidc apple 4

Then scroll down to find the Sign in with Apple Capability, select it, and press Continue:

oidc apple 5

Write down your App ID Prefix, then press Register:

oidc apple 6

Back on the Identifiers page, press +:

oidc apple 7

Select Service IDs and press Continue:

oidc apple 8

Enter a description and Bundle ID (use your application package name), then press Continue:

oidc apple 9

Now press Register:

oidc apple 10

Back on the service list, click on your newly created service:

oidc apple 11

Enable Sign in with Apple and press Configure:

oidc apple 12

Add your domain and return URL (set to <host>/_renarde/security/oidc-success) and press Next:

oidc apple 13

Now press Done:

oidc apple 14

Now press Continue:

oidc apple 15

And now press Save:

oidc apple 16

Go to the Keys page on the left menu, and press +:

oidc apple 17

Fill in a key name, enable Sign in with Apple, and press Configure:

oidc apple 18

Select your Primary App ID and press Save:

oidc apple 19

Back on the key page, press Continue:

oidc apple 20

Now press Register:

oidc apple 21

Write down your Key ID, download your key and save it to your Quarkus application in src/main/resources/AuthKey_<KEYID>.p8:

oidc apple 22

You can now configure your application.properties:

quarkus.oidc.provider=apple
quarkus.oidc.client-id=<Bundle ID>
quarkus.oidc.credentials.jwt.key-file=AuthKey_<Key ID>.p8
quarkus.oidc.credentials.jwt.token-key-id=<Key ID>
quarkus.oidc.credentials.jwt.issuer=<App ID Prefix>
quarkus.oidc.credentials.jwt.subject=<Bundle ID>

Facebook

Facebook will not let you test your application on localhost like most other OIDC providers: you will need to run it over https and make it publicly accessible, so for development purposes you may want to use a service such as https://ngrok.com.

In order to set up OIDC for Facebook start by Creating an application, select None as an app type, and press Next:

oidc facebook 1

Now enter an application name, and contact email, and press Create app:

oidc facebook 2

On the app page, click Set up on the Facebook login product:

oidc facebook 3

Skip the Quickstarts page and click on Facebook login > Settings on the left menu:

oidc facebook 4

Enter your Redirect URIs (set to <host>/_renarde/security/oidc-success) and press Save changes:

oidc facebook 5

Now go to Settings > Basic on the left-hand menu, and write down your App ID and App secret:

oidc facebook 6

You can now configure your application.properties:

quarkus.oidc.provider=facebook
quarkus.oidc.client-id=<App ID>
quarkus.oidc.credentials.secret=<App secret>

Twitter

You can use Twitter for OIDC login, but at the moment, it restricts access to the user’s email, which means you will have to obtain it and verify it yourself.

In order to set up OIDC for Twitter start by Creating a project, enter a project name, and press Next:

oidc twitter 1

Enter a use case, and press Next:

oidc twitter 2

Enter a project description, and press Next:

oidc twitter 3

Now enter an application name, and press Next:

oidc twitter 4

Write down your keys, because they will not be displayed again, and press App Settings:

oidc twitter 5

Navigate down to the User authentication settings section and press Set up:

oidc twitter 6

Check the OAuth 2.0 check box:

oidc twitter 7

Select Web App as application type, then fill in your application details (use <host>/_renarde/security/twitter-success for the Callback URI).

Note
Twitter doesn’t require https usage in practice, but won’t accept your Website URL without it, so you can still use ngrok for it.

Now press Save:

oidc twitter 8

You can now copy your Client ID and Client Secret and press Done:

oidc twitter 9

You can now configure your application.properties:

quarkus.oidc.provider=twitter
quarkus.oidc.client-id=<Client ID>
quarkus.oidc.credentials.secret=<Client Secret>

Spotify

oidc spotify 1

Don’t forget to add http://localhost:8080 as a redirect URI for testing during development. You should get a client id and secret generated once the Spotify application setup has been completed, for example:

oidc spotify 2

You can now configure your application.properties:

quarkus.oidc.provider=spotify
quarkus.oidc.client-id=<Client ID>
quarkus.oidc.credentials.secret=<Client Secret>