OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol. This extension adds single sign-on (SSO) and single logout (SLO) over OIDC to web applications deployed on Tomcat, using WSO2 Identity Server as the identity provider.
Follow the steps below to see how the extension works.
We will use two web applications, ‘pizza-shop’ and ‘coffee-shop’, together with WSO2 Identity Server.
Tomcat 8 will host the web applications, and WSO2 IS will act as the identity provider that provides SSO and SLO.
- Download Tomcat 8 and extract the zip file to your computer. The extracted directory will be your <Tomcat_HOME> directory.
- Download WSO2 IS and extract the zip file to your computer. The extracted directory will be your <IS_HOME> directory.
Check out the project using the command below:
git clone https://github.com/Abilashini/tomcat-extension-openidsso.git
Here WSO2 Identity Server acts as the identity provider for the service providers. Each web app has to be registered as a service provider to get the single sign-on capability. Follow the steps below to register the coffee-shop and pizza-shop applications as service providers.
- Log into the management console of WSO2 IS.
- Click ‘Service Providers -> Add’ in the navigator.
- Enter 'coffee-shop' in the Service Provider Name field on the Add New Service Provider screen.
- Click Register to open the Service Providers screen.
- Click ‘Inbound Authentication Configuration -> OAuth/OpenID Connect Configuration’ and click ‘Configure’.
- You can now specify the OIDC-related configuration for the service provider. Enter http://localhost:8080/coffee-shop/openid under Callback Url.
- You will receive a client key and a client secret.
- Open <project_root>/samples/oidc-sample-apps/coffee-shop/src/main/webapp/META-INF/oidc-config.xml:
  - add the client key under the ‘client-id’ tag
  - add the client secret under the ‘client-secret’ tag
- Repeat the above steps to register a service provider for the pizza-shop application, using the following values:
  - Service Provider Name - pizza-shop
  - Callback Url - http://localhost:8080/pizza-shop/openid
  - Add the client key and client secret to the oidc-config.xml file in the <project_root>/samples/oidc-sample-apps/pizza-shop/src/main/webapp/META-INF directory.
Build the project using Maven:
mvn clean install
- Open the server.xml file (stored in the <Tomcat_HOME>/conf directory).
- Add the following under the Service tag:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/wso2/wso2carbon.jks" keystorePass="wso2carbon"/>
- Add the following under the localhost Host container:
<Valve className="org.wso2.carbon.tomcat.oidcsso.extension.oidc.OIDCSSOValve"/>
- Open the context.xml file (stored in the <Tomcat_HOME>/conf directory).
- Add the following under the Context tag:
<Listener className="org.wso2.carbon.tomcat.oidcsso.extension.utils.OIDCConfigurationLoader"/>
- Copy the <project_root>/modules/oidcsso/src/main/resources/wso2 folder to <Tomcat_HOME>/conf (the keystoreFile path in the Connector above points into this folder).
- Copy <project_root>/modules/oidcsso/target/oidcsso-1.0.1-SNAPSHOT-fat.jar to <Tomcat_HOME>/lib.
- Copy <project_root>/samples/oidc-sample-apps/coffee-shop/target/coffee-shop.war and <project_root>/samples/oidc-sample-apps/pizza-shop/target/pizza-shop.war to the <Tomcat_HOME>/webapps folder.
Start the Tomcat server.
- Try accessing http://localhost:8080/coffee-shop/
- Click on ‘Sign In’.
- You will be redirected to the Identity Server login page.
- Log in with your user credentials and click ‘SIGN IN’.
- Click ‘Approve Always’ on the consent page.
- You will now see the values received in the token response.
- Now access http://localhost:8080/pizza-shop/
- Click ‘Logout’ in the pizza-shop app. It will redirect to the Identity Server.
- Click ‘Yes’.
- Go back to the browser window of the coffee-shop app. You will see that its home page has been loaded, which means the coffee-shop app has been logged out as well.
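What a relying party such as the coffee-shop app has to do between ‘Sign In’ and the token response shown above, and on ‘Logout’, as an added Python example. This is not the project's Java code: the client id and secret are constructed placeholders, the ID token is a constructed HS256 fixture keyed with the client secret, and the WSO2 IS issuer, authorize and logout endpoint URLs are assumptions about a default install on port 9443.

```python
# Added example: the relying-party side of the sign-in and logout steps
# above, written here for illustration. It is not the tomcat-extension-
# openidsso code. The client id/secret are constructed placeholders and the
# WSO2 IS endpoint URLs are assumptions about a default install on port 9443.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "coffee-shop-client-id-PLACEHOLDER"          # value from the IS registration
CLIENT_SECRET = "coffee-shop-client-secret-PLACEHOLDER"  # value from the IS registration
REGISTERED_CALLBACK = "http://localhost:8080/coffee-shop/openid"
ISSUER = "https://localhost:9443/oauth2/token"                  # assumed default issuer
AUTHORIZE_ENDPOINT = "https://localhost:9443/oauth2/authorize"  # assumed
LOGOUT_ENDPOINT = "https://localhost:9443/oidc/logout"          # assumed


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(session):
    """'Sign In': redirect to IS with a fresh state (request binding) and
    nonce (token binding), both remembered in this browser's session."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REGISTERED_CALLBACK, "scope": "openid",
              "state": session["state"], "nonce": session["nonce"]}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def validate_callback(session, callback_url):
    """Accept the redirect back from IS only if it hits the registered
    Callback Url exactly and carries the state this session issued."""
    parsed = urlparse(callback_url)
    if parsed._replace(query="", fragment="").geturl() != REGISTERED_CALLBACK:
        raise ValueError("callback does not match the registered Callback Url")
    query = parse_qs(parsed.query)
    if "state" not in session or query.get("state") != [session["state"]]:
        raise ValueError("state mismatch: not a request this session started")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    del session["state"]  # single use
    return query["code"][0]


def make_id_token(claims):
    """Constructed fixture: an HS256 ID token keyed with the client secret
    (OIDC allows this for confidential clients; a real IS signs with its RSA
    key, in which case the signature is checked against the JWKS instead)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = header + "." + payload
    sig = hmac.new(CLIENT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(id_token, session, now=None):
    """The checks behind 'received values of token response': signature,
    issuer, audience, expiry and the nonce bound to this session."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # accept only the algorithm we expect
    expected = hmac.new(CLIENT_SECRET.encode(),
                        (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if "nonce" not in session or claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch")
    del session["nonce"]  # single use
    return claims


def build_logout_request(id_token, post_logout_uri):
    """'Logout': RP-initiated logout at the IS end-session endpoint, which
    ends the IS session that the other app's sign-in also relies on."""
    return LOGOUT_ENDPOINT + "?" + urlencode(
        {"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_uri})
```

The state and nonce are consumed on first use, so a replayed callback or a reused token is rejected, and the callback is compared against the registered Callback Url as a whole rather than by prefix, which is why the value entered during service provider registration must match the app's URL exactly.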