leogsilva/gluu-spring-security-openid


Relevant articles

This project is based on the following project:

OpenID Connect with Spring Security

Create client credentials on Gluu

  • First of all, access your Gluu oxAuth admin console, e.g. https://gluu/oxauth/login
  • Open the sub-menu OpenID Connect and choose the option "Clients"
  • Click on the button "Add Client"
  • Fill in the following options:
    • Client Name: a name that identifies your client. This name will be used by the application
    • Client Secret: the client secret used in the application configuration. Gluu accepts any string, but use a long random value: it is the credential the application presents to the token endpoint and, with HS256 below, it is also the key the ID token signature is computed with
    • Subject type: choose pairwise. According to the Gluu documentation, pairwise "provides a different sub value to each Client, so as not to enable Clients to correlate the End-User's activities without permission" (the wording is the OpenID Connect Core definition). See the Gluu docs
    • JWS alg Algorithm for signing the ID Token: choose HS256. HS256 is an HMAC keyed with the client secret, so the application verifies the ID token with the secret it already holds and needs no JWKS lookup; the trade-off is that anyone who obtains the secret can mint valid ID tokens, which RS256 would avoid
    • Authentication method for the Token Endpoint: choose client_secret_basic. The application then sends the client ID and secret in an HTTP Basic Authorization header when it calls the token endpoint
    • Redirect Login URIs: the login endpoint of our Spring Boot application. Do not use an IP address like 127.0.0.1 or localhost, use your real hostname. If your Gluu server runs on another machine (which was my case), make the hostname resolvable from that machine (using DNS). Gluu only accepts https redirect URIs here
    • Scopes: the scopes you intend to grant to your client. Choose: email, openid, profile, user_name
    • Response Types: the response types the client is allowed to request at the authorization endpoint, which in turn select the flow and what the endpoint returns (a code, a token, an ID token, or a combination of them). Choose code, token, and id_token. Only code is needed for the authorization_code grant used here; token and id_token additionally permit the implicit flow. See the Gluu documentation
    • Grant Types: the OAuth2 flow that you will use. Choose "authorization_code"
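The pieces of the flow that the client settings above select, as an added example in Python that is not part of this project (which is a Spring Boot application): the authorization request for the authorization_code grant, the client_secret_basic token request, and validation of an HS256 ID token with the client secret. The client ID, secret, hostnames and endpoint paths are constructed stand-ins in the shape of the values used on this page, and mint_test_id_token is a constructed stand-in for Gluu so that the checks can run offline.

```python
"""OpenID Connect authorization-code pieces matching the Gluu client settings above."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import quote, urlencode

# Constructed sample values (same shape as the page's examples, not a live client).
CLIENT_ID = "@!0000.0000.0000.0000!0001!0000.0000!0008!0000.0000.0000.0000"
CLIENT_SECRET = "example-secret-do-not-use"
REDIRECT_URI = "https://app.example.local:8443/login"
ISSUER = "https://gluu.example.local"
AUTHORIZE_URI = ISSUER + "/oxauth/seam/resource/restv1/oxauth/authorize"
TOKEN_URI = ISSUER + "/oxauth/seam/resource/restv1/oxauth/token"


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def build_authorization_url(state, nonce):
    """Authorization request for grant type authorization_code: response_type=code.
    state binds the callback to this browser session; nonce is echoed in the ID token."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email user_name",
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_URI + "?" + urlencode(params)


def token_request(code):
    """Token request with client_secret_basic: the credentials travel in the Authorization
    header, not in the form body. RFC 6749 s2.3.1 form-encodes id and secret before the
    base64 step; Gluu client ids contain '@' and '!', so that encoding is not a no-op."""
    cred = quote(CLIENT_ID, safe="") + ":" + quote(CLIENT_SECRET, safe="")
    headers = {
        "Authorization": "Basic " + base64.b64encode(cred.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return TOKEN_URI, headers, body


def verify_hs256_id_token(token, expected_nonce, now=None):
    """Validate an ID token signed with HS256. The MAC key is the client secret itself,
    so a valid signature proves only that a holder of the secret produced the token."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # rejects 'none' and any other algorithm switch
        raise ValueError("unexpected alg " + str(header.get("alg")))
    expected = hmac.new(CLIENT_SECRET.encode(), (h_b64 + "." + p_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("token not issued for this client")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims  # with subject type pairwise, claims["sub"] is specific to this client


def mint_test_id_token(claims, secret=CLIENT_SECRET, alg="HS256"):
    """Constructed stand-in for the Gluu issuer, only so the checks can be exercised offline."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), (header + "." + payload).encode(), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(sig)


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(state, nonce))
    print(token_request("sample-code")[1]["Authorization"])
    tok = mint_test_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "pairwise-sub",
                              "exp": int(time.time()) + 300, "nonce": nonce})
    print(verify_hs256_id_token(tok, nonce)["sub"])
```

The nonce and state must be generated per login and stored in the user's session, which is what Spring Security does for you; the point of verify_hs256_id_token is to show which checks the library performs with the client secret and why the secret's confidentiality matters under HS256.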

Generating the keystore.

The connection between the Spring Boot application and the Gluu server will only work if the application trusts the Gluu certificate. The easiest way to do this is to add the Gluu certificate to your JDK's trust store (cacerts). The command to accomplish this is:

sudo keytool -import -v -trustcacerts -alias server-alias -file <PATH to GLUUS CRT certificate>/gluu.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -keypass changeit -storepass changeit

Adjust the -file path to wherever you saved the Gluu certificate. The cacerts path above is the JDK 8 layout; on JDK 9 and later it is $JAVA_HOME/lib/security/cacerts. The -keypass option is irrelevant for a trusted-certificate entry (there is no private key) and can be dropped. Modifying cacerts affects every Java program on the machine; the alternative is a separate trust store passed to the application with -Djavax.net.ssl.trustStore. Whichever you use, check the entry afterwards with keytool -list -keystore <the trust store> -alias server-alias and compare the fingerprint with that of the certificate the Gluu server actually serves. In my case I just exported the certificate using my web browser.

Configure your application SSL Endpoint

In Gluu, the redirect URI configured in the OpenID client must use HTTPS. To do this, add the following configuration to the application.properties file (the embedded Tomcat then listens on port 8443 over TLS only):

server.port: 8443
server.ssl.key-store: keystore.p12
server.ssl.key-store-password: changeit
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat

This configuration refers to a keystore file named "keystore.p12". This keystore lives in the project root and is generated by the following command, which creates a self-signed certificate under the alias "tomcat". When prompted for "first and last name", enter the hostname you registered as the redirect URI so the certificate's CN matches it; being self-signed, browsers will still warn about it during testing:

keytool -genkey -alias tomcat \
 -storetype PKCS12 -keyalg RSA -keysize 2048 \
  -keystore keystore.p12 -validity 3650

Finish application.properties

If you have finished the previous steps, you can now adjust the rest of the application.properties file. Modify the following entries to fit your environment:

gluu.clientId=@!D3DF.A006.0B92.4FFA!0001!AE1E.730C!0008!1823.23DB.D6E7.78AE
gluu.clientSecret=aghYUY@2000
gluu.redirectUri=https://leonardos-macbook-pro.local:8443/login
gluu.accessTokenUri=https://gluu/oxauth/seam/resource/restv1/oxauth/token
gluu.userAuthorizationUri=https://gluu/oxauth/seam/resource/restv1/oxauth/authorize
gluu.userInfoUri=https://gluu/oxauth/seam/resource/restv1/oxauth/userinfo
  • The clientId is generated by Gluu when you save your OpenID client.
  • The clientSecret and redirectUri are the same ones you used previously. Keep the real secret out of version control (for example supply it through an environment variable or a profile-specific properties file that is not committed).
  • The rest of the endpoints are specific to your Gluu environment
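A way to check the gluu.* entries against what the Gluu server actually advertises, as an added example in Python that is not part of this project: it parses the properties, compares the three endpoint URIs with the server's OpenID Connect discovery document (issuer/.well-known/openid-configuration, whose field names are the standard Discovery ones), and applies the constraints stated on this page (https redirect URI with a real hostname, HS256, authorization_code, client_secret_basic). The properties text and discovery document below are constructed samples; fetch_discovery is the live variant and expects the exported gluu.crt as its trust anchor.

```python
"""Check the gluu.* entries of application.properties against the Gluu discovery document."""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed application.properties fragment, same keys as on this page, made-up values.
SAMPLE_PROPERTIES = """
# comment lines and blank lines are ignored
gluu.clientId=@!0000.0000.0000.0000!0001!0000.0000!0008!0000.0000.0000.0000
gluu.clientSecret=example-secret-0123456789abcdef0123456789
gluu.redirectUri=https://app.example.local:8443/login
gluu.accessTokenUri=https://gluu.example.local/oxauth/seam/resource/restv1/oxauth/token
gluu.userAuthorizationUri=https://gluu.example.local/oxauth/seam/resource/restv1/oxauth/authorize
gluu.userInfoUri=https://gluu.example.local/oxauth/seam/resource/restv1/oxauth/userinfo
"""

# Constructed discovery document holding only the fields this check looks at.
SAMPLE_DISCOVERY = {
    "issuer": "https://gluu.example.local",
    "authorization_endpoint": "https://gluu.example.local/oxauth/seam/resource/restv1/oxauth/authorize",
    "token_endpoint": "https://gluu.example.local/oxauth/seam/resource/restv1/oxauth/token",
    "userinfo_endpoint": "https://gluu.example.local/oxauth/seam/resource/restv1/oxauth/userinfo",
    "grant_types_supported": ["authorization_code", "implicit"],
    "id_token_signing_alg_values_supported": ["HS256", "RS256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

# property key -> discovery field it must equal
ENDPOINT_KEYS = {
    "gluu.userAuthorizationUri": "authorization_endpoint",
    "gluu.accessTokenUri": "token_endpoint",
    "gluu.userInfoUri": "userinfo_endpoint",
}


def parse_properties(text):
    """Minimal .properties reader: key=value or key: value, '#'/'!' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            continue
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def fetch_discovery(issuer, cafile=None):
    """Live variant: GET the discovery document, trusting only cafile (the exported
    gluu.crt) instead of whatever the process-wide default trust store contains."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, context=ctx) as resp:
        return json.load(resp)


def check_config(props, discovery):
    """Return a list of problems; an empty list means the properties match the server."""
    problems = []
    for key, field in ENDPOINT_KEYS.items():
        if props.get(key) != discovery.get(field):
            problems.append(f"{key}={props.get(key)!r} but server advertises "
                            f"{field}={discovery.get(field)!r}")
    redirect = urlparse(props.get("gluu.redirectUri", ""))
    if redirect.scheme != "https":
        problems.append("gluu.redirectUri must be https: Gluu rejects plain-http redirect URIs")
    if redirect.hostname in (None, "localhost", "127.0.0.1") or \
            redirect.hostname.replace(".", "").isdigit():
        problems.append("gluu.redirectUri must use a resolvable hostname, not localhost or an IP")
    if "HS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("server does not offer HS256 for ID tokens")
    if "authorization_code" not in discovery.get("grant_types_supported", []):
        problems.append("server does not offer the authorization_code grant")
    if "client_secret_basic" not in discovery.get("token_endpoint_auth_methods_supported", []):
        problems.append("server does not accept client_secret_basic at the token endpoint")
    if len(props.get("gluu.clientSecret", "")) < 32:
        problems.append("gluu.clientSecret is short; with HS256 it is also the ID token signing key")
    return problems


if __name__ == "__main__":
    # Offline run against the constructed samples; for a real server use
    # fetch_discovery("https://gluu", cafile="gluu.crt") in place of SAMPLE_DISCOVERY.
    for problem in check_config(parse_properties(SAMPLE_PROPERTIES), SAMPLE_DISCOVERY):
        print("PROBLEM:", problem)
```

Running this before starting the application catches the two mistakes that otherwise only show up as an opaque redirect error from Gluu: a redirect URI that does not match what was registered, and endpoint paths copied from a different Gluu version.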

Compile the application

mvn clean compile

Run the Project

mvn spring-boot:run

To run with a specific profile (one process per profile; -Drun.arguments is the spring-boot-maven-plugin 1.x syntax, plugin 2.x uses -Dspring-boot.run.arguments instead)

mvn spring-boot:run -Drun.arguments="--spring.profiles.active=test2"
mvn spring-boot:run -Drun.arguments="--spring.profiles.active=test1"

About

Simple project to test Gluu openid support with Spring Security

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published