Identity Cloud as an OpenID Connect provider
This example sets up ForgeRock Identity Cloud as an OpenID Connect identity provider, and Identity Gateway as a relying party.
For more information about Identity Gateway and OpenID Connect, refer to OpenID Connect.
Before you start, prepare Identity Cloud, IG, and the sample application as described in Example installation for this guide.
-
Set up Identity Cloud:
-
Log in to the Identity Cloud admin UI as an administrator.
-
Make sure you are managing the
alpharealm. If not, click the current realm at the top of the screen, and switch realm. -
Go to group Identities > Manage > settings_system_daydream Alpha realm - Users, and add a user with the following values:
-
Username:
demo -
First name:
demo -
Last name:
user -
Email Address:
demo@example.com -
Password:
Ch4ng3!t
-
-
Go to Applications > Custom Application > OIDC - OpenId Connect > Web and add a web application with the following values:
-
Name:
oidc_client -
Owners:
demo user -
Client Secret:
password -
Sign On > Sign-in URLs:
https://ig.example.com:8443/home/id_token/callback -
Sign On > Grant Types:
Authorization Code -
Sign On > Scopes:
openid,profile,email -
Show advanced settings > Authentication > Implied Consent:
On
-
For more information, refer to Identity Cloud’s Application management.
-
-
Set up Identity Gateway:
-
Set an environment variable for the
oidc_clientpassword, and then restart IG:$ export OIDC_SECRET_ID='cGFzc3dvcmQ='
-
Add the following route to IG to serve the sample application .css and other static resources:
$HOME/.openig/config/routes/00-static-resources.json
appdata\OpenIG\config\routes\00-static-resources.json
{ "name" : "00-static-resources", "baseURI" : "http://app.example.com:8081", "condition": "${find(request.uri.path,'^/css') or matchesWithRegex(request.uri.path, '^/.*\\\\.ico$') or matchesWithRegex(request.uri.path, '^/.*\\\\.gif$')}", "handler": "ReverseProxyHandler" } -
Add the following route to Identity Gateway, replacing the value for the property
amInstanceUrl:{ "name": "oidc-idc", "baseURI": "http://app.example.com:8081", "condition": "${find(request.uri.path, '^/home/id_token')}", "properties": { "amInstanceUrl": "https://myTenant.forgeblocks.com/am" }, "heap": [ { "name": "SystemAndEnvSecretStore-1", "type": "SystemAndEnvSecretStore" }, { "name": "AuthenticatedRegistrationHandler-1", "type": "Chain", "config": { "filters": [ { "name": "ClientSecretBasicAuthenticationFilter-1", "type": "ClientSecretBasicAuthenticationFilter", "config": { "clientId": "oidc_client", "clientSecretId": "oidc.secret.id", "secretsProvider": "SystemAndEnvSecretStore-1" } } ], "handler": "ForgeRockClientHandler" } } ], "handler": { "type": "Chain", "config": { "filters": [ { "name": "AuthorizationCodeOAuth2ClientFilter-1", "type": "AuthorizationCodeOAuth2ClientFilter", "config": { "clientEndpoint": "/home/id_token", "failureHandler": { "type": "StaticResponseHandler", "config": { "status": 500, "headers": { "Content-Type": [ "text/plain" ] }, "entity": "Error in OAuth 2.0 setup." } }, "registrations": [ { "name": "oauth2-client", "type": "ClientRegistration", "config": { "clientId": "oidc_client", "issuer": { "name": "Issuer", "type": "Issuer", "config": { "wellKnownEndpoint": "&{amInstanceUrl}/oauth2/realms/alpha/.well-known/openid-configuration" } }, "scopes": [ "openid", "profile", "email" ], "authenticatedRegistrationHandler": "AuthenticatedRegistrationHandler-1" } } ], "requireHttps": false, "cacheExpiration": "disabled" } } ], "handler": "ReverseProxyHandler" } } }Compared to
07-openid.jsonin AM as a single OpenID Connect provider, where Access Management is running locally, the ClientRegistrationwellKnownEndpointpoints to Identity Cloud.
-
-
Test the setup:
-
In your browser’s privacy or incognito mode, go to https://ig.example.com:8443/home/id_token.
The Identity Cloud login page is displayed.
-
Log in to Identity Cloud as user
demo, passwordCh4ng3!t. The home page of the sample application is displayed.
-