Using Multiple OpenID Connect Providers

This section builds on the example in "Using AM As a Single OpenID Connect Provider" to show how to use OpenID Connect with two identity providers.

Both client registrations are declared in the route's heap: one for AM, and a second that defines Google as an alternative identity provider. A Nascar page (a login page that lists the available providers) lets the user choose which identity provider to authenticate with.

Set Up Multiple OpenID Connect Providers
  1. Set up AM as the first OpenID Connect provider, as described in "Using AM As a Single OpenID Connect Provider".

  2. Set up Google as the second OpenID Connect identity provider, as follows:

    1. Go to https://console.cloud.google.com/apis/credentials.

    2. Create credentials for an OAuth 2.0 client ID with the following options:

      • Application type: Web application

      • Authorized redirect URI: http://openig.example.com:8080/home/id_token/callback (the OAuth2ClientFilter's clientEndpoint, /home/id_token, followed by /callback; the value registered with Google must match this exactly)

    3. Make a note of the client ID and client secret that Google generates for the identity provider.

Set Up IG for Multiple OpenID Connect Providers
  1. Add the following route to IG, to proxy requests for the sample application's .css and other static resources under /css:

    $HOME/.openig/config/routes/static-resources.json
    %appdata%\OpenIG\config\routes\static-resources.json
    {
      "name" : "sampleapp_resources",
      "baseURI" : "http://app.example.com:8081",
      "condition": "${matches(request.uri.path,'^/css')}",
      "handler": "ReverseProxyHandler"
    }
  2. Add the following route to IG:

    $HOME/.openig/config/routes/07-openid-nascar.json
    %appdata%\OpenIG\config\routes\07-openid-nascar.json
    {
      "heap": [
        {
          "name": "SystemAndEnvSecretStore-1",
          "type": "SystemAndEnvSecretStore"
        },
        {
          "name": "openam",
          "type": "ClientRegistration",
          "config": {
            "clientId": "oidc_client",
            "clientSecretId": "oidc.secret.id",
            "issuer": {
              "name": "Issuer",
              "type": "Issuer",
              "config": {
                "wellKnownEndpoint": "http://openam.example.com:8088/openam/oauth2/.well-known/openid-configuration"
              }
            },
            "scopes": [
              "openid",
              "profile",
              "email"
            ],
            "secretsProvider": "SystemAndEnvSecretStore-1",
            "tokenEndpointAuthMethod": "client_secret_basic"
          }
        },
        {
          "name": "google",
          "type": "ClientRegistration",
          "config": {
            "clientId": "googleClientId",
            "clientSecretId": "google.secret.id",
            "issuer": {
              "name": "accounts.google.com",
              "type": "Issuer",
              "config": {
                "wellKnownEndpoint": "https://accounts.google.com/.well-known/openid-configuration"
              }
            },
            "scopes": [
              "openid",
              "profile"
            ],
            "secretsProvider": "SystemAndEnvSecretStore-1"
          }
        },
        {
          "name": "NascarPage",
          "type": "StaticResponseHandler",
          "config": {
            "status": 200,
            "headers": {
              "Content-Type": [ "text/html" ]
            },
            "entity": "<html><body><p><a href='/home/id_token/login?registration=oidc_client&issuer=Issuer&goto=${urlEncodeQueryParameterNameOrValue('http://openig.example.com:8080/home/id_token')}'>AM Login</a></p><p><a href='/home/id_token/login?registration=googleClientId&issuer=accounts.google.com&goto=${urlEncodeQueryParameterNameOrValue('http://openig.example.com:8080/home/id_token')}'>Google Login</a></p></body></html>"
          }
        }
      ],
      "name": "07-openid-nascar",
      "baseURI": "http://app.example.com:8081",
      "condition": "${matches(request.uri.path, '^/home/id_token')}",
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "type": "OAuth2ClientFilter",
              "config": {
                "clientEndpoint": "/home/id_token",
                "failureHandler": {
                  "type": "StaticResponseHandler",
                  "config": {
                    "comment": "Trivial failure handler for debugging only",
                    "status": 500,
                    "reason": "Error",
                    "headers": {
                      "Content-Type": [ "text/plain" ]
                    },
                    "entity": "${attributes.openid}"
                  }
                },
                "loginHandler": "NascarPage",
                "registrations": [ "openam", "google" ],
                "requireHttps": false,
                "cacheExpiration": "disabled"
              }
            }
          ],
          "handler": "ReverseProxyHandler"
        }
      }
    }

    Note the differences from 07-openid.json:

    • The heap objects openam and google define two client registrations, one per identity provider, that IG uses to authenticate to that provider.

    • The heap object NascarPage is a StaticResponseHandler that serves an HTML page with one login link per client registration. Each link calls the filter's login endpoint (/home/id_token/login) with the registration's clientId in the registration parameter, the name of its Issuer in the issuer parameter, and a URL-encoded goto parameter giving the page to return to after login.

    • The OAuth2ClientFilter lists both registrations in registrations, and uses a loginHandler that refers to NascarPage, so that an unauthenticated user is shown the choice of client registration.

    The route is configured for testing only: requireHttps is false, so the login and callback endpoints are reachable over plain HTTP, and the failureHandler writes the contents of attributes.openid to the response in plain text. Neither setting should be carried into a production route.

  3. In the route, replace both occurrences of googleClientId (the clientId of the google registration, and the registration parameter of the Google Login link in NascarPage) with the client ID you noted in "Set Up Multiple OpenID Connect Providers".

  4. Set environment variables for the identity providers' client secrets:

    1. Set an environment variable for the client secret of the AM client, oidc_client (cGFzc3dvcmQ= is the base64 encoding of "password"):

      $ export OIDC.SECRET.ID='cGFzc3dvcmQ='

    2. Set an environment variable for the client secret of the Google identity provider, using the client secret you noted in "Set Up Multiple OpenID Connect Providers":

      $ export GOOGLE.SECRET.ID='base64-encoded-google-client-password'

    The secrets are resolved by SystemAndEnvSecretStore-1, the SystemAndEnvSecretStore declared in the route's heap, using the clientSecretId of each ClientRegistration (oidc.secret.id and google.secret.id) as the lookup key, and the values must be base64-encoded. Encode the secret without a trailing newline (echo appends one; use printf '%s', or decode the value and compare it with the original), otherwise the provider's token endpoint rejects the client credential.

    Note that bash's export rejects a variable name that contains dots ("not a valid identifier"). If your shell does, either pass the variable to the IG process with env (for example, env 'OIDC.SECRET.ID=cGFzc3dvcmQ=' followed by the command that starts IG), or set the secret as a JVM system property with the same name, which SystemAndEnvSecretStore also reads. Check the SystemAndEnvSecretStore reference for your IG version: later versions map a secret ID to an environment variable name by upper-casing it and replacing dots with underscores, so that oidc.secret.id is read from OIDC_SECRET_ID.
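The secret handling in step 4 has two practical pitfalls that the export commands do not show: echo appends a newline that then gets base64-encoded along with the secret, and bash's export rejects a variable name containing dots. The following POSIX shell script is an added example, not part of the IG documentation or the IG project. It assumes coreutils base64, env and printenv are available, and its env_name_for_secret_id function implements the secret-ID-to-variable-name mapping (upper case, dots to underscores) that later IG versions document, which you should confirm against the SystemAndEnvSecretStore reference for the version in use.

```shell
#!/bin/sh
# Added example, not from the IG documentation or the IG project.
# Helpers for preparing client secrets for SystemAndEnvSecretStore.
# Assumes: POSIX sh, coreutils base64, env and printenv.

# Base64-encode a secret exactly as typed. Using `echo "$1" | base64` would
# also encode the newline that echo appends: "password" becomes cGFzc3dvcmQK
# instead of cGFzc3dvcmQ=, and the provider's token endpoint rejects it.
b64_secret() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode an encoded value and compare it byte-for-byte with the secret,
# including any trailing newline (the "x" sentinel keeps $(...) from
# stripping it). Returns 0 when the value decodes to exactly the secret.
b64_roundtrip_ok() {
  decoded=$(printf '%s' "$2" | base64 -d 2>/dev/null; printf x)
  decoded=${decoded%x}
  [ "$decoded" = "$1" ]
}

# True when NAME is a valid POSIX shell variable name, which is what
# `export NAME=value` needs. A dotted name such as OIDC.SECRET.ID fails
# this check, and bash reports "not a valid identifier" for it.
is_shell_identifier() {
  case "$1" in
    ""|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# Assumed mapping from a secret ID to an environment variable name
# (upper case, dots to underscores), as documented for later IG versions:
# oidc.secret.id -> OIDC_SECRET_ID. Verify against the
# SystemAndEnvSecretStore reference for the IG version in use.
env_name_for_secret_id() {
  printf '%s' "$1" | tr 'a-z.' 'A-Z_'
}

# Where the store reads the dotted name literally, `export` cannot set it,
# but `env` can place any NAME=value pair in a child's environment without
# the shell validating the name. Here the child is printenv, which prints
# the value it sees; in practice the child is the command that starts IG.
run_with_dotted_var() {
  env "$1=$2" printenv "$1"
}

# Usage: encode the AM client password from this tutorial and print both
# ways of supplying it to IG.
am_secret=$(b64_secret password)   # cGFzc3dvcmQ=
printf 'export %s=%s\n' "$(env_name_for_secret_id oidc.secret.id)" "$am_secret"
printf "env 'OIDC.SECRET.ID=%s' <command that starts IG>\n" "$am_secret"
```

Run b64_roundtrip_ok on a value you are about to paste into a route or an environment variable: it distinguishes cGFzc3dvcmQ= from cGFzc3dvcmQK, which look alike but decode to different byte strings.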

Test the Setup
  1. Log out of AM.

  2. Go to http://openig.example.com:8080/home/id_token.

    The Nascar page offers the choice of identity provider.

  3. Select a provider, log in with your credentials, and then allow the application to access user information.

    For AM, use the following credentials: username george, password C0stanza. For the Google identity provider, use the Google credentials.

    The home page of the sample application is displayed.
