Logo

dev-resources.site

for different kinds of informations.

Writing Java library to build OAuth 2.0 Authorization Server / OpenID Connect Identity Provider

Published at
12/22/2022
Categories
oauth2
openidconnect
oidc
java
Author
inabajunmr
Categories
4 categories in total
oauth2
open
openidconnect
open
oidc
open
java
open
Author
10 person written this
inabajunmr
open
Writing Java library to build OAuth 2.0 Authorization Server / OpenID Connect Identity Provider

AzIdP4J

I'm writing AzIdP4J that the library to build Authorization Server and Identity Provider in Java.
The article talk about what I think while developing.

inabajunmr/azidp4j: Library for Java OAuth 2.0 Authorization Server & OpenID Connect Identity Provider

The library works as the following example.

// Convert HTTP Request query parameters to Map
var authorizationRequestQueryParameterMap =
        Map.of(
                "scope", "openid item:read",
                "response_type", "code",
                "client_id", "xyz-client",
                "redirect_uri", "https://client.example.com/callback",
                "state", "abc",
                "nonce", "xyz");
var authorizationRequest =
        new AuthorizationRequest(
                "inabajun", // authenticated user subject. Application needs to implements user authentication. If no user is authenticated, specify null.
                Instant.now().getEpochSecond(),
                Set.of("openid", "item:read"), // User consented scopes. Application needs to implements user consent.
                authorizationRequestQueryParameterMap);

// Authorization Request
var response = azIdP.authorize(authzReq);

// Library returns what should do next so implements application's behavior.
switch (response.next) {
    case redirect -> {
        // Redirect to response.redirect.redirectTo
    }
    case additionalPage -> {
        // Implements additional process like login or consent or...
    }
    case errorPage -> {
        // Error happend but can't redirect to redirct_uri
    }
}
Enter fullscreen mode Exit fullscreen mode

When you want Authorization server / Identity provider

When we want Authorization server / Identity provider, we can select the following patterns.

  • Develop them by yourself
  • Develop them with libraries
  • Use a service that works as an Authorization server / Identity provider in conjunction with your application
  • Using standalone Authorization server / Identity provider

In the case of scratch development, we need to write many sources. We need to understand the specifications. We need to continue learning about new specifications and trends...

I often feel to develop user experiences myself but delegating processes about protocols like OAuth 2.0 / OIDC to a library. So I'm developing the library to build OAuth 2.0 Authorization Server / OIDC Identity Provider in Java. (Because Spring Security OAuth was EOL already.)

Policies

I think the most important thing about libraries is the interface.
I decided on the following policies to consider interfaces.

  • Don't depend on a specific framework
  • Easy to issue Access token / ID token
  • Applications can implement user experiences by themselves
  • No datastore implementations

Don't depend on a specific framework

OAuth 2.0 / OpenID Connect depends on HTTP as a specification. So if a library can be used without any additional implementations, the library needs to accept HTTP requests directly.

But there are many Java web application frameworks and I want to implement a library that can be used for any framework.

So AzIdP4J has more abstract interfaces than accepting HTTP requests directly.

For example, token request / token response is expressed as following examples.

Spring based example implementation is like this.

@PostMapping(value = "token", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
public ResponseEntity<Map> tokenEndpoint(@RequestParam MultiValueMap<String, Object> body) {

    // client authentication by the application...
    // convert HTTP request query parameters to Map
    var request = new TokenRequest(authenticatedClientId, body.toSingleValueMap();
    // Token Request
    var response =
            azIdP.issueToken(request);

    // convert AzIdP4J resposne to HTTP response
    return ResponseEntity.status(response.status).body(response.body);
}
Enter fullscreen mode Exit fullscreen mode

On the other hand, AzIdP4J doesn't support functions within the protocol that be highly dependent on the framework. For example, I think many frameworks have functions to authenticate a client and authorize by bearer token so AzIdP4J doesn't support them.

Easy to issue Access token / ID token

I decided to make it easy to implement issuing each token by Authorization Code Flow. If supporting many functions makes interfaces complicated, AzIdP4J doesn't support them.

For example, if AzIdP4J supports the UserInfo endpoint, AzIdP4J needs to know Users but it makes interfaces complicated so I don't support it yet.

Applications can implement user experiences by themselves

Behavior after authorization request doesn't close in protocols. When the authorization request has prompt=login, the application needs to show a login page but how to provide authentication user experiences are out of the scope of these specifications. The application needs to provide the application-specific authentication flow. AzIdP4J wants not to affect user experiences like user authentication, consent, etc...

So AzIdP4J provides the following interface.

// authzReq has authenticated user subject but can expresses not authenticated.
var response = azIdP.authorize(authzReq);
// Library returns what should do next so implements application's behavior.
switch (response.next) {
    case redirect -> {
        // Redirect to response.redirect.redirectTo
    }
    case additionalPage -> {
        // Implements additional process like login or consent or...
    }
    case errorPage -> {
        // Error happend but can't redirect to redirct_uri
    }
Enter fullscreen mode Exit fullscreen mode

Authorization Request Document

No datastore implementations

I like ory/fosite interfaces so AzIdP4J imitates them. AzIdP4J needs to manage tokens so it provides only interfaces and an Application needs to implement them.

Things not to support

When I implement protocols, I become to wish to implement any specifications but I decided on things that don't support to control my motivation.

I decided first milestones.

  • Make AzIdP4J work at least
  • Writing documents with concrete examples

For the milestone, I removed the following things at the first milestone.

  • Doesn't support all of the core specification
    • For example, Request Object
    • Doesn't support specifications that I don't understand concrete demands.

It's difficult what specifications should be supported.

Make AzIdP4J work at least

First of all, I implemented accepting authorization requests and issuing access tokens and ID tokens via the token endpoint. I often test OICD Conformance Test against my implementation while implementing. This made progress visible so It was good to continue my motivation. The conformance test revealed some specifications that I can't understand correctly also.

Writing documents with concrete examples

I understood some of the specifications through conformance tests, writing sources and so one. But I can't understand whether the library's interfaces are good or bad. I want feedback about the library so I wrote documents with concrete examples. I'll be glad if you provide feedback.

AzIdP4J Documentation

Development process

For continuous checking of the policy "Don't depend on a specific framework", I implemented 2 types of sample identity frameworks.

The approach helped my decision on interfaces. For example, when I considered whether the application with the library can implement client authentication or not, multiple implementations help my consideration.

The library development with client implementations is better than just with test cases. Cases that I can't discover from the latter sometimes appeared.

Conclusion

I'm writing AzIdP4J that the library to build Authorization Server and Identity Provider in Java.
The article talked about what I thought while developing.

inabajunmr/azidp4j: Library for Java OAuth 2.0 Authorization Server & OpenID Connect Identity Provider

The library works as the following example.

// convert HTTP Request query parameters to Map
var authorizationRequestQueryParameterMap =
        Map.of(
                "scope", "openid item:read",
                "response_type", "code",
                "client_id", "xyz-client",
                "redirect_uri", "https://client.example.com/callback",
                "state", "abc",
                "nonce", "xyz");
var authorizationRequest =
        new AuthorizationRequest(
                "inabajun", // authenticated user subject. Application needs to implements user authentication. If no user is authenticated, specify null.
                Instant.now().getEpochSecond(),
                Set.of("openid", "item:read"), // User consented scopes. Application needs to implements user consent.
                authorizationRequestQueryParameterMap);
var response = azIdP.authorize(authzReq);
// Library returns what should do next so implements application's behavior.
switch (response.next) {
    case redirect -> {
        // Redirect to response.redirect.redirectTo
    }
    case additionalPage -> {
        // Implements additional process like login or consent or...
    }
    case errorPage -> {
        // Error happend but can't redirect to redirct_uri
    }
}
Enter fullscreen mode Exit fullscreen mode

I hope your feedbacks. Thank you.

oidc Article's
30 articles in total
Favicon
Defending OAuth2: Advanced Tactics to Block Replay Attacks
Favicon
Understanding the Differences Between OAuth2 and OpenID Connect (OIDC)
Favicon
Demystifying Social Logins: How OAuth2 Powers Seamless Authentication
Favicon
OAuth2 vs. OpenID Connect: Understanding the Differences
Favicon
GitHub Action security hardening with OpenID (OIDC) Connect - "Password-Less"
Favicon
OIDC vs SAML: A Comprehensive Technical Comparison
Favicon
OIDC Prompt 101: A simple guide for developers
Favicon
How to create a WeCom App to enable WeCom Login for the Web app
Favicon
No More Passwords! OIDC Terraform Module Makes GCP-GitHub Authentication a Breeze
Favicon
Learn OIDC - Part 2 - JWT
Favicon
Oidc node mongodb adapter in normal functions
Favicon
Learn OIDC - Part 1 - JWS
Favicon
OpenVPN + SSO via OAUTH2
Favicon
Kubernetes Cluster as an OpenID Connect Identity Provider
Favicon
How To Configure Audience In Keycloak
Favicon
Single Sign-On (SSO) with Zoho in Vue3
Favicon
Demystifying OpenID Connect (OIDC) - The Key to Secure and Seamless Authentication
Favicon
Adding single sign-on to a Next.js app using OIDC
Favicon
Implementing OpenID Connect (OIDC) Authentication with Nuxt 3
Favicon
Connect GitHub Actions to Azure using OpenID Connect
Favicon
OpenID Connect authentication with Apache Kafka 3.1
Favicon
Writing Java library to build OAuth 2.0 Authorization Server / OpenID Connect Identity Provider
Favicon
SSO Building blocks - SAML, OAuth 2.0 and OpenID Connect
Favicon
ASP.NET: AutenticaciΓ³n OIDC Multi Tenant - Parte 2
Favicon
Keycloak 19.0.1 and Setting the id_token_hint
Favicon
OIDC Forever, IAM Credentials Never!
Favicon
Fortifying federated access to AWS via OIDC
Favicon
Understanding OAuth and OIDC: Introduction
Favicon
OAuth 2.0 and OpenID Connect Explained: Building Secure Authentication Systems
Favicon
Securely authenticate to Google Cloud from GitHub

Featured ones: