OAuth Authentication

Open Source Identity Management Patterns and Practices Using OpenAM 10.x
by Waylon Kenning | September 2013 | Open Source Oracle

Open Source Identity Management Patterns and Practices Using OpenAM 10.x shows how authentication and authorization can be managed using OpenAM, guiding you through the process of installing and configuring the application in a series of prototypes. Key concepts and technologies are covered, giving you a broad knowledge of the different areas of Identity Management, as well as specific examples of using Identity Management technologies such as OAuth and OATH.

This article by Waylon Kenning, the author of Open Source Identity Management Patterns and Practices Using OpenAM 10.x, explains how to:

  • Use Facebook as an OAuth provider
  • Configure an OAuth module


Understanding OAuth

OAuth has the concept of Providers and Clients. An OAuth Provider is like a SAML Identity Provider, and is the place where the user enters their authentication credentials. Typical OAuth Providers include Facebook and Google.

OAuth Clients are applications that want to protect resources, much like a SAML Service Provider. If you have ever been to a site that asked you to log in using your Twitter or LinkedIn credentials, then odds are that site was using OAuth.

The advantage of OAuth is that a user’s authentication credentials (username and password, for instance) are never passed to the OAuth Client; the Client only receives a range of tokens that it requested from the Provider and which the user has authorized.

OpenAM can act as both an OAuth Provider and an OAuth Client. This chapter will focus on using OpenAM as an OAuth Client and using Facebook as an OAuth Provider.
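To make the Provider/Client split concrete, here is an added example (not code from the book or from OpenAM) that plays the authorization-code flow end to end against an in-process stand-in for the Provider. The client id, secret, endpoint and redirect URL are constructed placeholders, and the Provider is simulated rather than Facebook. The point it demonstrates is the one the paragraph makes: the password is checked only at the Provider, the Client handles nothing but a one-time code and the token it buys with that code, and the Provider refuses to redirect to a URL that was not registered for the app (which is why the Site URL has to be added on the Facebook side).

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: a hypothetical provider and an OpenAM-style client.
REGISTERED_REDIRECT = "http://openam.example.test:8080/openam/oauth2c/OAuthProxy.jsp"
CLIENT_ID = "123456789"           # stands in for the Facebook App ID
CLIENT_SECRET = "app-secret-xyz"  # stands in for the Facebook App Secret
AUTHORIZE_ENDPOINT = "https://provider.example.test/dialog/oauth"


class SimulatedProvider:
    """In-process stand-in for the OAuth Provider. It alone holds the user's
    password; the client below never sees it, only codes and tokens."""

    def __init__(self):
        self.apps = {CLIENT_ID: {"secret": CLIENT_SECRET,
                                 "redirect_uris": {REGISTERED_REDIRECT}}}
        self.users = {"alice": "correct horse battery staple"}  # constructed test user
        self.codes = {}   # one-time code -> (client_id, redirect_uri, user, scope)
        self.tokens = {}  # access token -> (user, scope)

    def authorize(self, authorize_url, username, password):
        """Front channel: user logs in at the provider, which then redirects
        back to the registered redirect_uri carrying a single-use code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
        app = self.apps.get(q.get("client_id"))
        # The provider only redirects to URLs registered for this app.
        if app is None or q.get("redirect_uri") not in app["redirect_uris"]:
            raise ValueError("redirect_uri not registered for this client")
        if self.users.get(username) != password:
            raise PermissionError("bad credentials at provider")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], username, q.get("scope", ""))
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: code + client secret -> access token. The code is
        consumed on first use and must match the client and redirect it was issued for."""
        entry = self.codes.pop(code, None)
        app = self.apps.get(client_id)
        if app is None or not hmac.compare_digest(app["secret"], client_secret):
            raise PermissionError("bad client credentials")
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("code does not match client or redirect_uri")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (entry[2], entry[3])
        return {"access_token": tok, "token_type": "bearer", "scope": entry[3]}


class OAuthClient:
    """The role OpenAM plays in the article: it never touches the password."""

    def __init__(self, provider, scope="email read_stream"):
        self.provider = provider
        self.scope = scope
        self.pending_states = set()

    def start_login(self):
        # 'state' ties the eventual callback to a login this client actually started.
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        params = {"client_id": CLIENT_ID, "redirect_uri": REGISTERED_REDIRECT,
                  "response_type": "code", "scope": self.scope, "state": state}
        return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, callback_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        if q.get("state") not in self.pending_states:
            raise PermissionError("unknown state: callback not started by this client")
        self.pending_states.discard(q["state"])
        return self.provider.token(CLIENT_ID, CLIENT_SECRET, q["code"], REGISTERED_REDIRECT)


def demo_login(username="alice", password="correct horse battery staple"):
    """Run one complete login and return the token response the client ends up with."""
    provider = SimulatedProvider()
    client = OAuthClient(provider)
    redirect = provider.authorize(client.start_login(), username, password)
    return client.handle_callback(redirect)
```

Calling `demo_login()` returns a bearer token scoped to `email read_stream`, the two default scopes the module configuration below uses; a wrong password fails inside the provider before the client ever sees a code, and a callback presented to a client that did not start the login is rejected on the `state` check.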

Preparing Facebook as an OAuth Provider

Head to https://developers.facebook.com/apps/ and create a Facebook App. Once this is created, your Facebook App will have an App ID and an App Secret. We’ll use these later on when configuring OpenAM.

Facebook won’t redirect to a URL (such as our OpenAM installation) unless that URL has been registered with the App. The steps for preparing Facebook as an OAuth provider are as follows:

  1. Under the settings for the App in the section Website with Facebook Login we need to add a Site URL. This is a special OpenAM OAuth Proxy URL, which for me was http://openam.kenning.co.nz:8080/openam/oauth2c/OAuthProxy.jsp as shown in the following screenshot:

  2. Click on the Save Changes button on Facebook.

    My OpenAM installation for this chapter was directly available on the Internet just in case Facebook checked for a valid URL destination.

Configuring an OAuth authentication module

OpenAM has the concept of authentication modules, each of which supports a different way of authenticating: OAuth, OpenAM’s own Data Store, LDAP, a Web Service, and so on. We need to create a new Module Instance for our Facebook OAuth Client.

  1. Log in to OpenAM console. Click on the Access Control tab, and click on the link to the realm / (Top Level Realm).
  2. Click on the Authentication tab and scroll down to the Module Instances section. Click on the New button.
  3. Enter a name for the New Module Instance and select OAuth 2.0 as the Type and click on the OK button. I used the name Facebook. You will then see a screen as shown:

  4. For Client Id, use the App ID value provided from Facebook. For the Client Secret use the App Secret value provided from Facebook as shown in the preceding screenshot.
  5. Since we’re using Facebook as our OAuth Provider, we can leave the Authentication Endpoint URL, Access Token Endpoint URL, and User Profile Service URL values as their default values.
  6. Scope defines the permissions we’re requesting from the OAuth Provider on behalf of the user. These values will be provided by the OAuth Provider, but we’ll use the default values of email and read_stream as shown in the preceding screenshot.
  7. Proxy URL is the URL we copied to Facebook as the Site URL. This needs to be replaced with your OpenAM installation value.

  8. The Account Mapper Configuration allows you to map values from your OAuth Provider to values that OpenAM recognizes. For instance, Facebook calls emails email while OpenAM references values from the directory it is connected to, such as mail in the case of the embedded LDAP server. This goes the same for the Attribute Mapper Configuration. We’ll leave all these sections as their defaults as shown in the preceding screenshot.

  9. OpenAM allows attributes passed from the OAuth Provider to be saved to the OpenAM session. We’ll make sure this option is Enabled as shown in the preceding screenshot.
  10. When a user authenticates against an OAuth Provider, they are likely to not already have an account with OpenAM. If they do not have a valid OpenAM account then they will not be allowed access to resources protected by OpenAM. We should make sure that the option to Create account if it does not exist is Enabled as shown in the preceding screenshot.

    Forcing authentication against particular authentication modules

    In the writing of this book I disabled the Create account if it does not exist option while I was testing. Then when I tried to log into OpenAM I was redirected to Facebook, which then passed my credentials to OpenAM. Since there was no valid OpenAM account that matched my Facebook credentials I could not log in. For your own testing, it would be recommended to use http://openam.kenning.co.nz:8080/openam/UI/Login?module=Facebook rather than changing your authentication chain.

    Thankfully, you can force a login using a particular authentication module by adjusting the login URL. By using http://openam.kenning.co.nz:8080/openam/UI/Login?module=DataStore, I was able to use the Data Store rather than OAuth authentication module, and log in successfully.

  11. For our newly created accounts we can choose to prompt the user to create a password and enter an activation code. For our prototype we’ll leave this option as Disabled.

    The flip side to Single Sign On is Single Log Out. Your OAuth Provider should provide a logout URL which we could possibly call to log out a user when they log out of OpenAM. The options we have when a user logs out of OpenAM are to not log them out of the OAuth Provider, to log them out of the OAuth Provider, or to ask the user.

    If we had set earlier that we wanted to enforce password and activation token policies, then we would need to enter details of an SMTP server, which would be used to email the activation token to the user. For the purposes of our prototype we’ll leave all these options blank.

  12. Click on the Save button.
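Steps 8 to 10 above (the Account Mapper, the Attribute Mapper, saving attributes to the session, and Create account if it does not exist) are where most first-time OAuth logins succeed or fail, so here is an added example of that logic. It is not OpenAM’s code: the directory is a toy in-memory list, the profile is a constructed stand-in for what a provider returns, and the two mapping tables are hypothetical versions of the mapper configuration, with the one mapping the text gives (`email` on the Facebook side to `mail` in the embedded LDAP server). It also reproduces the failure mode described in the sidebar: with account creation disabled and no matching account, the login is refused.

```python
# Constructed profile, shaped like a provider's user-profile response (not real data).
FACEBOOK_PROFILE = {
    "id": "10001",
    "name": "Alice Example",
    "email": "alice@example.test",
}

# Hypothetical mapper configuration: provider attribute -> directory attribute.
# The Account Mapper decides which attribute is used to find an existing account.
ACCOUNT_MAPPER = {"email": "mail"}
# The Attribute Mapper decides which provider attributes are copied onto the
# created account and (if enabled) into the OpenAM session.
ATTRIBUTE_MAPPER = {"email": "mail", "name": "cn", "id": "facebookId"}


class ToyDirectory:
    """Stand-in for the data store OpenAM is connected to (a list of dict entries)."""

    def __init__(self, entries=()):
        self.entries = [dict(e) for e in entries]

    def find(self, attr, value):
        return next((e for e in self.entries if e.get(attr) == value), None)

    def create(self, entry):
        self.entries.append(entry)
        return entry


def map_attributes(profile, mapping):
    """Translate provider attribute names to local ones, skipping attributes the provider
    did not return (a user may deny the 'email' scope, for example)."""
    return {local: profile[remote] for remote, local in mapping.items() if remote in profile}


def oauth_login(profile, directory, create_if_missing, save_attrs_in_session=True):
    """Decide the outcome of an OAuth login once the provider profile is in hand.
    Returns a dict with 'allowed' and, on success, the principal and session attributes."""
    lookup = map_attributes(profile, ACCOUNT_MAPPER)
    if not lookup:
        return {"allowed": False, "reason": "profile lacks the account-mapper attribute"}
    attr, value = next(iter(lookup.items()))
    account = directory.find(attr, value)
    if account is None:
        if not create_if_missing:
            # The situation from the sidebar: valid Facebook login, no OpenAM account.
            return {"allowed": False, "reason": "no matching account and creation disabled"}
        account = directory.create({"uid": value, **map_attributes(profile, ATTRIBUTE_MAPPER)})
    result = {"allowed": True, "principal": account["uid"]}
    if save_attrs_in_session:
        result["session_attributes"] = map_attributes(profile, ATTRIBUTE_MAPPER)
    return result
```

Run `oauth_login(FACEBOOK_PROFILE, ToyDirectory(), create_if_missing=False)` to see the refusal, then the same call with `create_if_missing=True` to see the account get created with `mail`, `cn` and `facebookId` populated; a pre-existing entry whose `mail` matches is found without creating anything, which is the normal path for returning users.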

Summary

This article served as a quick primer on what OAuth is and how to achieve it with OpenAM. It covered the concept of using Facebook as an OAuth provider and configuring an OAuth module. It focused on using OpenAM as an OAuth Client and using Facebook as an OAuth Provider. This would really help when we might want to allow authentication against Facebook or Google.

About the Author


Waylon Kenning

Waylon Kenning is an Enterprise and Solutions Architect for a large Australasian utility company with an interest in Identity Management. He currently evaluates technologies and their applicability within large corporate organizations.

He has worked on one of the largest identity management projects in New Zealand based on Sun Access Manager, which evolved into OpenAM. He is currently writing a book on Practical Enterprise Architecture.
