This repository contains an example of using OpenID Connect based authentication in a reverse proxy for protecting web applications.
Use of proxy may help implementing "single logout", if any of following statements is true:
- OP may initiate logout, but OP does not have network access to application servers
- login state is required to be shared on multiple application servers without prompts from OP
Use of proxy may help migration to OpenID Connect, if any following statements is true:
- applications are running inside Java EE container, which provides minimal or no OpenID Connect support
This code has been written to study OpenID Connect protocol. This should not be used in production
- identity-gateway - OpenID Connect relying party (RP)
- liberty-openid - Sample OpenID Connect resource server (RS) for testing purposes
- test-provider - Sample OpenID Connect provider (OP) for testing purposes
Authentication flow is used when token reference cookie is not present, is not valid or when refresh token has been expired (or revoked).
- Client requests resource from RP
- RP redirects client to OP for authentication. A state is created and stored in a cookie. A state reference and a callback resource address are passed as request parameters in redirect address
- Client requests authentication from OP. The state reference is stored
- OP responses with a login form containing the state reference
- Client posts login form contents to OP
- OP redirects client to the callback address. The state reference and a authentication code are passed as requests parameters
- Client requests callback resource from RP with provided parameters and the state cookie
- RP requests token from OP using the authentication code
- OP returns a token set containing an id token, an access token and a refresh token
- RP requests public keys from OP
- OP returns public keys as JWKS
- RP redirects client to location stored in the state. Tokens are stored on RP and a reference to tokens is stored in a cookie.
- Client requests resource from RP with the token reference cookie
- RP requests resource from RS with the referenced access token
- RS requests public keys from OP
- OP returns public keys as JWKS
- RS returns response to RP
- RP returns response to Client
Token refresh flow is used when access token is about to expire or has been expired (or revoked). This flow is started when Client provides refresh cookie. Client may be redirected to authentication flow, if an error occurs during the flow.
- Client requests resource from RP with token reference cookie
- RP requests token from OP with the refresh token stored earlier on RP
- OP returns a token set containing an id token, an access token and a refresh token
- RP requests public keys from OP
- OP returns public keys as JWKS
- RP requests resource from RS with the access token
- RS requests public keys from OP
- OP returns public keys as JWKS
- RS returns response to RP
- RP returns response to Client
