Open ID Integration with PicketLink

What is OpenID?

OpenID is an open decentralized identity system.


Introduction to OpenID

Good presentation: Understanding OpenID


OpenID Support in PicketLink

PicketLink supports OpenID. It should be possible for users to implement OpenID Consumers (or Relying Parties) using the library. Even though implementing OpenID Providers is supported, I do not think there will be much usage of it.


Where to Download?

From the download page of PicketLink project (Link), download the following:

  • PicketLink Stack (Either Tomcat or JBoss AS)
  • OpenID Dependency Stack (will give you all the dependencies)


NOTE: If you are running in a container that is neither Tomcat nor JBoss, then you can download the PicketLink core library (LINK) plus the openid dependency stack. That should be sufficient to get you going.


How to Write an OpenID Consumer/RP?

  1. Download the openid-consumer.war archive from the download page of the JBoss Identity project. Rename the war file to openid-consumer.war (remove the version info from the name).
  2. Deploy it in your web container.
  3. Access the consumer page (e.g. http://localhost:8080/openid-consumer).
  4. You can then go ahead and enter your OpenID URL (e.g. http://jbosstest.myopenid.com).
  5. Now you should be redirected to your OpenID provider, where you will log in (e.g. the password is "jbosstest").
  6. After authentication at the OpenID provider, you should be redirected back to your consumer.


How to Write an OpenID Provider?

  1. You can download the openid-provider.war from Link. Rename it to openid-provider.war.
  2. Deploy the war in your favorite web container.
  3. Configure the web.xml security as per the instructions for JBoss AS or Tomcat.
  4. In your consumer, you can enter something like http://localhost:8080/openid-provider/?user=anil
  5. You will be redirected to the provider, where you can log in with username/password. The OpenID Provider application uses FORM-based authentication.


Servlets Provided:

  • OpenIDYadisServlet:  Can display a Yadis discovery endpoint.
  • OpenIDConsumerServlet:  used by the openid-consumer web application.
  • OpenIDProviderServlet:  used by the openid-provider web application.
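The Yadis servlet in the list above serves the discovery document a consumer fetches before it can associate with a provider. The standalone servlet below is an added example and is not PicketLink's OpenIDYadisServlet: it shows what that document looks like for the provider URL used on this page. The XRDS namespaces, the OpenID 2.0 service types, the LocalID element, the X-XRDS-Location header and the application/xrds+xml content type come from the OpenID Authentication 2.0 and Yadis specifications; the class name and the openid.endpoint init parameter are assumptions made for this example.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not PicketLink's OpenIDYadisServlet: serves the Yadis/XRDS
 * discovery document an OpenID consumer fetches for a provider.
 * The OP endpoint is read from the init parameter "openid.endpoint" (a name
 * chosen for this example) and defaults to the provider URL used on this page.
 */
public class XrdsDiscoveryServlet extends HttpServlet {

    /** OpenID 2.0 service types published in XRDS documents (spec section 7.3.2.1). */
    static final String TYPE_OP_IDENTIFIER = "http://specs.openid.net/auth/2.0/server";
    static final String TYPE_CLAIMED_IDENTIFIER = "http://specs.openid.net/auth/2.0/signon";

    private String opEndpoint = "http://localhost:8080/openid-provider/";

    @Override
    public void init() throws ServletException {
        String configured = getInitParameter("openid.endpoint");
        if (configured != null && !configured.isEmpty()) {
            opEndpoint = configured;
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // A consumer that sends "Accept: application/xrds+xml" expects the document
        // itself; one that fetched an HTML page first follows the X-XRDS-Location
        // header. Sending both keeps either discovery path working.
        resp.setHeader("X-XRDS-Location", req.getRequestURL().toString());
        resp.setContentType("application/xrds+xml");
        resp.setCharacterEncoding("UTF-8");

        // ?user=anil (the claimed-identifier form used on this page) yields a
        // signon service carrying that identifier as LocalID; without a user the
        // document advertises the OP endpoint itself (directed identity).
        String user = req.getParameter("user");
        String claimedId = null;
        if (user != null && !user.isEmpty()) {
            claimedId = opEndpoint + "?user=" + URLEncoder.encode(user, "UTF-8");
        }
        resp.getWriter().print(buildXrds(opEndpoint, claimedId));
    }

    /** Builds the XRDS document for the given OP endpoint and optional claimed identifier. */
    static String buildXrds(String endpoint, String claimedId) {
        String type = (claimedId == null) ? TYPE_OP_IDENTIFIER : TYPE_CLAIMED_IDENTIFIER;
        StringBuilder xrds = new StringBuilder()
            .append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n")
            .append("<xrds:XRDS xmlns:xrds=\"xri://$xrds\" xmlns=\"xri://$xrd*($v*2.0)\">\n")
            .append("  <XRD>\n")
            .append("    <Service priority=\"0\">\n")
            .append("      <Type>").append(type).append("</Type>\n")
            .append("      <URI>").append(escapeXml(endpoint)).append("</URI>\n");
        if (claimedId != null) {
            xrds.append("      <LocalID>").append(escapeXml(claimedId)).append("</LocalID>\n");
        }
        return xrds.append("    </Service>\n")
                   .append("  </XRD>\n")
                   .append("</xrds:XRDS>\n")
                   .toString();
    }

    /** Escapes the characters that would otherwise break the XML structure. */
    static String escapeXml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Map the servlet to the URL you hand out as the OpenID identifier; a consumer performing Yadis discovery on http://localhost:8080/openid-provider/?user=anil then receives a signon service pointing at the provider endpoint, which is what the associate and authenticate steps on the consumer side need.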


References:

  1. PicketLink: http://jboss.org/picketlink
  2. Blog Entry


Show me code:

If you are interested in implementing stuff yourself with the PicketLink API,


Consumer Side:


import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.picketlink.identity.federation.api.openid.OpenIDManager;
import org.picketlink.identity.federation.api.openid.OpenIDRequest;
import org.picketlink.identity.federation.api.openid.OpenIDProviderInformation;
import org.picketlink.identity.federation.api.openid.OpenIDProviderList;
import org.picketlink.identity.federation.api.openid.exceptions.OpenIDGeneralException;
import org.picketlink.identity.federation.web.openid.HTTPOpenIDContext;
import org.picketlink.identity.federation.web.openid.HTTPProtocolAdaptor;

// Minimal servlet around the snippet: req, resp, servletContext and returnURL,
// which the snippet uses, are supplied here. The form parameter name and the
// return URL value are placeholders for your own application.
public class MyOpenIDConsumerServlet extends HttpServlet {
   private ServletContext servletContext;

   public void init() { this.servletContext = getServletContext(); }

   protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException {
      // returnURL - string representing the URL where the consumer will receive
      // the response from the provider
      String returnURL = "http://localhost:8080/openid-consumer/";
      String userEntry = req.getParameter("openid_url"); // some user entered http based open id
      try {
         OpenIDRequest openIDReq = new OpenIDRequest(userEntry);
         OpenIDManager manager = new OpenIDManager(openIDReq);
         // You can save the manager in either the session or the servlet context
         req.getSession().setAttribute("openid_manager", manager);

         OpenIDProviderList listOfProviders = manager.discoverProviders();
         HTTPOpenIDContext httpOpenIDCtx = new HTTPOpenIDContext(req, resp, this.servletContext);
         httpOpenIDCtx.setReturnURL(returnURL);

         HTTPProtocolAdaptor adapter = new HTTPProtocolAdaptor(httpOpenIDCtx);
         OpenIDProviderInformation providerInfo = manager.associate(adapter, listOfProviders);
         // Redirects the user to the provider for authentication
         manager.authenticate(adapter, providerInfo);
      } catch (OpenIDGeneralException e) {
         throw new ServletException(e);
      }
   }
}
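The snippet above hands the user's entry straight to OpenIDRequest. The class below is an added example, not part of this page's or PicketLink's code: it applies the URL-identifier normalization from OpenID Authentication 2.0 section 7.2 (prepend http:// when no scheme is given, strip the fragment, lowercase scheme and host, use "/" for an empty path) and rejects XRIs and anything that is not an http or https URL, so that the consumer only ever runs discovery against a web URL. The class name is an assumption and the inputs in main are constructed samples; the spec also requires following redirects during discovery, which is left to the discovery step.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (not PicketLink code): normalizes a user-entered OpenID
 * identifier as OpenID Authentication 2.0 section 7.2 describes for URL
 * identifiers, and rejects anything that is not an http(s) URL before it
 * is passed to new OpenIDRequest(userEntry).
 */
public final class OpenIDIdentifierNormalizer {

    private OpenIDIdentifierNormalizer() {}

    public static String normalize(String userEntry) {
        if (userEntry == null || userEntry.trim().isEmpty()) {
            throw new IllegalArgumentException("empty identifier");
        }
        String id = userEntry.trim();

        // XRIs start with xri:// or a global context symbol; this consumer
        // handles URL identifiers only, so refuse them explicitly.
        if (id.startsWith("xri://") || "=@+$!(".indexOf(id.charAt(0)) >= 0) {
            throw new IllegalArgumentException("XRI identifiers are not supported: " + id);
        }

        // Section 7.2: prepend http:// when no scheme is present. Testing for
        // "://" rather than "no colon" keeps "javascript:..." style entries from
        // being accepted as a bare scheme.
        if (!id.contains("://")) {
            id = "http://" + id;
        }

        URI uri;
        try {
            uri = new URI(id);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URL: " + id, e);
        }

        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase();
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("only http and https identifiers are accepted: " + id);
        }
        if (uri.getHost() == null || uri.getHost().isEmpty()) {
            throw new IllegalArgumentException("identifier has no host: " + id);
        }

        // Section 7.2: drop the fragment. RFC 3986 section 6 normalization:
        // lowercase scheme and host, "/" for an empty path, keep the query.
        String path = (uri.getRawPath() == null || uri.getRawPath().isEmpty()) ? "/" : uri.getRawPath();
        StringBuilder out = new StringBuilder(scheme).append("://").append(uri.getHost().toLowerCase());
        if (uri.getPort() != -1) {
            out.append(':').append(uri.getPort());
        }
        out.append(path);
        if (uri.getRawQuery() != null) {
            out.append('?').append(uri.getRawQuery());
        }
        return out.toString();
    }

    // Constructed sample inputs, including the identifiers used on this page.
    public static void main(String[] args) {
        String[] samples = {
            "jbosstest.myopenid.com",                            // becomes http://jbosstest.myopenid.com/
            "HTTPS://Example.COM/user#profile",                  // becomes https://example.com/user
            "http://localhost:8080/openid-provider/?user=anil",  // already normalized
            "=example.name",                                     // XRI, rejected
            "javascript:alert(1)",                               // not http(s), rejected
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + normalize(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Call normalize() on the form value and pass its result to OpenIDRequest; an IllegalArgumentException is the signal to show the user an error instead of starting discovery.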


Future Considerations

The following are not yet covered by this OpenID work. We will take a look if there is demand from users in the community.

  1. Simple Registration (SREG)
  2. Attribute Exchange