Video: Google OpenID Connect for applications on WebSphere Liberty
The following transcript is for the "Google OpenID Connect for applications on WebSphere® Liberty" video, which demonstrates how to set up an OpenID Connect web single-sign-on on WebSphere Application Server Liberty with a Google OpenID Connect provider. This transcript is the video storyboard. Audio describes narration and captions. Onscreen Action describes the content that is shown in the video.
Google OpenID Connect for applications on WebSphere Liberty
Scene | Audio | Onscreen Action |
---|---|---|
1 | This video will show you how to set up OpenID Connect web single sign-on on WebSphere Application Server Liberty with a Google OpenID Connect provider. | Show title OpenID Connect Quick Setup with Google. |
2 | Here you can see an OpenID Connect flow between an end user, an application on the Liberty server, and the Google OpenID provider. When a user first attempts to access a Google OpenID Connect-protected application on a Liberty server, the user is redirected to the Google OpenID Provider. After the user authenticates with a Google account, the user is granted access to the protected web application on the Liberty server. In this video, we call the Liberty server the "Relying Party" or RP, and we call the Google OpenID Connect provider the "OpenID Provider" or OP. | Show a basic Google OpenID Connect scenario that includes a Relying Party (RP), the Google OpenID Connect provider (OP), and an End-User. |
Scene | Audio | Onscreen Action |
---|---|---|
3 | To set up the Liberty RP with Google OP, first, we will register the Liberty server as an OpenID Connect client in the Google OP. To do so, we will
Let's try these steps now. | Show title Register Liberty in Google. For more information, please refer to this page https://developers.google.com/accounts/docs/OpenIDConnect. |
4 | In the Google Developers Console, create a new Project. | In the Google Developers Console, we show a demo creating a new project. |
5 | In the project that you just created, go to APIs & auth, then Credentials, and Create new Client ID. First, you will have to configure a consent screen. | Show the Google Developers Console screen where the Create new Client ID is selected. |
6 | The consent screen is shown to users when they authenticate with the Google OpenID provider. Configure your consent screen as needed and continue creating your Client ID. For the application type, select Web application. Then, enter a redirect URI for the Liberty server. (pointing to https://rp-example.rtp.raleigh.ibm.com:7778/oidcclient/redirect/oidcRP on the screen) This redirect URI comes from the configuration for your Liberty server, which we will cover later. If you don't know the redirect URI for your server, you can leave the default value and update it later. | Show the Google Developers Console screen where the Web Application is selected. |
7 | After the Client ID is created, you can see the Client ID and Client Secret. Make note of these values, because they are needed in the next step, configuring the Liberty server. | Show the Google Developers Console screen where the Client ID and Client Secret values can be seen. |
Scene | Audio | Onscreen Action |
---|---|---|
8 | To set up Liberty to work with a Google OP, you will need to: | Show the WebSphere Liberty setup overview. |
9 | First, we will install Version 8.5.5.5 of Liberty. Then, we will install the OpenID Connect Client feature and create a server with the name GoogleRP. You can find the server.xml configuration file under the wlp\usr\servers\GoogleRP\ directory. | Demo with a command prompt that is being used to update the server.xml file. |
10 | Here is the default server.xml file. Now, we will compare it to a server.xml file that has a Google configuration. | Show a default server.xml file. |
11 | You can see that the necessary features are added. In the OpenID Connect Client configuration, the Client ID and Client Secret that we obtained from Google are added. You can obtain the other values from the Google OP's discovery endpoint (https://accounts.google.com/.well-known/openid-configuration is shown in the video). Then we add an SSL configuration and an endpoint configuration with the host name, HTTP port, and HTTPS port. The configuration file also includes configuration for applications that rely on Google to perform authentication. That's all the configuration we need for Liberty. The Liberty RP uses the pattern https://<hostname>:<sslport>/oidcclient/redirect/<openidConnectClient id> to generate its own redirect URL. For example, the server that we configured has the following URI: https://rp-example.rtp.raleigh.ibm.com:7778/oidcclient/redirect/oidcRP. This is the URI that we entered earlier in the Google console, and Google will reject the login if the two do not match exactly. | Show a server.xml file that contains the Client ID and Client Secret that were obtained from Google, an SSL configuration, and an endpoint configuration with the host name, HTTP port, and HTTPS port. The server.xml file also includes configuration for applications that rely on Google to perform authentication. |
12 | Next, we will install our application in the apps directory. We will start and stop the Liberty server to generate the keystore in the server resources, and make sure that the Liberty server keystore has the Google certificate for SSL communication. Note: We do not show the certificate import steps in this video; instructions are included in the reference page. Then we will start the Liberty server again. | Show title How to import Google certificate here. |
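The following server.xml is an added example that assembles the elements scenes 11 and 12 describe (features, the openidConnectClient with the Google Client ID and Client Secret, the SSL and endpoint configuration, and an application binding); it is not the file shown in the video. The host name, HTTPS port and client id are the ones the video names; the HTTP port, keystore names and passwords, application name, and role name are placeholders. The Google endpoint URLs are the ones Google publishes in its discovery document and should be confirmed against https://accounts.google.com/.well-known/openid-configuration before use. The jwkEndpointUrl attribute requires a Liberty level that supports retrieving the OP's signing keys as a JWK set; check your level's documentation for the openidConnectClient element.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example server.xml for the Liberty server "GoogleRP". Assembled for this
     transcript; not the file from the video. Values marked REPLACE are placeholders. -->
<server description="Liberty relying party for Google OpenID Connect">

    <featureManager>
        <feature>servlet-3.1</feature>
        <feature>appSecurity-2.0</feature>
        <feature>ssl-1.0</feature>
        <!-- The OpenID Connect Client feature installed in scene 9 -->
        <feature>openidConnectClient-1.0</feature>
    </featureManager>

    <!-- The redirect URI registered in the Google console is derived from this
         endpoint and the openidConnectClient id below:
         https://rp-example.rtp.raleigh.ibm.com:7778/oidcclient/redirect/oidcRP
         httpPort="7777" is an assumed value; the video only names the HTTPS port. -->
    <httpEndpoint id="defaultHttpEndpoint"
                  host="rp-example.rtp.raleigh.ibm.com"
                  httpPort="7777"
                  httpsPort="7778" />

    <!-- SSL configuration (scene 11). The trust store must contain the CA
         certificate that signs Google's TLS certificates so the RP can verify the
         token and JWK endpoints it calls on the back channel; this is the import
         step scene 12 refers to. Passwords here are placeholders: replace them, or
         store values produced by the securityUtility encode command. -->
    <keyStore id="defaultKeyStore" location="key.jks" password="REPLACE_KEYSTORE_PASSWORD" />
    <keyStore id="googleTrustStore" location="googleTrust.jks" password="REPLACE_TRUSTSTORE_PASSWORD" />
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="googleTrustStore" />
    <sslDefault sslRef="defaultSSLConfig" />

    <!-- The relying-party configuration. clientId and clientSecret come from scene 7;
         treat clientSecret as a credential (it can be stored as an encoded value).
         issuerIdentifier and signatureAlgorithm make the RP reject ID tokens that were
         not issued by Google and signed with RS256. httpsRequired keeps the redirect
         on TLS. userIdentityToCreateSubject="email" with mapIdentityToRegistryUser="false"
         builds the subject from the token without needing a local user registry. -->
    <openidConnectClient id="oidcRP"
                         clientId="REPLACE_WITH_GOOGLE_CLIENT_ID"
                         clientSecret="REPLACE_WITH_GOOGLE_CLIENT_SECRET"
                         scope="openid profile email"
                         authorizationEndpointUrl="https://accounts.google.com/o/oauth2/v2/auth"
                         tokenEndpointUrl="https://oauth2.googleapis.com/token"
                         jwkEndpointUrl="https://www.googleapis.com/oauth2/v3/certs"
                         issuerIdentifier="https://accounts.google.com"
                         signatureAlgorithm="RS256"
                         userIdentityToCreateSubject="email"
                         mapIdentityToRegistryUser="false"
                         httpsRequired="true"
                         sslRef="defaultSSLConfig" />

    <!-- The application that delegates authentication to Google (scene 12 installs it
         in the apps directory). Application and role names are placeholders; the role
         is granted to every subject the openidConnectClient authenticates. -->
    <webApplication id="GoogleRPApp" name="GoogleRPApp" location="GoogleRPApp.war">
        <application-bnd>
            <security-role name="AuthenticatedUsers">
                <special-subject type="ALL_AUTHENTICATED_USERS" />
            </security-role>
        </application-bnd>
    </webApplication>

</server>
```

Two things to check before starting the server: the host, HTTPS port and openidConnectClient id must produce exactly the redirect URI registered in scene 6 (Google rejects the request otherwise), and the trust store referenced by sslRef must already contain the Google CA certificate, or the back-channel call to the token endpoint fails during the first login.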
Scene | Audio | Onscreen Action |
---|---|---|
13 | Now we will test our configuration to see if it works. | Demo testing the setup. |
14 | In the browser, we will type in the URL of the application that is running on the Liberty server. Notice that we are prompted by the Google OP server because the Liberty relying party is delegating the authentication to the OP. We will enter the credentials for the Google account. After accepting the consent screen, we are successfully logged in to the application on the RP using the OP account. | Demo with a browser login that shows a successful login into the application on the RP using the OP account. |
Scene | Audio | Onscreen Action |
---|---|---|
15 | For more information, visit these online resources. | Show information on documentation: For more information about OpenID Connect, see Using OpenID Connect. |