Video: Google OpenID Connect for applications on WebSphere Liberty

The following transcript is for the "Google OpenID Connect for applications on WebSphere® Liberty" video, which demonstrates how to set up an OpenID Connect web single-sign-on on WebSphere Application Server Liberty with a Google OpenID Connect provider. This transcript is the video storyboard. Audio describes narration and captions. Onscreen Action describes the content that is shown in the video.

Video Google OpenID Connect for applications on WebSphere Liberty

Table 1. Title page. Show title and then a basic Google OpenID Connect scenario.
Scene 1
Audio: This video will show you how to set up OpenID Connect web single sign-on on WebSphere Application Server Liberty with a Google OpenID Connect provider.
Onscreen Action: Show title "OpenID Connect Quick Setup with Google".

Scene 2
Audio: Here you can see an OpenID Connect flow from an end user to an application on the Liberty server and the Google OpenID provider. When a user first attempts to access a Google OpenID Connect-protected application on a Liberty server, the user is redirected to the Google OpenID Provider. By authenticating with the Google account, the user gains access to the protected web application on the Liberty server. In this video, we call the Liberty server the "Relying Party" or RP, and the Google OpenID Connect provider the OP.
Onscreen Action: Show a basic Google OpenID Connect scenario that includes a Relying Party (RP), a Google OpenID Connect provider (OP), and an End-User.
Table 2. Demo registering Liberty in Google
Scene 3
Audio: To set up the Liberty RP with the Google OP, first we will register the Liberty server as an OpenID Connect client in the Google OP.

To do so, we will:

  • Log in to the Google Developers Console and create a project
  • In the project, create a "Client ID" for the Liberty server
  • Write down the Client ID and Client Secret for when we set up Liberty

Let's try these steps now.

Onscreen Action: Show title "Register Liberty in Google".
  1. On the Google Developers Console (https://console.developers.google.com), create a project.
  2. In the project, create a Client ID from the Credentials menu.
  3. Write down the following information for the Liberty setup:
    • Client ID
    • Client Secret

For more information, refer to https://developers.google.com/accounts/docs/OpenIDConnect.

Scene 4
Audio: In the Google Developers Console, create a new project.
Onscreen Action: In the Google Developers Console, demo creating a new project.
  • Project name: WebSphereLibertyOpenIDConnect
  • Project ID: astute-tome-859

Scene 5
Audio: In the project that you just created, go to APIs & auth, then Credentials, and Create new Client ID. First, you will have to configure a consent screen.
Onscreen Action: Show the Google Developers Console screen where Create new Client ID is selected.

Scene 6
Audio: The consent screen is shown to users when they authenticate with the Google OpenID provider. Configure your consent screen as needed and continue creating your Client ID. For the application type, select Web application. Then, enter a redirect URI for the Liberty server (pointing to https://rp-example.rtp.raleigh.ibm.com:7778/oidcclient/redirect/oidcRP on the screen). This redirect URI comes from the configuration of your Liberty server, which we will cover later. If you don't know the redirect URI for your server yet, you can leave the default value and update it later.
Onscreen Action: Show the Google Developers Console screen where Web application is selected.
  • Authorized JavaScript Origins is set to https://www.example.com
  • Authorized Redirect URIs is set to https://www.example.com/oauth2callback

Scene 7
Audio: After the Client ID is created, you can see the Client ID and Client Secret. Make a note of these values, because they are needed in the next step, configuring the Liberty server.
Onscreen Action: Show the Google Developers Console screen where the Client ID and Client Secret values can be seen.
Table 3. Demo configuring WebSphere Liberty
Scene 8
Audio: To set up Liberty to work with a Google OP, you will need to:
  • Install Version 8.5.5.5 or later of Liberty
  • Install the OpenID Client feature
  • Create a Liberty server
  • Edit the server.xml configuration file with the Google information
  • Install the application that will use the Google account for authentication
  • And finally, import the Google certificate into the keystore for SSL communication
Onscreen Action: Show the WebSphere Liberty setup overview.
  1. Install WebSphere Liberty 8.5.5.5 or the latest beta > java -jar wlp-developers-runtime-8.5.5.5.jar
  2. Install the OpenID Client feature (no download necessary) > bin/featureManager install openidConnectClient-1.0 --when-file-exists=ignore
  3. Create a Liberty server > server create GoogleRP
  4. Edit the server.xml with more configuration (sample downloadable)
    • Required features
    • SSL keystore
    • OpenID Client
    • Application
  5. Install the application that will use the Google account for authentication > Copy the application ear/war file under the app directory.
  6. Import the Google certificate into the keystore for SSL communication.

Scene 9
Audio: First, we will install Version 8.5.5.5 of Liberty.

Then, we will install the OpenID Client feature and create a server with the name GoogleRP.

You can find the server.xml configuration file under the wlp\usr\servers\GoogleRP\ directory.

Onscreen Action: Demo with a command prompt that is used to update the server.xml file.

Scene 10
Audio: Here is the default server.xml file. Now, we will compare it to a server.xml file that has a Google configuration.
Onscreen Action: Show a default server.xml file.

Scene 11
Audio: You can see that the necessary features are added. In the OpenID Connect Client configuration, the Client ID and Client Secret that we obtained from Google are added. You can obtain the other values from the Google OP's discovery endpoint (https://accounts.google.com/.well-known/openid-configuration is shown in the video). Then we add an SSL configuration and an endpoint configuration with the host name, HTTP port, and HTTPS port.

The configuration file also includes configuration for applications that rely on Google to perform authentication.

That's all the configuration we need for Liberty.

The Liberty RP uses the pattern https://<hostname>:<sslport>/oidcclient/redirect/<openidConnectClient id> to generate its own redirect URL. For example, the server that we configured has the URI https://rp-example.rtp.raleigh.ibm.com:7778/oidcclient/redirect/oidcRP. This is the URI that we entered earlier in the Google console.

Onscreen Action: Show a server.xml file that contains the Client ID and Client Secret that were obtained from Google, plus an SSL configuration and an endpoint configuration with the host name, HTTP port, and HTTPS port. The server.xml file also includes configuration for applications that rely on Google to perform authentication.
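The server.xml shown in this scene is not reproduced in the transcript. The following is an added example, written for this page and not the file from the video or an IBM-supplied sample, of what a server.xml for the GoogleRP server described above can look like. The host name, ports and openidConnectClient id are taken from the redirect URI shown in the video; the client ID, client secret, keystore password and application name are placeholders; the Google endpoint URLs and issuer are assumed from Google's discovery document and should be verified against https://accounts.google.com/.well-known/openid-configuration, as the narration instructs.

```xml
<server description="Liberty relying party for Google OpenID Connect (added example, not the file from the video)">

    <!-- Required features: the OpenID Connect client, application security,
         SSL, and the web container feature the test application needs. -->
    <featureManager>
        <feature>openidConnectClient-1.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>ssl-1.0</feature>
        <feature>servlet-3.0</feature>
    </featureManager>

    <!-- Endpoint configuration. Host name and ports are the ones from the video.
         The RP derives its own redirect URL as
         https://<hostname>:<httpsPort>/oidcclient/redirect/<openidConnectClient id>,
         which here is https://rp-example.rtp.raleigh.ibm.com:7778/oidcclient/redirect/oidcRP;
         that value must match the redirect URI registered in the Google Developers
         Console exactly, or Google will refuse the authorization request. -->
    <httpEndpoint id="defaultHttpEndpoint"
                  host="rp-example.rtp.raleigh.ibm.com"
                  httpPort="7777"
                  httpsPort="7778" />

    <!-- SSL keystore. The Google certificate chain must be imported into this
         keystore (the import steps are in the reference page, not the video) so the
         RP can validate Google's TLS certificate when it calls the token and JWK
         endpoints. The password is a placeholder; store the output of
         bin/securityUtility encode rather than a plain-text value. -->
    <keyStore id="defaultKeyStore" password="CHANGE-ME-keystore-password" />
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" />

    <!-- OpenID Connect client. clientId and clientSecret are the values from the
         Google Developers Console (placeholders here). The endpoint URLs and
         issuer are assumed from Google's discovery document; confirm them there.
         issuerIdentifier, jwkEndpointUrl and signatureAlgorithm="RS256" together
         make the RP verify the ID token's signature against Google's published
         keys and reject tokens from any other issuer. -->
    <openidConnectClient id="oidcRP"
        clientId="CHANGE-ME.apps.googleusercontent.com"
        clientSecret="CHANGE-ME-client-secret"
        authorizationEndpointUrl="https://accounts.google.com/o/oauth2/v2/auth"
        tokenEndpointUrl="https://oauth2.googleapis.com/token"
        jwkEndpointUrl="https://www.googleapis.com/oauth2/v3/certs"
        issuerIdentifier="https://accounts.google.com"
        signatureAlgorithm="RS256"
        scope="openid profile email"
        userIdentityToCreateSubject="email"
        mapIdentityToRegistryUser="false"
        httpsRequired="true"
        sslRef="defaultSSLConfig" />

    <!-- Application that relies on Google for authentication. The WAR name is a
         placeholder; every Google-authenticated user is granted the application's
         role, so the application itself never sees a password. -->
    <application id="testpage" name="testpage" type="war" location="testpage.war">
        <application-bnd>
            <security-role name="AuthenticatedUsers">
                <special-subject type="ALL_AUTHENTICATED_USERS" />
            </security-role>
        </application-bnd>
    </application>

</server>
```

Setting mapIdentityToRegistryUser="false" means no local user registry is needed: the subject is created from the email claim in the ID token. If the application must restrict access to specific accounts rather than anyone with a Google account, replace the ALL_AUTHENTICATED_USERS special subject with explicit user entries or map the identity to a registry.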
Scene 12
Audio: Next, we will install our application in the app directory.

We will start and stop the Liberty server to generate the keystore in the server resources, and make sure that the Liberty server keystore has the Google certificate for SSL communication.

Note: The certificate import steps are not shown in this video; instructions are included in the reference page.

Then we will start the Liberty server again.

Onscreen Action: Show title "How to import Google certificate here".
Table 4. Demo testing the setup
Scene 13
Audio: Now we will test our configuration to see if it works.
  • In a browser, we will go to the application URL.
  • When prompted, we will enter our Google account information.
  • We will see the application redirecting to Google to perform authentication.
  • After the user is authenticated, the RP will show an application page to the user.
  • Let's try that now.
Onscreen Action: Demo testing the setup.
  1. Start the WebSphere Liberty server > server start oidcRP
  2. In a browser, point to the application login page on the Liberty server > http://rp-example.rtp.raleigh.ibm.com:7777/testpage
  3. When prompted, enter the Google user ID and password > xxx.yyy@gmail.com / mypassword
  4. The application relies on Google to perform authentication
  5. The user is successfully authenticated

Scene 14
Audio: In the browser, we will type in the URL of the application that is running on the Liberty server. Notice that we are prompted by the Google OP server because the Liberty relying party is delegating the authentication to the OP. We will enter the credentials for the Google account. After accepting the consent screen, we are successfully logged in to the application on the RP using the OP account.
Onscreen Action: Demo with a browser login that shows a successful login to the application on the RP using the OP account.
Table 5. Conclusion. Show where to find more information about OpenID Connect that uses Google.
Scene 15
Audio: For more information, visit these online resources.
Onscreen Action: Show information on documentation:
  • WebSphere Liberty download page: https://developer.ibm.com/wasdev/downloads/liberty-profile-using-non-eclipse-environments/
  • OpenID Connect feature installation
    • Server: https://developer.ibm.com/wasdev/downloads/#asset/features-com.ibm.websphere.appserver.openidConnectServer-1.0
    • Client: https://developer.ibm.com/wasdev/downloads/#asset/features-com.ibm.websphere.appserver.openidConnectClient-1.0
  • IBM® Knowledge Center, OpenID Connect main page: http://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/rwlp_using_oidc.html
  • All OpenID Connect attributes are discussed here: http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_config_oidc_rp.html?cp=SSEQTP_8.5.5%2F1-3-11-0-4-2-9-2
  • IBM developerWorks OpenID Connect article: http://www.ibm.com/developerworks/websphere/library/techarticles/1502_odonnell/1502_odonnell.html
  • WebSphere Liberty OpenID Connect setup video on YouTube: http://youtu.be/fuajCS5bG4c
  • Google setup "OpenID Connect (OAuth 2.0 for Login)": https://developers.google.com/accounts/docs/OpenIDConnect

For more information about OpenID Connect, see Using OpenID Connect.


Last updated: Monday, 5 December 2016
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-libcore-mp&topic=video_transcript_oidc_google
File name: video_transcript_oidc_google.html