Cloud Access Manager 8.1.4 - How To Develop OpenID Connect Apps

OpenID Connect discovery

The optional OpenID Connect Discovery specification (available online at http://openid.net/specs/openid-connect-discovery-1_0.html) defines how Relying Parties can automatically query the End-User's OpenID Provider for the information needed to interact with it, including its OAuth 2.0 endpoint locations. Cloud Access Manager does not provide this facility.

When would you use OAuth v2.0 and OpenID Connect?

The purpose of the OAuth v2.0 framework is to allow client applications to gain authorization to access information held on a resource server with the permission of the owner, without the client needing to know the owner’s password. The key difference between it and other federation protocols such as SAML or WS-Federation is that the request for access can be limited to a single resource or a group of resources (rather than an entire web application) and the resource owner is invited to approve the access request.

While OAuth v2.0 can be used to provide the framework for authentication and authorization to any web application, it has become the de facto standard for mobile apps that communicate with an online resource server.

In summary, there are three main use cases in which you would consider using OAuth v2.0 or OpenID Connect to provide authentication and authorization services from Cloud Access Manager:

  • If your organization has purchased software, or subscribes to an online service, that supports OAuth v2.0 or OpenID Connect.
  • If your organization is developing a web-based application for your enterprise where users will interface with the application using a mobile app, then you may consider OAuth v2.0 and OpenID Connect instead of SAML.
  • If your organization is developing a web-based application for your enterprise whereby other systems require access to resources hosted by your new application.

Cloud Access Manager supports both OAuth v2.0 and OpenID Connect applications through the same back-end SSO method.

Using the OpenID Connect Flow Test Tool

The OpenID Connect Flow Test Tool allows you to invoke Cloud Access Manager OpenID Connect calls, just as an application would. This can help your understanding of Cloud Access Manager’s implementation of OpenID Connect and be used as a diagnostic tool when developing your own application.

To get started with the OpenID Connect Flow Test Tool, follow the steps below. Ensure that you have already set up a front-end authenticator in Cloud Access Manager to authenticate a test user:

Client machine
  1. The OpenID Connect Flow Test Tool can run on any machine with .NET Framework 4.5 installed that has network access to your Cloud Access Manager proxy.
  2. From your Cloud Access Manager installation media, open the Tools folder and extract the OIDCFlowTestTool.zip to a suitable location on a machine.
  3. Run OIDCFlowTestTool.exe in the extracted folder. This will open a Windows application.
  4. In the CAM Proxy Hostname field, supply the hostname of your Cloud Access Manager proxy.
Cloud Access Manager administration
  1. Log in to Cloud Access Manager as an administrator.
  2. Under Applications, click Add New.
  3. Click Configure Manually, then click Next.
  4. Choose Using OpenID Connect / OAuth 2.0, then click Next.
  5. Select the required Client Type; the tool can be configured as either a public or a confidential client.
Exchanging setup information between Cloud Access Manager and the client machine
  1. Copy the Redirect URI from the test tool to the Redirect URI input field of the application configuration in Cloud Access Manager.
  2. Copy the Client ID from the application configuration in Cloud Access Manager to the Client ID field of the test tool.
  3. In the test tool, click the Details tab.
  4. Copy the Shared Secret value from the application configuration in Cloud Access Manager to the Shared Secret field in the test tool.
Cloud Access Manager administration
  1. Click Next.
  2. Choose Do not proxy this application, then click Next.
  3. Select the roles that are permitted to use this application, click Allow Role Access, then click Next.
  4. Type in a name for your application, then click Next.
  5. In the URL field, type https://cloudaccessmanager.proxy.com/myapp where cloudaccessmanager.proxy.com is the hostname of your proxy, and myapp is a name of your choice. The URL is not important for this exercise, since no users will be launching the application from the portal, but the wizard requires that you enter a valid URL in that field.
  6. Click Finish.
Client machine
  1. Click the Flows tab.
  2. To invoke an Implicit Flow, click the GET Token (Implicit flow) button.

    NOTE: If your application was set up as a confidential client, then a request for Implicit Flow will be rejected with an authorization error response.

  3. To invoke Authorization Code Flow, check the Authenticate box (this causes the client to authenticate to the token endpoint), then click the 1. GET AZCode (AuthZ Code flow) button. To obtain an access token, click 2. POST AZCode for Token (AuthZ Code flow).
  4. Use the Show Id Token, Show Access Token, and GET UserInfo buttons to view information returned from Cloud Access Manager.
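The following Python is an added worked example, not code from Cloud Access Manager or the Flow Test Tool. It models what the tool's buttons send and check: the front-channel authorization request for the Implicit and Authorization Code flows, the provider-side rule that a confidential client may not use the Implicit Flow, the state check on the callback, the back-channel token request with and without client authentication (the Authenticate box), and the audience and nonce checks on the returned ID token. The endpoint paths, Client ID, Shared Secret, redirect URI, state and nonce values and the ID token are all constructed placeholders, and the specific error code returned for a rejected Implicit Flow is assumed (the text says only that an authorization error response is returned).

```python
"""Model of the Authorization Code and Implicit flows that the OpenID Connect
Flow Test Tool drives. Added illustration only: not Cloud Access Manager or
test-tool code. Endpoint paths, credentials and tokens are constructed
placeholders, and the error code for a rejected Implicit Flow is assumed.
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; real values come from your proxy hostname and
# the application configuration in Cloud Access Manager.
AUTHORIZE_ENDPOINT = "https://cam-proxy.example.com/oidc/authorize"  # assumed path
TOKEN_ENDPOINT = "https://cam-proxy.example.com/oidc/token"          # assumed path
CLIENT_ID = "example-client-id"
SHARED_SECRET = "example-shared-secret"
REDIRECT_URI = "http://localhost:5000/callback"


def build_authorize_url(flow, state, nonce):
    """Front-channel request for the chosen flow.

    "code"     -> Authorization Code Flow (what '1. GET AZCode' sends)
    "implicit" -> Implicit Flow (what 'GET Token (Implicit flow)' sends)
    """
    response_type = {"code": "code", "implicit": "token id_token"}[flow]
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,  # client-chosen value, checked again on the callback
        "nonce": nonce,  # echoed inside the ID token to tie it to this request
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def provider_accepts(client_type, response_type):
    """Provider-side policy from the text: a confidential client may not use
    the Implicit Flow. Returns (accepted, error_code)."""
    if client_type == "confidential" and "token" in response_type.split():
        return False, "unauthorized_client"  # assumed error code
    return True, None


def parse_callback(redirect_url, expected_state):
    """Pull the code out of the redirect back to the client, rejecting a
    response whose state does not match the one this client sent."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response is not bound to our request")
    if "error" in query:
        raise ValueError(f"authorization error: {query['error'][0]}")
    return query["code"][0]


def build_token_request(code, authenticate):
    """Back-channel request that redeems the code ('2. POST AZCode for Token').
    authenticate=True mirrors the tool's Authenticate box: the client sends its
    Client ID and Shared Secret as HTTP Basic credentials."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI}
    if authenticate:
        creds = base64.b64encode(f"{CLIENT_ID}:{SHARED_SECRET}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    else:
        body["client_id"] = CLIENT_ID  # public client identifies itself in the body
    return TOKEN_ENDPOINT, headers, urlencode(body)


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def constructed_id_token(nonce):
    """Stand-in for the ID token the provider returns; the signature segment
    is a placeholder, so this token only exercises the claim checks below."""
    header = _b64url({"alg": "RS256", "typ": "JWT"})
    payload = _b64url({"iss": "https://cam-proxy.example.com", "sub": "testuser",
                       "aud": CLIENT_ID, "nonce": nonce})
    return f"{header}.{payload}.placeholder-signature"


def id_token_claims(id_token, expected_nonce):
    """Decode the ID token payload and check audience and nonce. Signature
    verification is deliberately left to a JOSE library such as those the
    text links to; claims from an unverified token must not be trusted."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("ID token audience is not this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: ID token is not bound to our request")
    return claims


if __name__ == "__main__":
    state, nonce = "state-123", "nonce-456"  # constructed; use random values for real
    print(build_authorize_url("code", state, nonce))
    print(provider_accepts("confidential", "token id_token"))
    code = parse_callback(f"{REDIRECT_URI}?code=AZCODE-1&state={state}", state)
    print(build_token_request(code, authenticate=True)[1]["Authorization"])
    print(id_token_claims(constructed_id_token(nonce), nonce)["sub"])
```

Running the module walks the Authorization Code Flow end to end with the constructed values. The state and nonce checks are the part a real client must not skip: the test tool shows you the tokens, but an application that accepts a callback or an ID token without tying it back to the request it sent has no assurance that the response belongs to the current user.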

Building your OpenID Connect client

There are libraries available which can help you to build an OAuth or OpenID Connect client.

NOTE: The following links are for information only, and One Identity does not assume any responsibility for their content.

Includes .NET OAuth2 and OpenID Connect client and helpers for parsing token and authorize responses, Epoch Time helpers, and extensions methods for HttpClient.

Open source (Apache 2.0) implementation of JWT and the JOSE specification suite, written in Java.
