Long gone are the days when you needed to build your own user account management, authentication, and authorization for your web-delivered software. Instead, modern applications take these capabilities (Identity and Access Management, or IAM for short) from an external provider. As a full-featured Java application runtime, Open Liberty has great options for externally provided IAM.

Open Liberty supports the IAM mainstays, such as Social Media Login, SAML Web Single Sign-on, and OpenID Connect Client. In Bruce Tiffany's blog post "Securing Open Liberty apps and micro-services with MicroProfile JWT and Social Media login," you have a solid example of how to use the Open Liberty Social Media Login feature to authenticate users with their existing social media credentials. In this blog post, let's look at another example: how to configure the Liberty social login feature as an OpenID Connect client to secure Java applications with Azure Active Directory.

The sample code used in this blog is hosted in this GitHub repository. Feel free to check it out and follow its user guide to run the Java EE demo application before or after reading this blog.

Set up Azure Active Directory

Azure Active Directory (Azure AD) implements OpenID Connect (OIDC), an authentication protocol built on OAuth 2.0, which lets you securely sign in a user from Azure AD to an application. Before going into the sample code, you must first set up an Azure AD tenant and create an application registration with a redirect URL and a client secret. The tenant ID, application (client) ID, and client secret are used by Open Liberty to negotiate with Azure AD and complete an OAuth 2.0 authorization code flow.

Learn how to set up Azure AD from these articles:

Configure social login as an OpenID Connect client

The following sample code shows how an application running on an Open Liberty server is configured with the socialLogin-1.0 feature as an OpenID Connect client to authenticate a user against an OpenID Connect Provider, with Azure AD as the designated security provider.

The relevant server configuration in server.xml:

[Open Liberty code snippet (image); the code sample is in the GitHub repository]

The oidcLogin element has numerous configuration options in Open Liberty. With Azure AD, most of them are not required, and you can use only the few options shown in the code example. This is because Azure AD supports discovery endpoints, as the code example shows. Discovery endpoints allow most of the OpenID Connect configuration (authorization, token, and JWKS endpoints, issuer, and so on) to be retrieved automatically by the client, which greatly simplifies configuration. In addition, Azure AD instances follow a known pattern for discovery endpoint URLs, allowing us to parameterize the URL with a tenant ID. Along with that, a client ID and secret are needed. RS256 must be used as the signature algorithm with Azure AD.

The userNameAttribute parameter maps a token claim from Azure AD to a unique subject identity in Liberty. There are a number of Azure AD token claims you can use, which are listed here. Do be careful, as the claims that exist for v1.0 and v2.0 tokens differ (v2.0 does not support some v1.0 claims). Either preferred_username or oid can be used safely, although in most cases you will probably want preferred_username.

Azure AD endpoints present a certificate issued under a public root CA (Microsoft's public certificate chain), and that root is already included in the JVM's default cacerts truststore. Trusting the JVM default cacerts, by setting trustDefaultCerts to true on the defaultSSLConfig ssl element, ensures a successful SSL handshake between the OIDC client and Azure AD.

In our case, we assign every user authenticated through Azure AD the users role. More complex role mappings are possible with Liberty if desired.
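The configuration described above, written out as an added server.xml example (this is not the snippet from the original post or the sample repository): the feature list, the oidcLogin element parameterized on the tenant ID, the ssl element that trusts the JVM default cacerts, and the role mapping that grants every authenticated Azure AD user the users role. The variable names tenant.id, client.id and client.secret, the id values, and the application name javaee-cafe are assumptions; the discovery endpoint URL follows the standard Azure AD v2.0 pattern.

```xml
<server description="defaultServer">
    <featureManager>
        <feature>javaee-8.0</feature>
        <feature>socialLogin-1.0</feature>
    </featureManager>

    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>

    <!-- Keep the secret out of server.xml: supply tenant.id, client.id and client.secret
         through bootstrap.properties, server.env or -D JVM options (variable names are
         assumptions for this example). -->

    <!-- OpenID Connect client backed by Azure AD. Discovery retrieves the authorization,
         token, JWKS and issuer details, so only these few attributes are needed. -->
    <oidcLogin id="liberty-aad-oidc"
               clientId="${client.id}"
               clientSecret="${client.secret}"
               discoveryEndpoint="https://login.microsoftonline.com/${tenant.id}/v2.0/.well-known/openid-configuration"
               signatureAlgorithm="RS256"
               userNameAttribute="preferred_username"/>

    <!-- Azure AD's certificate chains to a public root already in the JVM cacerts, so
         trusting the JVM defaults is enough for the TLS handshake to the Azure AD endpoints. -->
    <ssl id="defaultSSLConfig" trustDefaultCerts="true"/>

    <!-- Every user Azure AD authenticates is mapped to the Java EE role "users". -->
    <webApplication id="javaee-cafe" contextRoot="/" location="javaee-cafe.war">
        <application-bnd>
            <security-role name="users">
                <special-subject type="ALL_AUTHENTICATED_USERS"/>
            </security-role>
        </application-bnd>
    </webApplication>
</server>
```

Liberty's social login feature handles the callback at https://host:httpsPort/ibm/api/social-login/redirect/ followed by the oidcLogin id (liberty-aad-oidc in this example). Register exactly that URL as the redirect URI in the Azure AD application registration; Azure AD matches redirect URIs exactly, which is what stops an authorization code from being delivered anywhere else.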

Use OpenID Connect to authenticate users

The sample application exposes a JSF client, which defines a Java EE security constraint so that only users with the role users can access it.

The relevant configuration in web.xml:

[Open Liberty code snippet (image); the code sample is in the GitHub repository]

Workflow

[Image 1: OpenID Connect sign-in and token acquisition flow, from Microsoft identity platform and OpenID Connect protocol]

This is standard Java EE security. When an unauthenticated user attempts to access the JSF client, they are redirected to Microsoft to provide their Azure AD credentials. Upon success, the browser is redirected back to the client with an authorization code. The client then contacts Microsoft again with the authorization code, client ID and secret to obtain an ID token and an access token, and finally creates an authenticated user on the client, which is then granted access to the JSF client.

To get the authenticated user's information, use the @Inject annotation to obtain a reference to javax.security.enterprise.SecurityContext and call its getCallerPrincipal() method:

[Open Liberty code snippet (image); the code sample is in the GitHub repository]

Secure internal REST calls using JWT RBAC

The Cafe bean depends on CafeResource, a REST service built with JAX-RS, to create, read, update and delete coffees. CafeResource implements RBAC (role-based access control) using MicroProfile JWT to verify the groups claim of the token.

[Open Liberty code snippet (image); the code sample is in the GitHub repository]

The admin.group.id value is injected into the application at startup using MicroProfile Config and the ConfigProperty annotation. MicroProfile JWT lets you @Inject the JWT (JSON Web Token). The CafeResource REST endpoint receives the JWT carrying the preferred_username and groups claims from the ID token issued by Azure AD in the OpenID Connect authorization workflow. The ID token can be retrieved using the com.ibm.websphere.security.social.UserProfileManager and com.ibm.websphere.security.social.UserProfile APIs.
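The following is an added example of the RBAC check just described, not the sample repository's CafeResource: the REST resource compares the token's groups claim against the configured admin group ID, and a small caller-side helper shows how the ID token is obtained through UserProfileManager for propagation as a Bearer token. The resource path, the method set, the helper class name and the getRawIdToken() accessor on the IdToken interface are assumptions; the rest uses the JAX-RS, MicroProfile Config and MicroProfile JWT APIs named in the text.

```java
import java.util.Set;

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.jwt.JsonWebToken;

import com.ibm.websphere.security.openidconnect.token.IdToken;
import com.ibm.websphere.security.social.UserProfile;
import com.ibm.websphere.security.social.UserProfileManager;

@Path("coffees") // path is an assumption for this example
@RequestScoped
public class CafeResource {

    // Object ID of the Azure AD security group whose members may administer coffees.
    // Supplied through MicroProfile Config (microprofile-config.properties, a system
    // property, or the ADMIN_GROUP_ID environment variable).
    @Inject
    @ConfigProperty(name = "admin.group.id")
    private String adminGroupId;

    // The validated MicroProfile JWT. The mpJwt element in server.xml has already checked
    // the RS256 signature against Azure AD's JWKS plus issuer, audience and expiry, so a
    // missing or invalid token is rejected before any method here runs.
    @Inject
    private JsonWebToken jwtPrincipal;

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response getAllCoffees() {
        // Any authenticated caller may read; jwtPrincipal.getName() is preferred_username.
        return Response.ok("[]").build(); // constructed placeholder payload
    }

    @DELETE
    @Path("{id}")
    public Response deleteCoffee(@PathParam("id") Long coffeeId) {
        if (!isAdmin()) {
            // Authenticated but not authorized: answer 403, not 401.
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // ... remove the coffee with the given id ...
        return Response.noContent().build();
    }

    /** RBAC decision: the groups claim must contain the configured admin group object ID. */
    private boolean isAdmin() {
        Set<String> groups = jwtPrincipal.getGroups();
        return groups != null && adminGroupId != null && groups.contains(adminGroupId);
    }
}

/** Caller side (used by the Cafe bean): the raw ID token to send as "Authorization: Bearer ...". */
class IdTokenSupport { // class name is an assumption

    static String currentIdTokenJwt() {
        UserProfile profile = UserProfileManager.getUserProfile();
        if (profile == null) {
            return null; // no social-login session on this thread
        }
        IdToken idToken = profile.getIdToken();
        // getRawIdToken() is assumed to return the compact JWT string; confirm against
        // the Liberty IdToken javadoc before relying on it.
        return idToken == null ? null : idToken.getRawIdToken();
    }
}
```

Comparing against the group's object ID rather than a display name matters: Azure AD emits group object IDs in the groups claim, and an ID is stable and unique where a display name is neither.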

Here is the relevant configuration snippet in server.xml:

[Open Liberty code snippet (image); the code sample is in the GitHub repository]

Note that the groups claim is not propagated by default and requires additional Azure AD configuration. To add a groups claim to the ID token, you need to create a group of type 'Security' in Azure AD and add one or more members to it. In the application registration created as part of the Azure AD configuration, you also need to: find 'Token configuration' > select 'Add groups claim' > select 'Security groups' as the group type to include in the ID token > expand 'ID' and select 'Group ID' in the 'Customize token properties by type' section. Learn more details from these articles:
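An added server.xml example for the MicroProfile JWT side (not the snippet from the original post or the sample repository), showing how the Bearer token on REST calls is validated against Azure AD and how the claims named above are mapped. The variable names tenant.id and client.id, the id values, and the /rest URL pattern are assumptions; the JWKS and issuer URLs follow the standard Azure AD v2.0 pattern.

```xml
<server description="defaultServer">
    <featureManager>
        <feature>javaee-8.0</feature>
        <feature>socialLogin-1.0</feature>
        <feature>mpJwt-1.1</feature>
    </featureManager>

    <!-- Validates the JWT on REST calls: RS256 signature against Azure AD's published keys,
         issuer pinned to this tenant, audience pinned to this application's client ID.
         preferred_username becomes the principal name; the groups claim feeds
         JsonWebToken.getGroups(), which the RBAC check in CafeResource compares against
         admin.group.id. -->
    <mpJwt id="jwtUserRoles"
           jwksUri="https://login.microsoftonline.com/${tenant.id}/discovery/v2.0/keys"
           issuer="https://login.microsoftonline.com/${tenant.id}/v2.0"
           audiences="${client.id}"
           userNameAttribute="preferred_username"
           authFilterRef="mpJwtAuthFilter"/>

    <!-- Apply JWT authentication only to the REST paths; the JSF pages keep using oidcLogin. -->
    <authFilter id="mpJwtAuthFilter">
        <requestUrl id="restUrls" urlPattern="/rest" matchType="contains"/>
    </authFilter>
</server>
```

Pinning issuer and audiences is the part worth checking twice: without them a signed token from another tenant, or one issued to a different application in the same tenant, would still carry a valid Azure AD signature. The admin.group.id value itself is ordinary MicroProfile Config, so it can be set as a system property or as the ADMIN_GROUP_ID environment variable without rebuilding the application.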

Summary

In this blog entry, we demonstrated how to effectively secure an Open Liberty application using OpenID Connect and Azure Active Directory. This write-up and the underlying official Azure sample should also work unchanged on WebSphere Liberty. This effort is part of a broader collaboration between Microsoft and IBM to provide better guidance and tools for developers using Java EE, Jakarta EE (Java EE has been transferred to the Eclipse Foundation as Jakarta EE under vendor-neutral open source governance), and MicroProfile (a set of open source specifications that build on Java EE technologies and target the microservices domain) on Azure.

We would like to hear from you about what kind of tools and guidance you need. If possible, please fill out a five-minute survey on this topic and share your valuable feedback, especially if you are interested in working closely with us (at no cost) on a cloud migration case.

 




