OpenID Connect – Username and password

This authenticator performs username and password authentication at the OpenID Connect authorization endpoint (the end user is prompted for a username and a password, which are validated by a pipe).

Configuration Properties

Name                 Description                                                                  Default value    Mandatory
loginTemplate        Template to use for the user interface (username and password prompt).      login.template   No
userNameParamName    Name of the request parameter that carries the username.                    username         No
passworParamterName  Name of the request parameter that carries the password.                    password         No
pipeID               ID of the pipe used to validate the username and password.                                   Yes
allowedRP            Array of relying parties (client_ids) allowed to use this authorization endpoint.            Yes
requireConsent       Present a consent screen to the end user (true/false).                       false            No
consentTemplate      Template file to use for the consent screen.                                 oidcconsent      No

Example configuration

An LDAP user store is used in this example. The authenticator references the pipe by pipeID; the pipe looks the user up in LDAP, binds with the supplied password, and builds the code and state that are returned to the relying party.

HTTP Authenticators

{
  "id" : "unpw",
  "alias" : "unpw",
  "name" : "OIDCPostUidAndPassword",
  "configuration" : {
    "pipeID" : "UserLookupAndAuthWithLDAP",
    "allowedRP" : [
      "myApp"
    ]
  }
}

Pipe

{
  "id" : "UserLookupAndAuthWithLDAP",
  "valves" : [
    {
      "name" : "LDAPSearchValve",
      "config" : {
        "connection_ref" : "local_ldap",
        "base_dn" : "ou=users,dc=demo,dc=phenixid,dc=se",
        "scope" : "SUB",
        "size_limit" : "0",
        "filter_template" : "(&(objectclass=*)(uid={{request.username}}))",
        "attributes" : "commonName,uid,mail,mobile"
      }
    },
    {
      "name" : "LDAPBindValve",
      "config" : {
        "connection_ref" : "local_ldap",
        "password_param_name" : "password"
      }
    },
    {
      "name" : "SessionLoadValve",
      "config" : {
        "id" : "{{request.session_id}}"
      }
    },
    {
      "name" : "PropertyAddValve",
      "config" : {
        "name" : "redirect_uri",
        "value" : "{{request.redirect_uri}}"
      }
    },
    {
      "name" : "PropertyAddDateTimeValve",
      "config" : {
        "name" : "time",
        "format" : "n"
      }
    },
    {
      "name" : "PropertyAddValve",
      "config" : {
        "name" : "tmpcode",
        "value" : "{{item.time}}{{request.username}}{{request.client_id}}"
      }
    },
    {
      "name" : "PropertyStringBase64EncoderValve",
      "config" : {
        "source" : "tmpcode",
        "dest" : "code"
      }
    },
    {
      "name" : "PropertyAddValve",
      "config" : {
        "name" : "state",
        "value" : "{{request.state}}"
      }
    },
    {
      "name" : "SessionClearAllAliasValve",
      "config" : {}
    },
    {
      "name" : "SessionBindValve",
      "config" : {
        "alias" : "{{item.code}}"
      }
    },
    {
      "name" : "PropertyKeepValve",
      "config" : {
        "name" : "redirect_uri,state,code"
      }
    }
  ]
}
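To make the valve sequence above concrete, here is an added example (not PhenixID code) that simulates the pipe in memory, valve by valve, and shows what the authorization endpoint hands back for one request. The directory, the session store and every helper name (DIRECTORY, SESSIONS, run_pipe, decode_code, session_for_code, EXAMPLE_REQUEST) are this example's own stand-ins, the rendering of date format "n" is assumed to be a plain numeric timestamp, and the RFC 4515 escaping in ldap_escape is what a practitioner would want to confirm the template engine does; the page does not say.

```python
"""Added example, not PhenixID code: in-memory simulation of the
UserLookupAndAuthWithLDAP pipe, to show what each valve contributes to
the authorization response. All names below are this example's own."""
import base64
import datetime
import hmac
from urllib.parse import urlencode

# Constructed stand-in for the OpenDJ directory under ou=users,dc=demo,dc=phenixid,dc=se
DIRECTORY = {
    "uid=alice,ou=users,dc=demo,dc=phenixid,dc=se": {
        "uid": "alice",
        "mail": "alice@demo.phenixid.se",
        "userPassword": "correct horse battery staple",
    },
}
ALLOWED_RP = ["myApp"]   # allowedRP from the authenticator configuration
SESSIONS = {}            # stand-in session store: session_id -> {"aliases": set()}

# Constructed request, as the authenticator would pass it to the pipe
EXAMPLE_REQUEST = {
    "username": "alice",
    "password": "correct horse battery staple",
    "client_id": "myApp",
    "redirect_uri": "https://myapp.example/cb",
    "state": "xyz",
    "session_id": "sess-1",
}
EXAMPLE_TIME = datetime.datetime(2024, 1, 1, 12, 0, 0)   # fixed so the output is reproducible


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter, e.g. the
    {{request.username}} in (&(objectclass=*)(uid={{request.username}})).
    Whether the template engine escapes the value itself is not stated on the page."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_search_valve(username):
    """Returns the rendered filter and the matching entries. An escaped filter
    matches the uid literally, so the stand-in compares uid for equality."""
    rendered = "(&(objectclass=*)(uid=%s))" % ldap_escape(username)
    matches = [(dn, e) for dn, e in DIRECTORY.items() if e["uid"] == username]
    return rendered, matches


def ldap_bind_valve(dn, password):
    """Stand-in for the LDAP simple bind that LDAPBindValve performs."""
    return hmac.compare_digest(DIRECTORY[dn]["userPassword"], password)


def decode_code(code):
    """Reverses PropertyStringBase64EncoderValve, to inspect what a code contains."""
    return base64.b64decode(code).decode()


def run_pipe(request, now):
    """Runs the valves in the order the pipe lists them and returns the kept item."""
    if request["client_id"] not in ALLOWED_RP:            # allowedRP check on the authenticator
        raise PermissionError("client_id not in allowedRP")
    _rendered, matches = ldap_search_valve(request["username"])
    if len(matches) != 1:                                  # LDAPSearchValve: need exactly one entry
        raise LookupError("user lookup failed")
    dn, _entry = matches[0]
    if not ldap_bind_valve(dn, request["password"]):       # LDAPBindValve
        raise PermissionError("bind failed")
    session = SESSIONS.setdefault(request["session_id"], {"aliases": set()})  # SessionLoadValve

    item = {"redirect_uri": request["redirect_uri"]}       # PropertyAddValve
    item["time"] = now.strftime("%Y%m%d%H%M%S")            # PropertyAddDateTimeValve (format "n" assumed numeric)
    item["tmpcode"] = item["time"] + request["username"] + request["client_id"]   # PropertyAddValve
    item["code"] = base64.b64encode(item["tmpcode"].encode()).decode()  # PropertyStringBase64EncoderValve
    item["state"] = request["state"]                       # PropertyAddValve
    session["aliases"].clear()                             # SessionClearAllAliasValve
    session["aliases"].add(item["code"])                   # SessionBindValve: alias = code
    return {k: item[k] for k in ("redirect_uri", "state", "code")}   # PropertyKeepValve


def authorization_response(kept):
    """The redirect that sends the browser back to the RP with code and state."""
    return kept["redirect_uri"] + "?" + urlencode({"code": kept["code"], "state": kept["state"]})


def session_for_code(code):
    """Resolves a code back to the session it is bound to, as a later lookup by alias would."""
    for sid, s in SESSIONS.items():
        if code in s["aliases"]:
            return sid
    return None


if __name__ == "__main__":
    kept = run_pipe(EXAMPLE_REQUEST, EXAMPLE_TIME)
    print(authorization_response(kept))
    print(decode_code(kept["code"]))   # time + username + client_id, nothing else
```

Running it prints the redirect to https://myapp.example/cb with code and state, and then the decoded code, which shows that in this example the code is a deterministic function of the timestamp, the username and the client_id rather than a random value; only the SessionBindValve alias ties it to the session. RFC 6749 section 10.10 requires authorization codes to be unguessable, so a production pipe should derive the code from a random source if the product provides one, and the ldap_escape check matters only if the template engine does not already escape the username before it enters the filter.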


Database Connection

{
  "id" : "local_ldap",
  "type" : "ldap",
  "description" : "Connection to local OpenDJ",
  "config" : {
    "host" : "localhost",
    "port" : "389",
    "bind_dn" : "cn=Directory Manager",
    "password" : "{enc}D5rVvfE+HpfoHagoMv1r1oy91oDYX44eObCS6qCLh9I=",
    "use_ssl" : "false",
    "ssl_trust_all" : "false",
    "follow_referrals" : "false",
    "auto_reconnect" : "true",
    "use_keep_alive" : "true",
    "response_timeout_ms" : "30000",
    "pool_initial_size" : "1",
    "pool_max_size" : "2"
  }
}

Notes

Please be aware that this authenticator on its own is not sufficient to complete a full OpenID Connect authentication scenario. It covers only the authorization endpoint. For the token endpoint configuration that completes the flow, see the separate document on that topic.

Two points about the example configuration: the local_ldap connection uses port 389 with use_ssl set to false, so the bind_dn password and every user password pass in cleartext between the server and the directory; that is acceptable only while both run on the same host (localhost, as here), otherwise enable use_ssl and keep ssl_trust_all false. Also, the code in the pipe is the Base64 encoding of the timestamp, username and client_id, bound to the session by SessionBindValve; it is not a random value, and RFC 6749 section 10.10 requires authorization codes to be unguessable.