OpenID Connect – Username and password
This authenticator performs username/password authentication of the end user in OpenID Connect scenarios; it implements the authorization-endpoint step of the flow, validating the supplied credentials and issuing the authorization code that is later exchanged at the token endpoint.
Configuration Properties
Example configuration
An LDAP user store is used in this example: the user is looked up by `uid` and then authenticated by binding to the directory with the submitted password. Note that the connection below uses plain LDAP on port 389 with `use_ssl` set to `false`, so both the directory bind password and the end users' passwords would cross the network unencrypted — enable LDAPS/TLS (and keep `ssl_trust_all` at `false`) for anything other than a local test setup.
HTTP Authenticators
{
"id" : "unpw",
"alias" : "unpw",
"name" : "OIDCPostUidAndPassword",
"configuration" : {
"pipeID" : "UserLookupAndAuthWithLDAP",
"allowedRP": [
"myApp"
]
}
}
Pipe
{
"id" : "UserLookupAndAuthWithLDAP",
"valves" : [ {
"name" : "LDAPSearchValve",
"config" : {
"connection_ref" : "local_ldap",
"base_dn" : "ou=users,dc=demo,dc=phenixid,dc=se",
"scope" : "SUB",
"size_limit" : "0",
"filter_template" : "(&(objectclass=*)(uid={{request.username}}))",
"attributes" : "commonName,uid,mail,mobile"
}
}, {
"name" : "LDAPBindValve",
"config" : {
"connection_ref" : "local_ldap",
"password_param_name" : "password"
}
} ,{
"name" : "SessionLoadValve",
"config" : {
"id" : "{{request.session_id}}"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "redirect_uri",
"value": "{{request.redirect_uri}}"
}
},
{
"name": "PropertyAddDateTimeValve",
"config": {
"name": "time",
"format": "n"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "tmpcode",
"value": "{{item.time}}{{request.username}}{{request.client_id}}"
}
},
{
"name": "PropertyStringBase64EncoderValve",
"config": {
"source": "tmpcode",
"dest": "code"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "state",
"value": "{{request.state}}"
}
},
{
"name": "SessionClearAllAliasVavle",
"config": {}
},
{
"name": "SessionBindValve",
"config": {
"alias": "{{item.code}}"
}
},
{
"name": "PropertyKeepValve",
"config": {
"name": "redirect_uri,state,code"
}
}
]
}
Database Connection
{
"id" : "local_ldap",
"type" : "ldap",
"description" : "Connection to local OpenDJ",
"config" : {
"host" : "localhost",
"port" : "389",
"bind_dn" : "cn=Directory Manager",
"password" : "{enc}D5rVvfE+HpfoHagoMv1r1oy91oDYX44eObCS6qCLh9I=",
"use_ssl" : "false",
"ssl_trust_all" : "false",
"follow_referrals" : "false",
"auto_reconnect" : "true",
"use_keep_alive" : "true",
"response_timeout_ms" : "30000",
"pool_initial_size" : "1",
"pool_max_size" : "2"
}
}
Notes
Please be aware that this authenticator alone is not sufficient to complete a full OpenID Connect authentication scenario! It only covers the authorization-endpoint part; to complete the setup with the token endpoint configuration, please view this document. Also note that the example pipe is illustrative rather than hardened: the authorization `code` is a Base64 encoding of the current time, the username and the client ID, which is predictable and reversible rather than a random single-use value, and the `redirect_uri` is copied straight from the request with no visible validation against the registered URIs of the allowed RP. Review these steps (and confirm that `LDAPSearchValve` escapes LDAP filter metacharacters in `request.username` before it is substituted into `filter_template`) before using this configuration in production.