OpenID Connect – Username and PhenixID OneTouch

This authenticator handles username plus PhenixID OneTouch authorization in OpenID Connect scenarios: the user is prompted for a username, looked up through a pipe, and then approves the login with a OneTouch assignment pushed to their device.

Configuration Properties

| Name | Description | Default value | Mandatory |
|---|---|---|---|
| loginTemplate | Template to use for the user interface (username prompt). | ot_login.template | No |
| userNameParamName | Name of the username request parameter. | username | No |
| pipeID | Id of the pipe used to validate the username. | | Yes |
| servicename | Service name (used in the PhenixID OneTouch assignment). | PhenixID | No |
| clientTemplate | Assignment template file. | onetouchhtml | No |
| notify | Send a push notice to the client. | true | No |
| pollingTemplate | Template file used to display the polling page. | onetouchpoll.template | No |
| allowedRP | Array of relying parties (client_id:s) allowed to use this authorization endpoint. | | Yes |
| requireConsent | Present a consent screen (true/false) to the end user. | false | No |
| consentTemplate | Template file to use for consent. | oidcconsent | No |

Example configuration

An LDAP user store is used in this example.

HTTP Authenticators

{
  "id" : "unot",
  "alias" : "unot",
  "name" : "OIDCUidOneTouch",
  "configuration" : {
    "pipeID" : "UserLookupWithLDAP",
    "allowedRP" : [
      "myApp"
    ]
  }
}

Pipe

{
  "id" : "UserLookupWithLDAP",
  "valves" : [ {
    "name" : "LDAPSearchValve",
    "config" : {
      "connection_ref" : "local_ldap",
      "base_dn" : "ou=users,dc=demo,dc=phenixid,dc=se",
      "scope" : "SUB",
      "size_limit" : "0",
      "filter_template" : "(&(objectclass=*)(uid={{request.username}}))",
      "attributes" : "commonName,uid,mail,mobile"
    }
  }, {
    "name" : "SessionLoadValve",
    "config" : {
      "id" : "{{request.session_id}}"
    }
  }, {
    "name" : "PropertyAddValve",
    "config" : {
      "name" : "redirect_uri",
      "value" : "{{request.redirect_uri}}"
    }
  }, {
    "name" : "PropertyAddDateTimeValve",
    "config" : {
      "name" : "time",
      "format" : "n"
    }
  }, {
    "name" : "PropertyAddValve",
    "config" : {
      "name" : "tmpcode",
      "value" : "{{item.time}}{{request.username}}{{request.client_id}}"
    }
  }, {
    "name" : "PropertyStringBase64EncoderValve",
    "config" : {
      "source" : "tmpcode",
      "dest" : "code"
    }
  }, {
    "name" : "PropertyAddValve",
    "config" : {
      "name" : "state",
      "value" : "{{request.state}}"
    }
  }, {
    "name" : "SessionClearAllAliasValve",
    "config" : {}
  }, {
    "name" : "SessionBindValve",
    "config" : {
      "alias" : "{{item.code}}"
    }
  }, {
    "name" : "PropertyKeepValve",
    "config" : {
      "name" : "redirect_uri,state,code"
    }
  } ]
}
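
To make the valve chain above easier to follow, here is an added Python model of what the UserLookupWithLDAP pipe does to a request, valve by valve. This is illustrative code written for this page, not PhenixID's implementation: the directory, session store and request values are constructed stand-ins, the allowedRP check from the authenticator block is folded in before the pipe runs, the "n" date format is assumed to be a numeric epoch timestamp, and the Base64 valve is assumed to use standard Base64. The model ends with the redirect back to the relying party that carries the kept `code` and `state` properties.

```python
import base64
import time
from urllib.parse import urlencode

# Mirrors "allowedRP" from the HTTP Authenticators block.
ALLOWED_RP = {"myApp"}

# Constructed stand-in for the LDAP directory queried by LDAPSearchValve.
DIRECTORY = {
    "alice": {"commonName": "Alice Demo", "uid": "alice",
              "mail": "alice@demo.phenixid.se", "mobile": "+46700000000"},
}

# Constructed session store keyed by session id. "aliases" models what
# SessionClearAllAliasValve clears and SessionBindValve sets.
SESSIONS = {
    "sess-1": {"aliases": ["stale-alias"]},
}


class PipeError(Exception):
    """Raised when a valve cannot produce an item (unknown user, session, RP)."""


def is_allowed_rp(client_id):
    """allowedRP check performed by the authenticator before the pipe runs."""
    return client_id in ALLOWED_RP


def run_user_lookup_pipe(request, now_ts=None):
    """Simulate the UserLookupWithLDAP pipe.

    request: dict with username, client_id, redirect_uri, state, session_id.
    now_ts: epoch seconds used for PropertyAddDateTimeValve (defaults to now).
    Returns the properties PropertyKeepValve retains: redirect_uri, state, code.
    """
    if not is_allowed_rp(request["client_id"]):
        raise PipeError("client_id not listed in allowedRP")

    # LDAPSearchValve: (&(objectclass=*)(uid={{request.username}})) -> one item
    user = DIRECTORY.get(request["username"])
    if user is None:
        raise PipeError("no user matched the filter")
    item = dict(user)

    # SessionLoadValve: load the session named by request.session_id
    session = SESSIONS.get(request["session_id"])
    if session is None:
        raise PipeError("session not found")

    # PropertyAddValve: redirect_uri
    item["redirect_uri"] = request["redirect_uri"]

    # PropertyAddDateTimeValve, format "n": assumed to be numeric epoch seconds
    item["time"] = str(int(now_ts if now_ts is not None else time.time()))

    # PropertyAddValve: tmpcode = {{item.time}}{{request.username}}{{request.client_id}}
    item["tmpcode"] = item["time"] + request["username"] + request["client_id"]

    # PropertyStringBase64EncoderValve: tmpcode -> code (standard Base64 assumed)
    item["code"] = base64.b64encode(item["tmpcode"].encode()).decode()

    # PropertyAddValve: state
    item["state"] = request["state"]

    # SessionClearAllAliasValve followed by SessionBindValve: the session is
    # now reachable only under the freshly issued code.
    session["aliases"] = [item["code"]]

    # PropertyKeepValve: keep redirect_uri, state and code, drop the rest
    return {k: item[k] for k in ("redirect_uri", "state", "code")}


def authorization_redirect(kept):
    """Redirect back to the RP, carrying the kept code and state."""
    query = urlencode({"code": kept["code"], "state": kept["state"]})
    return kept["redirect_uri"] + "?" + query


if __name__ == "__main__":
    req = {"username": "alice", "client_id": "myApp",
           "redirect_uri": "https://app.example/cb", "state": "xyz",
           "session_id": "sess-1"}
    print(authorization_redirect(run_user_lookup_pipe(req)))
```

Running the model shows the two things the configuration relies on: the session is bound under the Base64 code (so the token endpoint can later resolve the code back to the session by alias), and only `redirect_uri`, `state` and `code` survive PropertyKeepValve, so user attributes fetched by LDAPSearchValve never leave the pipe.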


Database Connection

{
  "id" : "local_ldap",
  "type" : "ldap",
  "description" : "Connection to local OpenDJ",
  "config" : {
    "host" : "localhost",
    "port" : "389",
    "bind_dn" : "cn=Directory Manager",
    "password" : "{enc}D5rVvfE+HpfoHagoMv1r1oy91oDYX44eObCS6qCLh9I=",
    "use_ssl" : "false",
    "ssl_trust_all" : "false",
    "follow_referrals" : "false",
    "auto_reconnect" : "true",
    "use_keep_alive" : "true",
    "response_timeout_ms" : "30000",
    "pool_initial_size" : "1",
    "pool_max_size" : "2"
  }
}

Notes

Please be aware that this authenticator alone is not sufficient to complete a full OpenID Connect authentication scenario. It covers only the authorization endpoint part. For the token endpoint configuration needed to complete the flow, please view this document.