How to setup the HTTP API for OpenID Connect UserInfo

Prerequisites

- PAS 2.7 installed

- The PhenixID OIDC token endpoint must have returned an access_token whose value is bound to the session as an alias.

- User information must have been stored in the session during authentication (using the session* valves in the pipe). Consult the valves documentation for usage examples.

- A proxy (such as Apache) in front of the PAS server

Proxy config

Add this rule to your proxy server (the example below is for Apache) and restart the proxy to make it effective.

<Location /api/authentication/userinfo>
    # Capture the last 36 characters of the Authorization header value
    # (the access_token that follows "Bearer ") into an environment variable
    SetEnvIfNoCase Authorization "(.{36}\z)" HTTP_AUTHORIZATION=$1
    # Forward the captured token to PAS in an access_token request header
    RequestHeader set access_token "%{HTTP_AUTHORIZATION}e"
    # Do not pass the original Authorization header on to PAS
    RequestHeader unset Authorization
</Location>
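To check what the proxy rule above hands to PAS before relying on it, here is an added Python model of the header rewrite (example code written for this page, not part of the PhenixID product or the original document). It applies the same regex to the Authorization header value and makes visible that the rule assumes a token of exactly 36 characters; all header values are constructed samples.

```python
import re

# Regex from the Apache rule above: capture the final 36 characters of the
# Authorization header value. Apache (PCRE) writes end-of-subject as "\z";
# the Python equivalent is "\Z". SetEnvIfNoCase makes the match case-insensitive.
TOKEN_RE = re.compile(r"(.{36}\Z)", re.IGNORECASE)


def extract_token(authorization):
    """Return what $1 would hold for this Authorization header value, or None."""
    m = TOKEN_RE.search(authorization)
    return m.group(1) if m else None


def rewrite_headers(headers):
    """Model the <Location /api/authentication/userinfo> block.

    Simplification (an assumption, not Apache's exact behaviour): when the
    regex does not match, no access_token header is produced at all.
    Header names are compared case-insensitively, as HTTP requires.
    """
    forwarded = {}
    authorization = None
    for name, value in headers.items():
        if name.lower() == "authorization":
            authorization = value            # RequestHeader unset Authorization
        else:
            forwarded[name] = value
    if authorization is not None:
        token = extract_token(authorization)
        if token is not None:
            forwarded["access_token"] = token  # RequestHeader set access_token
    return forwarded


if __name__ == "__main__":
    # Constructed sample values; the UUID-shaped token is 36 characters long.
    good = "Bearer 0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9"
    short = "Bearer abc123"            # too short: nothing is captured
    long_ = "Bearer " + "x" * 40       # too long: only the tail is captured
    for value in (good, short, long_):
        print(repr(value), "->", extract_token(value))
    print(rewrite_headers({"Host": "pas.example.test", "Authorization": good}))
```

A token that is not exactly 36 characters long is either dropped or truncated by the rule, so the SessionResolveValve later in this guide will not find a matching alias.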

Add local http-api module

- Login to configuration manager

- Click the Advanced tab

- Open Modules (click on the pen)

- Add this module (if the module is already added, only add the tenant and/or allowedOperation):

{
	"module": "com.phenixidentity~phenix-api-authenticate",
	"enabled": "true",
	"config": {
		"tenant": [
			{
				"id": "t1",
				"displayName": "Tenant1",
				"allowedOperation": [
					"userinfo"
				]
			}
		]
	},
	"id": "authapi_module"
}

- Click Stage Changes and Commit Changes

- Open NODE_GROUPS (click on the pen)

- Add the id of the newly added module to module_refs (example below). You can skip this step if the module was already added.

{
	"name": "WIN-DHB3ICNDG4E",
	"description": "Default node (created automatically)",
	"config": {
		"module_refs": "authapi_module,sealapp,signapp_1,......"
	},
	"created": "2017-07-03T11:38:03.135Z",
	"id": "493afd0e-0fe8-40e4-b1a1-a24a5e2df6e2",
	"modified": "2017-07-03T14:39:43.257Z"
}

- Click Stage Changes and Commit Changes


Add pipes to retrieve UserInfo

In this example, no client certificate is used. Read the Valves documentation on how to configure a client certificate for the pipe.

- Click the Advanced tab

- Open Pipes (click on the pen)

- Add this pipe.

{
	"id": "userinfo",
	"valves": [
		{
			"name": "SessionResolveValve",
			"config": {
				"alias": "{{request.access_token}}",
				"require_session": "true",
				"require_auth_session": "false"
			}
		},
		{
			"name": "ItemCreateValve",
			"config": {
				"dest_id": "userinfo_props"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "name",
				"value": "{{session.name}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "given_name",
				"value": "{{session.givenName}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "family_name",
				"value": "{{session.sn}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "email",
				"value": "{{session.mail}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "phone_number",
				"value": "{{session.mobile}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "sub",
				"value": "{{session.user_id}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "employee_role",
				"value": "{{session.role}}"
			}
		}
	],
	"created": "2017-11-13T09:53:46.595Z"
}

- Remove or add claims above to suit your environment

- Change the mapping from claim name to session attribute name to suit your environment

- If additional SQL or LDAP lookups should be performed, consult the valves documentation to add such lookups.

- Click Stage Changes and Commit Changes

Test

Use an HTTP REST client for testing and debugging. Follow the document Using PhenixID HTTP API for UserInfo to structure the HTTP requests properly.