The OAuth 2.0 authorization framework enables a third-party client application to obtain limited access to resources or services. OAuth 2.0 defines mechanisms to acquire and use tokens to access protected resources, but does not define standard methods to provide identity information.
OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. With OpenID Connect, the client application can verify the identity, and obtain basic profile information about the end-user.
You can set up an authentication flow using OAuth 2.0 and OpenID Connect in My webMethods Server, and log in to My webMethods with credentials from an external identity provider, for example Google, Twitter, or Salesforce.
Submitted by: Meglena Atanasova, Software AG, November 2016
Table of contents:
- How it works
- Configuration overview
- Registering with provider
- Configuring OAuth2 Authentication
- Inporting an OAuth2 Authentication
- Customizing the My webMethods Login Page
- Creating a custom My webMethods login page
- Adding a custom login rule
- Login Page Examples
- Creating a custom service that registers My webMethods Server users
- Configure My webMethods Server to use a custom service for registering users
How it works
With an OAuth2 authentication flow, users can login to My webMethods Server using accounts from Google, Twitter, Salesforce, or another identity provider that supports the OAuth 2.0/Open ID Connect protocols and exposes a discovery service. An administrator can control what server resources, or layered products such users can access, based on user roles. In turn, roles can be configured to accept claims, provided by the identity provider to determine user membership dynamically at login. You can configure multiple OAuth2 services for different identity providers in My webMethods Server.
Configuration overview
- Register My webMethods Server with the authorization server/identity provider.
- Configure a new OAuth2 service in My webMethods Server.
- Customize the My webMethods login page, or create a custom login page that redirects to the identity provider.
- Create a custom login rule to provide the new login options to My webMethods users.
Optionally, you can create a service that registers internal My webMethods Server users for the external user accounts.
Registering with provider
Register My webMethods as a client application, following the instructions in the provider documentation.
You will need the following information from the registration to setup the OAuth2 service in My webMethods Server later:
- The URL of the discovery service of your OpenID Provider
- The OAuth 2.0 Client Identifier for My webMethods Server
- The OAuth 2.0 Client Secret for My webMethods Server
- The redirection URLs, preregistered at the OpenID Provider
- The access claim that allows registering users in My webMethods Server
Configuring OAuth2 Authentication
As sysadmin:
- Navigate to Folders > My webMethods Applications > Fabric Tasks > Administration > My webMethods > OAuth2 Administration.
- On the Add OAuth Configuration tab, enter the details from you registration with the OAuth/OpenID Connect provider.
- In the Access Claim field, enter the access claim that allows registering system users in My webMethods Server. For more information about available claims, see the provider documentation.
- Submit your changes, open the newly created Oauth2 configuration and copy the Auth URL to create a custom login control later.
Inporting an OAuth2 Authentication
With an xmlImport.xml file:
Alternatively, you can create an xmlImport file following the example below and deploy it to My webMethods Server:
<CONFIG>
<CONTEXT alias="oauth.folder.portlets.admin">
<wm_xt_oauthsvc___oauthadminportlet accessClaimStr=“your_access_claim" attributeClaimsStr=“your_attribute_claim" clientIdStr=“your_client_id" clientSecretStr=“your_client_secret"discoveryDocUrlStr="https://provider_discovery_service_url" name="custom_oauth_service_name" providerNameStr="identity_provider_name" redirectUrlStr="mws_url" roleNameStr="custom_role_name" scopeStr=“openid,profile,email" serviceEnabled="true"sortID="number" userAlias="oauth.folder.portlets.admin"></wm_xt_oauthsvc___oauthadminportlet>
</CONTEXT>
</CONFIG>
Note: If using a custom login portlet, substitute the value of the userAlias attribute with the alias of your portlet.
Customizing the My webMethods Login Page
You can modify the My webMethods login page to include a preconfigured “Login with ProviderName” button:
- Navigate to Folders > System > Portlets > Administration > OAuth Provider Configurations.
- Click Tools > Edit page, and then drag the Login portlet to the OAuth Provider Configurations page.
- If required, modify the Portlet Preferences and save your changes.
Creating a custom My webMethods login page
Alternatively, you can build an entirely custom login page instead of using the preconfigured button:
- Create and deploy to My webMethods Server a portlet application, You portlet must include a control with a link to the endpoint URI of your identity provider. This is the Auth URL, generated by My webMethods Server when creating the OAuth configuration.
- Create a custom page and add both the system Login portlet and your custom portlet to it.
- Enter a custom page alias. The custom page alias is required to a custom login rule later.
Adding a custom login rule
- Navigate to Folders > Administrative Folders > Administration Dashboard > User Interface > Manage Login Page Rules and create a new custom login rule.
- For result, enter the alias of the OAuth Configurations page (oauth.folder.portlets.admin), or the alias of your custom login portlet.
- Modify the rule evaluation order to include the newly created rule at the top.
Login Page Examples
With the preconfigured login button
With a custom portlet and a login link:
Creating a custom service that registers My webMethods Server users
- Create a web application project, add a class that implements IOAuthUserService:
package com.softwareag.univoauthsvc;
import com.webmethods.portal.portlet.wm_xt_oauthsvc.model.IOAuthUserService;
public class DummyCreateUserStrategy implements IOAuthUserService {
}
2. Create a BND file with export package instructions as follows:
Service-Component: OSGI-INF/*
Export-Package: com.softwareag.univoauthsvc,\
*
3. Register your service as an OSGI declarative service by adding an xml file in the OSGI-INF directory of the project:
<?xml version="1.0" encoding="UTF-8"?>
<component name="DummyCreateUserStrategy">
<service>
<provide interface='com.webmethods.portal.portlet.wm_xt_oauthsvc.model.IOAuthUserService'/>
</service>
<implementation class='com.softwareag.univoauthsvc.DummyCreateUserStrategy'/>
</component>
Configure My webMethods Server to use a custom service for registering users
Create new, or modify an existing Oauth2 Configuration to use the newly created service. On the OAuth Configuration Properties page:
- For User Service, enter the name of your custom service.
- For Role Name, enter the name of the role to which My webMethods Server will assign the newly registered users. The role will be created automatically, and selected claims will be added as dynamic role attributes. If you do not specify a role name, My webMethods Server assigns users to the default role OAuthSinkRole.
- For Role Name Attributes, enter a list of comma-separated values for the claims to add as membership attributes of the role.