<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>OpenID Support</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty"><link rel="up" href="configuring-security.html" title="Chapter&nbsp;7.&nbsp;Configuring Security"><link rel="prev" href="spnego-support.html" title="SPNEGO Support"><link rel="next" href="configuring-jsp.html" title="Chapter&nbsp;8.&nbsp;Configuring JSP Support"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><link rel="stylesheet" href="css/highlighter/foundation.css"><script src="js/highlight.pack.js"></script><script>
hljs.initHighlightingOnLoad();
</script><link type="text/css" rel="stylesheet" href="css/font-awesome/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small">
Version: 9.4.28-SNAPSHOT</span></td><td style="width: 50%"></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">OpenID Support</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="spnego-support.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a>&nbsp;</td><th width="60%" align="center">Chapter&nbsp;7.&nbsp;Configuring Security<br><a accesskey="p" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></th><td width="20%" align="right">&nbsp;<a accesskey="n" href="configuring-jsp.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at
<span class="website">www.webtide.com</span></a></h5><p>
private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ...
scalability guidance for your apps and Ajax/Comet projects ... development services for sponsored feature development
</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="openid-support"></a>OpenID Support</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="section"><a href="openid-support.html#_external_setup">External Setup</a></span></dt><dt><span class="section"><a href="openid-support.html#_distribution_configuration">Distribution Configuration</a></span></dt><dt><span class="section"><a href="openid-support.html#_embedded_configuration">Embedded Configuration</a></span></dt><dt><span class="section"><a href="openid-support.html#_scopes">Scopes</a></span></dt><dt><span class="section"><a href="openid-support.html#_roles">Roles</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_external_setup"></a>External Setup</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="_registering_an_app_with_openid_provider"></a>Registering an App with OpenID Provider</h4></div></div></div><p>You must register the app with an OpenID Provider such as Google or Amazon.
This will give you a Client ID and Client Secret.
Once set up, you must also register all the possible URIs for your webapp with the path <code class="literal">/j_security_check</code> so that the OpenID Provider will allow redirection back to the webapp.</p><p>These may look like:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><code class="literal">http://localhost:8080/openid-webapp/j_security_check</code></li><li class="listitem"><code class="literal">https://example.com/j_security_check</code></li></ul></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_distribution_configuration"></a>Distribution Configuration</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="_openid_provider_configuration"></a>OpenID Provider Configuration</h4></div></div></div><p>To enable OpenID support, you first need to activate the <code class="literal">openid</code> module in your implementation.</p><div class="screenexample"><pre class="screen">java -jar {JETTY_HOME}/start.jar --add-to-start=openid</pre></div><p>To configure OpenID authentication with Jetty you will need to specify the OpenID Provider&#8217;s issuer identifier (a case-sensitive URL using the <code class="literal">https</code> scheme) and the OAuth 2.0 Client ID and Client Secret.
If the OpenID Provider does not allow metadata discovery you will also need to specify the token endpoint and authorization endpoint of the OpenID Provider.
These can be set as properties in the <code class="literal">start.ini</code> or <code class="literal">start.d/openid.ini</code> files.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="_webapp_specific_configuration_in_web_xml"></a>WebApp Specific Configuration in web.xml</h4></div></div></div><p>The <code class="literal">web.xml</code> file needs some specific configuration to use OpenID.
There must be a <code class="literal">login-config</code> element with an <code class="literal">auth-method</code> value of <code class="literal">OPENID</code>, and a <code class="literal">realm-name</code> value of the exact URL string used to set the OpenID Provider.</p><p>To set the error page, set a context init parameter (<code class="literal">context-param</code>) named <code class="literal">"org.eclipse.jetty.security.openid.error_page"</code>; its value should be a path, relative to the webapp, to which authentication errors are redirected.</p><p>Example:</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code>&lt;login-config&gt;
&lt;auth-method&gt;OPENID&lt;/auth-method&gt;
&lt;realm-name&gt;https://accounts.google.com&lt;/realm-name&gt;
&lt;/login-config&gt;
&lt;context-param&gt;
&lt;param-name&gt;org.eclipse.jetty.security.openid.error_page&lt;/param-name&gt;
&lt;param-value&gt;/error&lt;/param-value&gt;
&lt;/context-param&gt;</code></pre></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_embedded_configuration"></a>Embedded Configuration</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="_define_the_literal_openidconfiguration_literal_for_a_specific_openid_provider"></a>Define the <code class="literal">OpenIdConfiguration</code> for a specific OpenID Provider.</h4></div></div></div><p>If the OpenID Provider allows metadata discovery then you can use.</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code>OpenIdConfiguration openIdConfig = new OpenIdConfiguration(ISSUER, CLIENT_ID, CLIENT_SECRET);</code></pre><p>Otherwise you can manually enter the necessary information:</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code>OpenIdConfiguration openIdConfig = new OpenIdConfiguration(ISSUER, TOKEN_ENDPOINT, AUTH_ENDPOINT, CLIENT_ID, CLIENT_SECRET);</code></pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="_configuring_an_literal_openidloginservice_literal"></a>Configuring an <code class="literal">OpenIdLoginService</code></h4></div></div></div><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" 
xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code>LoginService loginService = new OpenIdLoginService(openIdConfig);
securityHandler.setLoginService(loginService);</code></pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="_configuring_an_literal_openidauthenticator_literal_with_literal_openidconfiguration_literal_and_error_page_redirect"></a>Configuring an <code class="literal">OpenIdAuthenticator</code> with <code class="literal">OpenIdConfiguration</code> and Error Page Redirect</h4></div></div></div><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code>Authenticator authenticator = new OpenIdAuthenticator(openIdConfig, "/error");
securityHandler.setAuthenticator(authenticator);
servletContextHandler.setSecurityHandler(securityHandler);</code></pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="_usage"></a>Usage</h4></div></div></div><div class="section"><div class="titlepage"><div><div><h5 class="title"><a name="_claims_and_access_token"></a>Claims and Access Token</h5></div></div></div><p>Claims about the user can be found using attributes on the session attribute <code class="literal">"org.eclipse.jetty.security.openid.claims"</code>, and the full response containing the OAuth 2.0 Access Token can be found with the session attribute <code class="literal">"org.eclipse.jetty.security.openid.response"</code>.</p><p>Example:</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code>Map&lt;String, Object&gt; claims = (Map)request.getSession().getAttribute("org.eclipse.jetty.security.openid.claims");
String userId = (String)claims.get("sub"); // "sub" is the provider's stable identifier for the user
Map&lt;String, Object&gt; response = (Map)request.getSession().getAttribute("org.eclipse.jetty.security.openid.response");
String accessToken = (String)response.get("access_token"); // values are stored as Object, so a cast is required</code></pre></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_scopes"></a>Scopes</h3></div></div></div><p>The <code class="literal">openid</code> scope is always requested, but additional scopes can be requested to obtain additional resources or privileges.
For the Google OpenID Provider it can be useful to request the scopes <code class="literal">profile</code> and <code class="literal">email</code> which will give you additional user claims.</p><p>Additional scopes can be requested through the <code class="literal">start.ini</code> or <code class="literal">start.d/openid.ini</code> files, or with <code class="literal">OpenIdConfiguration.addScopes(...);</code> in embedded code.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_roles"></a>Roles</h3></div></div></div><p>If security roles are required they can be configured through a wrapped <code class="literal">LoginService</code> which is deferred to for role information by the <code class="literal">OpenIdLoginService</code>.</p><p>This can be configured in XML through <code class="literal">etc/openid-baseloginservice.xml</code> in the Distribution, or in embedded code using the constructor for the <code class="literal">OpenIdLoginService</code>.</p><pre xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><code>LoginService wrappedLoginService = ...; // Optional LoginService for Roles
LoginService loginService = new OpenIdLoginService(openIdConfig, wrappedLoginService);</code></pre><p>When using authorization roles, the setting <code class="literal">authenticateNewUsers</code> becomes significant.
If set to <code class="literal">true</code>, users not found by the wrapped <code class="literal">LoginService</code> will still be authenticated but will have no roles.
If set to <code class="literal">false</code>, those users will not be allowed to authenticate and are redirected to the error page.
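The embedded steps described on this page (an <code class="literal">OpenIdConfiguration</code>, an <code class="literal">OpenIdLoginService</code> wrapping a role-providing <code class="literal">LoginService</code> with <code class="literal">authenticateNewUsers</code> set to <code class="literal">false</code>, an <code class="literal">OpenIdAuthenticator</code> with an error page, a protected path, and a servlet that reads the claims from the session) combined into one runnable server. This is an added example, not code from the original page or from the Jetty project. It assumes a <code class="literal">HashLoginService</code> backed by <code class="literal">etc/openid-roles.properties</code> as the wrapped <code class="literal">LoginService</code>, the environment variable names <code class="literal">OPENID_CLIENT_ID</code> and <code class="literal">OPENID_CLIENT_SECRET</code>, the <code class="literal">/admin/*</code> and <code class="literal">/error</code> paths, the two servlet classes, and that <code class="literal">addScopes</code> accepts a varargs list of scope names.

```java
import java.io.IOException;
import java.util.Map;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.openid.OpenIdAuthenticator;
import org.eclipse.jetty.security.openid.OpenIdConfiguration;
import org.eclipse.jetty.security.openid.OpenIdLoginService;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.security.Constraint;

public class OpenIdEmbeddedExample
{
    // Issuer identifier: the case-sensitive https URL exactly as the provider publishes it.
    private static final String ISSUER = "https://accounts.google.com";

    public static void main(String[] args) throws Exception
    {
        // Client ID and secret are read from the environment so the secret is never
        // compiled into the application (the variable names are assumptions).
        String clientId = System.getenv("OPENID_CLIENT_ID");
        String clientSecret = System.getenv("OPENID_CLIENT_SECRET");
        if (clientId == null || clientSecret == null)
            throw new IllegalStateException("OPENID_CLIENT_ID and OPENID_CLIENT_SECRET must be set");

        // The provider supports metadata discovery, so the three-argument constructor suffices.
        OpenIdConfiguration openIdConfig = new OpenIdConfiguration(ISSUER, clientId, clientSecret);
        // Scopes beyond "openid"; these add the email and profile claims.
        openIdConfig.addScopes("email", "profile");

        // Wrapped LoginService that only supplies roles. User names in the properties
        // file must match the "sub" claim the provider returns (file path is an assumption).
        LoginService roleService = new HashLoginService("OpenID Roles", "etc/openid-roles.properties");
        OpenIdLoginService loginService = new OpenIdLoginService(openIdConfig, roleService);
        // Users unknown to the wrapped LoginService are rejected and redirected to /error.
        loginService.setAuthenticateNewUsers(false);

        ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
        securityHandler.setLoginService(loginService);
        securityHandler.setAuthenticator(new OpenIdAuthenticator(openIdConfig, "/error"));

        // Everything under /admin/* requires an authenticated user holding the "admin" role.
        Constraint constraint = new Constraint();
        constraint.setName("openid-admin");
        constraint.setAuthenticate(true);
        constraint.setRoles(new String[] { "admin" });
        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setPathSpec("/admin/*");
        mapping.setConstraint(constraint);
        securityHandler.addConstraintMapping(mapping);

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        context.setSecurityHandler(securityHandler);
        context.addServlet(WhoAmIServlet.class, "/admin/whoami");
        context.addServlet(ErrorServlet.class, "/error");

        Server server = new Server(8080);
        server.setHandler(context);
        server.start();
        server.join();
    }

    // Reads the claims the authenticator stored in the session. The response attribute
    // holding the access token is deliberately not written to the page.
    public static class WhoAmIServlet extends HttpServlet
    {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException
        {
            Object claims = req.getSession().getAttribute("org.eclipse.jetty.security.openid.claims");
            String subject = claims instanceof Map ? String.valueOf(((Map)claims).get("sub")) : "unknown";
            resp.setContentType("text/plain");
            resp.getWriter().println("Authenticated subject: " + subject);
            resp.getWriter().println("Remote user: " + req.getRemoteUser());
        }
    }

    // Target of the error-page redirect configured on the OpenIdAuthenticator.
    public static class ErrorServlet extends HttpServlet
    {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException
        {
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            resp.setContentType("text/plain");
            resp.getWriter().println("OpenID authentication failed or the user is not authorised");
        }
    }
}
```

With <code class="literal">authenticateNewUsers</code> left at <code class="literal">false</code>, a user who signs in successfully at the provider but has no entry in the properties file is still sent to <code class="literal">/error</code>, so role membership stays under the application's control rather than the provider's.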
This setting is configured through the property <code class="literal">jetty.openid.authenticateNewUsers</code> in the <code class="literal">start.ini</code> or <code class="literal">start.d/openid.ini</code> file, or with <code class="literal">OpenIdLoginService.setAuthenticateNewUsers(...);</code> in embedded code.</p></div></div><script type="text/javascript">
SyntaxHighlighter.all()
</script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="spnego-support.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="configuring-security.html"><i class="fa fa-chevron-up" aria-hidden="true"></i> Top</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="configuring-jsp.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr><tr><td width="40%" align="left" valign="top">SPNEGO Support&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></td><td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Configuring JSP Support</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout">
See an error or something missing?
<span class="callout"><a href="http://github.com/eclipse/jetty.project">Contribute to this documentation at
<span class="website"><i class="fa fa-github" aria-hidden="true"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2020-03-10)</i></span></div></p></body></html>