Sample Static Configuration for using Google Authentication
Google does not allow dynamic client registration, but is otherwise compliant with the OpenID Connect protocol. You have to have the Google+ API enabled in your Google Developer Console in order for this to work. There you create
The following example is based on making the sample simple-web-app work with a Static configuration that uses Google Authentication; one can extrapolate from this to get a Hybrid configuration working. The updates shown here were made to the src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml file (see client configuration).
- Set the Authentication Filter to use your configurations, in this sample Static configurations:

  <bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="issuerService" ref="staticIssuerService" />
    <property name="serverConfigurationService" ref="dynamicServerConfigurationService" />
    <property name="clientConfigurationService" ref="staticClientConfigurationService" />
    <property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
    <property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
  </bean>
- Set your issuer to https://accounts.google.com. This example uses the static issuer service; the effect on the simple client is that it ignores anything you type in the entry box during login. To use multiple issuers, use a different issuer service and have a selector page where one of the options is https://accounts.google.com.

  <bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
    <property name="issuer" value="https://accounts.google.com" />
  </bean>
- Google's server configuration can be discovered dynamically from the issuer.

  <bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService" />
- Finally, you must statically configure your client to work with Google requirements. Replace anything called "my-*" with your actual values, obtained from your Google API via the Google Developers Console.

  <bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
    <property name="clients">
      <map>
        <entry key="https://accounts.google.com">
          <bean class="org.mitre.oauth2.model.RegisteredClient">
            <property name="clientName" value="my-client-name" />
            <property name="clientId" value="my-google-client-id-from-console" />
            <property name="clientSecret" value="my-google-client-secret-from-console" />
            <property name="scope">
              <set value-type="java.lang.String">
                <value>openid</value>
                <value>email</value>
                <value>profile</value>
              </set>
            </property>
            <property name="redirectUris">
              <set>
                <value>https://my-redirect-uri-setup-in-google/</value>
              </set>
            </property>
          </bean>
        </entry>
      </map>
    </property>
  </bean>
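
The step above that discovers Google's server configuration from the issuer relies on OpenID Connect Discovery 1.0. The following added example (Python, not code from MITREid Connect) shows what that involves: building the well-known URL for the configured issuer and checking the returned metadata before trusting it. The function names and the sample documents are constructed for illustration.

```python
import json

# Metadata that OpenID Connect Discovery 1.0 marks as REQUIRED for a
# provider used with the authorization code flow.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer):
    """Well-known URL a client fetches for the configured issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer, document):
    """Return a list of problems; an empty list means the document is usable."""
    try:
        meta = json.loads(document)
    except ValueError:
        return ["not valid JSON"]
    if not isinstance(meta, dict):
        return ["not a JSON object"]
    problems = ["missing " + key for key in REQUIRED if key not in meta]
    # The document's issuer must be identical to the configured issuer;
    # otherwise the client would trust another party's endpoints and keys.
    if "issuer" in meta and meta["issuer"] != issuer:
        problems.append("issuer mismatch: %r" % (meta["issuer"],))
    for key in ENDPOINTS:
        value = meta.get(key)
        if key in meta and not (isinstance(value, str)
                                and value.lower().startswith("https://")):
            problems.append(key + " is not an https URL")
    return problems

# Constructed sample documents (endpoint URLs are placeholders, not Google's).
ISSUER = "https://accounts.google.com"
GOOD = {"issuer": ISSUER,
        "authorization_endpoint": "https://op.example.test/authorize",
        "token_endpoint": "https://op.example.test/token",
        "jwks_uri": "https://op.example.test/jwks",
        "response_types_supported": ["code"],
        "subject_types_supported": ["public"],
        "id_token_signing_alg_values_supported": ["RS256"]}
BAD = dict(GOOD, issuer="https://accounts.example.test",
           token_endpoint="http://op.example.test/token")
del BAD["jwks_uri"]

if __name__ == "__main__":
    for doc in (GOOD, BAD):
        print(check_discovery(ISSUER, json.dumps(doc)))
```

The issuer comparison is an exact string match, so the value in the static issuer bean and the key of the clients map entry must be written exactly as the provider publishes it.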
Copyright ©2015 The MITRE Corporation and the MIT Kerberos and Internet Trust Consortium. Software is available under the Apache 2.0 license. Documentation available under the Creative Commons 3.0 By-NC license.