Revision 4 - 2024-03-14 - 05:34:29 - ShradhaSrivastav

Configure Google Social Login for ELM

Authors: ShradhaSrivastav
Build basis: Engineering Lifecycle Management and Jazz Authorization Server 7.x

Any application that uses OpenID Connect to authenticate users against Google must have authorization credentials (an OAuth client ID and client secret) that identify the application to Google's OIDC provider. The following steps explain how to create those credentials for your project in the Google Cloud Console; the JAS social-login configuration later in this page uses them.

Create authorization credentials

  • Go to the Credentials page of your project in the Google Cloud Console (APIs & Services > Credentials).
  • Click Configure Consent Screen, select External, and click Create.

  • Click Create credentials > OAuth client ID.

  • Select Web application as the application type.

  • Name your OIDC client and, under Authorized redirect URIs, add the redirect URL of the oidcLogin element that you will configure in JAS; then click Create. The redirect URL points to the ID of that oidcLogin element and has the following format:
 https://liberty_host:SSL_port/ibm/api/social-login/redirect/oidclogin_id

  • After the client is created, take note of the client ID and the client secret. You need both to complete the oidcLogin configuration in JAS. Treat the client secret as a credential, not as documentation: whoever holds it can authenticate to Google as your application.

  • Go to the OAuth consent screen and, in the Test users section, add the Google accounts that will be used to log in to the application. While the consent screen is in Testing status, only these accounts can sign in; each of them must also exist in the ELM user repository with the same user ID, which for Google is the account's email address (see the LDAP mapping below). Publishing the consent screen to production removes the test-user restriction, after which the lookup in the ELM user repository is the only thing that limits who can log in.

Import Google Certificates

JAS connects over TLS to the Google hosts named in the oidcLogin configuration (the tokenEndpoint and jwksUri hosts), so the JAS truststore must contain the CA certificate that issued their server certificates. One way to obtain the chain is through a browser:

  • Access google.com in Firefox (or, better, one of the hosts JAS will actually contact, such as accounts.google.com or www.googleapis.com, so that you capture the chain those hosts present).
  • Click the padlock in the address bar -> Connection secure -> More information.
  • Click View Certificate.
  • Download the certificate chain.
  • Import the downloaded certificate into the JAS truststore. Use a key management tool such as iKeyman or the Java keytool utility to add the certificate to the JAS truststore file.

Import the issuing CA certificate from the chain (root or intermediate), not the leaf certificate of the host: Google rotates these leaf certificates frequently, and a truststore that contains only the leaf stops working at the next rotation. Before trusting a downloaded root, compare its fingerprint with the value the CA publishes, so that a TLS-intercepting proxy on the path cannot slip its own root into the JAS truststore.

Configure Social Login in JAS to Redirect to Google Login

You can configure a Liberty server so that users can authenticate to websites hosted on the Liberty server by logging in with their social media accounts. For JAS to connect to a different OIDC server, define your own social login configuration based on the OAuth 2.0 or OpenID Connect 1.0 standards.

In Liberty, social login is enabled by the socialLogin-1.0 feature. The following instructions configure social login for a third-party OIDC server.

  • Open the [JAS_HOME]\wlp\usr\servers\jazzop\server.xml configuration file and add the socialLogin-1.0, ssl-1.0 and appSecurity-2.0 features:
<featureManager>
    <feature>socialLogin-1.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>ssl-1.0</feature>
    ...
</featureManager>

  • Add the oidcLogin element and configure the connection to your OIDC provider.
  • Define the OIDC server endpoints with the authorizationEndpoint, tokenEndpoint, jwksUri and issuer attributes.
    The Liberty server first redirects the user to the authorization endpoint to authenticate the user and obtain an OAuth authorization code. It then calls the token endpoint to exchange the authorization code for tokens. The issuer value and the signing keys published at jwksUri are what the server uses to validate the ID token it receives, so both must come from the provider you intend to trust.

  • The endpoint values required in the configuration can be obtained from the discovery endpoint URL of the OIDC provider.
    For the Google OIDC provider, the discovery endpoint URL is https://accounts.google.com/.well-known/openid-configuration. Copy the values from the live discovery document rather than from the example below: Google has changed endpoint host names over time, and the token endpoint shown in the example is an older host name (the discovery document currently lists https://oauth2.googleapis.com/token).

  • The configuration populated from the discovery endpoint is shown below; add it to [JAS_HOME]\wlp\usr\servers\jazzop\appConfig.xml after the oauthProvider section.
 <oidcLogin id="myoidcserver" displayName="OIDC Login"
      clientId="[my_client_Id]"
      clientSecret="[my_client_password]"
      authorizationEndpoint="https://accounts.google.com/o/oauth2/v2/auth"
      tokenEndpoint="https://www.googleapis.com/oauth2/v4/token"
      jwksUri="https://www.googleapis.com/oauth2/v3/certs"
      issuer="https://accounts.google.com"
      scope="openid profile email"
      userNameAttribute="email"
      mapToUserRegistry="true">
 </oidcLogin>

  • The clientId and clientSecret are the values Google generated when you created the OAuth client ID in the first section of this page. Because appConfig.xml now contains a credential, make sure the file is readable only by the account that runs JAS.
  • The redirect URL points to the ID of your configured oidcLogin element in the following format:
 https://liberty_host:SSL_port/ibm/api/social-login/redirect/oidclogin_id

  • For example, the redirect URL for the oidcLogin configuration above is:
 https://[JAS_HOST]:[Port]/ibm/api/social-login/redirect/myoidcserver

    This value must match, character for character, the authorized redirect URI registered for the client in the Google Cloud Console (same scheme, host name, port and path). If it does not, Google rejects the login with a redirect_uri_mismatch error before the user is ever sent back to JAS.
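As an added example, not part of this wiki page or of the JAS product, the following Python script derives the oidcLogin endpoint attributes from an OIDC discovery document, renders the element for appConfig.xml, builds the redirect URL, and reports where a hand-written configuration (here, the values from the example above) diverges from the discovery document. The discovery JSON embedded in the script is a constructed sample modelled on Google's published document and must be replaced by the live one before any value is trusted; the host name jas.example.com, the port 9643 and the client values are placeholders.

```python
"""Added example (not part of the IBM wiki page or the JAS product):
derive and check the oidcLogin attributes from an OIDC discovery document.
SAMPLE_DISCOVERY is a constructed sample modelled on
https://accounts.google.com/.well-known/openid-configuration; fetch the
live document and pass it to the same functions before trusting a value.
"""
import json
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

# Constructed sample of the discovery document, reduced to the keys used here.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes_supported": ["openid", "email", "profile"],
})

# Discovery document key -> oidcLogin attribute that carries it.
ATTR_FROM_DISCOVERY = {
    "authorization_endpoint": "authorizationEndpoint",
    "token_endpoint": "tokenEndpoint",
    "jwks_uri": "jwksUri",
    "issuer": "issuer",
}

# The endpoint values shown in the oidcLogin example on this page.
PAGE_CONFIG = {
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
    "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
    "issuer": "https://accounts.google.com",
}


def endpoints_from_discovery(discovery_json):
    """Return {oidcLogin attribute: URL}; refuse anything that is not an https URL."""
    doc = json.loads(discovery_json)
    endpoints = {}
    for key, attr in ATTR_FROM_DISCOVERY.items():
        url = doc[key]
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{key} is not an https URL: {url}")
        endpoints[attr] = url
    return endpoints


def diff_against_discovery(configured, discovery_json):
    """Attributes whose configured value differs from the discovery document:
    {attribute: (configured value, discovery value)}."""
    live = endpoints_from_discovery(discovery_json)
    return {attr: (configured.get(attr), live[attr])
            for attr in live if configured.get(attr) != live[attr]}


def redirect_uri(host, ssl_port, element_id):
    """Redirect URL Liberty serves for an oidcLogin element; register exactly
    this string as the authorized redirect URI of the Google OAuth client."""
    return f"https://{host}:{ssl_port}/ibm/api/social-login/redirect/{element_id}"


def render_oidc_login(element_id, client_id, client_secret, endpoints,
                      scope="openid profile email"):
    """Render the <oidcLogin> element for appConfig.xml with escaped attribute values."""
    if "openid" not in scope.split():
        raise ValueError("scope must include 'openid' for an OpenID Connect login")
    attrs = {
        "id": element_id,
        "displayName": "OIDC Login",
        "clientId": client_id,
        "clientSecret": client_secret,
        **endpoints,
        "scope": scope,
        "userNameAttribute": "email",   # the email claim becomes the registry user ID
        "mapToUserRegistry": "true",    # ... and must exist in the LDAP registry
    }
    body = "\n".join(f"    {name}={quoteattr(value)}" for name, value in attrs.items())
    return f"<oidcLogin\n{body}>\n</oidcLogin>"


if __name__ == "__main__":
    endpoints = endpoints_from_discovery(SAMPLE_DISCOVERY)
    # jas.example.com / 9643 are placeholders for the JAS host and SSL port.
    print(redirect_uri("jas.example.com", 9643, "myoidcserver"))
    print(render_oidc_login("myoidcserver", "[my_client_Id]", "[my_client_password]", endpoints))
    print("differs from discovery:", diff_against_discovery(PAGE_CONFIG, SAMPLE_DISCOVERY))
```

Run against the sample, the script reports tokenEndpoint as the one attribute where the page's example and the discovery document disagree; run against the live document it tells you whether a configuration you already have is still current.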

Note: Because the Google OIDC provider identifies users by email address, update the configuration in JAS and JTS to use the mail attribute as the user ID instead of the sAMAccountName default used for Microsoft Active Directory. The email address from the ID token is then looked up in the LDAP registry; a Google account whose address does not match the mail attribute of an existing ELM user cannot log in.

To configure JAS login with email address, update ldapUserRegistry.xml located in [JAS_HOME]\wlp\usr\servers\jazzop and modify it to match your environment. Examples follow.

Microsoft Active Directory

<server>
<ldapRegistry ldapType="Microsoft Active Directory" baseDN="CN=Users,DC=test,DC=com" 
        bindDN="CN=CLM Admin,CN=Users,DC=test,DC=com" bindPassword="********" 
        host="ldapserver" id="ldapserver:389" ignoreCase="true" port="389" realm="ldapserver:389"
        recursiveSearch="true" sslEnabled="false">  
        
        <activedFilters
                        userFilter="(&amp;(mail=%v)(objectcategory=user))"
                        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                        userIdMap="*:mail"
                        groupIdMap="*:cn"
                        groupMemberIdMap="memberOf:member" >
                </activedFilters>
    </ldapRegistry>
</server>

ApacheDS

<server>
        <ldapRegistry ldapType="Custom" baseDN="dc=example,dc=com" host="localhost" 
              id="localhostexample:10389" ignoreCase="true" port="10389"  
              realm="localhostexample:10389" recursiveSearch="true" sslEnabled="false">
<customFilters 
        groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)))" 
        groupIdMap="*:cn" 
        groupMemberIdMap="groupOfUniqueNames:uniquemember" 
        userFilter="(&amp;(mail=%v)(objectclass=inetOrgPerson))" 
        userIdMap="*:mail" >
  </customFilters>
</ldapRegistry>
</server>

Update the following parameters in the JTS teamserver.properties file so that the mail attribute is used as the user ID:

com.ibm.team.repository.ldap.userAttributesMapping=userId\=mail,name\=cn,emailAddress\=mail
com.ibm.team.repository.ldap.findUsersByUserIdQuery=mail\=?1
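The following Python script is an added illustration, not code from this page, from Liberty or from JTS, of the two steps that the configuration above glues together: which ID token claims have to hold before the email claim is used as the user ID, and what the userFilter from the ldapRegistry examples looks like once %v has been substituted with that address. The ID token is a constructed, unsigned sample (the signature check against jwksUri is Liberty's job and is not repeated here); CLIENT_ID and the email addresses are placeholders. The email_verified check is included because a relying party that maps an email address to a registry account should require it; this page does not say whether Liberty performs that check.

```python
"""Added example (not from the IBM wiki page, Liberty or JTS): the checks that
should hold before the "email" claim of a Google ID token is used as the ELM
user ID, and the LDAP search that the ldapRegistry userFilter turns it into.
The ID token is a constructed, unsigned sample; CLIENT_ID and the addresses
are placeholders.  The signature check against jwksUri is Liberty's job and is
not repeated here.
"""
import base64
import json
import time

ISSUER = "https://accounts.google.com"
CLIENT_ID = "000000000000-placeholder.apps.googleusercontent.com"  # placeholder

# userFilter values from the ldapRegistry examples on this page, with the XML
# entity &amp; written as a plain '&' (the value is an LDAP filter, not XML).
AD_USER_FILTER = "(&(mail=%v)(objectcategory=user))"
APACHEDS_USER_FILTER = "(&(mail=%v)(objectclass=inetOrgPerson))"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed sample token: header.payload. with an empty signature part."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_payload(id_token: str) -> dict:
    """Decode the claims part of a JWT (no signature verification here)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def email_for_registry(claims: dict, now=None, hosted_domain=None) -> str:
    """Return the email to look up in the registry, or raise ValueError."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer does not match the configured issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    if claims.get("email_verified") is not True:
        raise ValueError("Google has not verified this email address")
    if hosted_domain is not None and claims.get("hd") != hosted_domain:
        raise ValueError("account is not in the expected Google Workspace domain")
    return claims["email"]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of a value substituted into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def user_filter(template: str, user_id: str) -> str:
    """Substitute %v in a Liberty userFilter with the login name, escaped so
    that the name cannot change the structure of the filter."""
    return template.replace("%v", ldap_escape(user_id))


if __name__ == "__main__":
    token = make_unsigned_id_token({
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "1234567890",
        "email": "alice@example.com", "email_verified": True,
        "iat": int(time.time()), "exp": int(time.time()) + 300,
    })
    email = email_for_registry(decode_payload(token))
    print(user_filter(AD_USER_FILTER, email))
    print(user_filter(APACHEDS_USER_FILTER, email))
```

The hosted_domain argument is optional: for a Google Workspace deployment, requiring the hd claim rejects personal Google accounts before the registry is consulted, which keeps the LDAP lookup from being the only gate once the consent screen leaves Testing status.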

This site is powered by the TWiki collaboration platform. Copyright © by IBM and non-IBM contributing authors. All material on this collaboration platform is the property of the contributing authors.