OpenID Connect

One for all, all for one

Concept

OpenID Connect is a protocol for delegating the authentication of an application's users to a third-party application called an Identity Provider (IdP). Built on the OAuth 2 protocol and its authorization code flow, OpenID Connect is used by FlowerDocs GUI to provide its users with Single Sign-On.

From the authentication page, users authenticate by selecting one of the Identity Providers displayed. Once authenticated at the Identity Provider, the user is redirected to the FlowerDocs GUI redirect URL (redirect_uri) with an authorization code generated by the Identity Provider.

Using this authorization code, FlowerDocs GUI retrieves the id_token and access_token from the Identity Provider and then initializes the user's HTTP session. A user token specific to FlowerDocs is then generated.

Prerequisites

1. FlowerDocs Core's secret key must be shared with FlowerDocs GUI in order to use this mechanism. Sharing the secret key is necessary so that FlowerDocs GUI can initialize the user session by generating a valid user token (token.key property in the gui.properties file).

2. The FlowerDocs GUI redirect URL must be authorized (registered) at the Identity Provider.

Configuration

An OpenID Connect Identity Provider can be configured via the FlowerDocs administration console. This configuration is stored in technical documents of the OAuthClientConfiguration class; the various parameters to be entered are stored in the tags of that document.


OAuthClientConfiguration document class

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns5:DocumentClass category="DOCUMENT" active="false" technical="true" xmlns="http://flower.com/docs/domain/common" xmlns:ns2="http://flower.com/docs/domain/componentclass" xmlns:ns4="http://flower.com/docs/domain/tagclass" xmlns:ns3="http://flower.com/docs/domain/i18n" xmlns:ns6="http://flower.com/docs/domain/component" xmlns:ns20="http://flower.com/docs/domain/security" xmlns:ns5="http://flower.com/docs/domain/documentclass" xmlns:ns8="http://flower.com/docs/domain/search" xmlns:ns7="http://flower.com/docs/domain/acl" xmlns:ns13="http://flower.com/docs/domain/scope" xmlns:ns9="http://flower.com/docs/domain/file" xmlns:ns12="http://flower.com/docs/domain/reservation" xmlns:ns11="http://flower.com/docs/domain/task" xmlns:ns22="http://flower.com/docs/domain/folderclass" xmlns:ns10="http://flower.com/docs/domain/taskclass" xmlns:ns21="http://flower.com/docs/domain/virtualfolderclass" xmlns:ns17="http://flower.com/docs/domain/folder" xmlns:ns16="http://flower.com/docs/domain/document" xmlns:ns15="http://flower.com/docs/domain/report" xmlns:ns14="http://flower.com/docs/domain/workflow" xmlns:ns19="http://flower.com/docs/domain/fact" xmlns:ns18="http://flower.com/docs/domain/virtualFolder">
    <id>OAuthClientConfiguration</id>
    <ns2:data>
        <ACL>acl-admin</ACL>
    </ns2:data>
    <ns2:tagReferences tagName="ClientId" mandatory="true" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="ClientSecret" mandatory="true" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="AuthorizationGrantType" mandatory="false" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="RedirectUriTemplate" mandatory="true" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="Scope" mandatory="false" multivalued="true" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="AuthorizationUri" mandatory="true" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="TokenUri" mandatory="true" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="JwkSetUri" mandatory="false" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="UserInfoUri" mandatory="true" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="UserNameAttributeName" mandatory="true" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="MemberOfAttribute" mandatory="false" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="RegistrationId" mandatory="true" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="ClientName" mandatory="false" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="Icon" mandatory="false" multivalued="false" technical="false" readonly="false" order="0" />
    <ns2:tagReferences tagName="RegistrationOrder" mandatory="false" multivalued="false" technical="false" readonly="false" order="10">
        <ns4:descriptions language="EN">
            <ns3:value>Loading order</ns3:value>
        </ns4:descriptions>
        <ns4:descriptions language="FR">
            <ns3:value>Loading order</ns3:value>
        </ns4:descriptions>
        <ns4:pattern></ns4:pattern>
    </ns2:tagReferences>
    <ns2:displayNames language="EN">
        <ns3:value>oAuthClients configuration</ns3:value>
    </ns2:displayNames>
    <ns2:displayNames language="FR">
        <ns3:value>oAuthClients configuration</ns3:value>
    </ns2:displayNames>
</ns5:DocumentClass>

Access account

Most Identity Providers require the client application to authenticate itself before the user authentication process can start. To configure the account used by FlowerDocs to contact the Identity Provider, the following tags must be set:

  • ClientId: the identifier representing the client application (or Relying Party), i.e. FlowerDocs GUI
  • ClientSecret: the secret associated with this identifier
  • RedirectUriTemplate: template used to generate the redirect_uri parameter (the value must be set to {baseUrl}/login/oauth2/code/{registrationId})
  • Scope: OAuth 2.0 scopes (at least openid and email)
  • UserNameAttributeName: name of the attribute (claim) used as the user identifier
  • RegistrationId: unique identifier of the authorization server, substituted for {registrationId} in the redirect URI template
  • ClientName: display name of the client registration (e.g. Google or Microsoft in the examples below)
  • Icon: Font Awesome icon displayed on the login page
  • MemberOfAttribute: name of the attribute (claim) that provides the user's groups

Endpoints

The various endpoints required by the OpenID Connect protocol must be configured using the following tags:

  • AuthorizationUri: authorization endpoint, where the user authenticates and consents
  • TokenUri: token endpoint, where the authorization code is exchanged for the id_token and access_token
  • JwkSetUri: endpoint exposing the authorization server's public keys (JWK Set), used to validate the signature of the information received
  • UserInfoUri: UserInfo endpoint returning the user's attributes (claims)

For more details, see the OpenID Connect specifications.
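As an added example (not FlowerDocs code), the check below parses an OAuthClientConfiguration document in the format shown on this page and verifies the rules stated in the two sections above: every mandatory tag is present, Scope contains openid and email, RedirectUriTemplate has the required value, AuthorizationGrantType (when set) is the standard authorization_code identifier, and every configured endpoint uses TLS. The sample document and the idp.example URLs are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://flower.com/docs/domain/component"}
# Tags the OAuthClientConfiguration class declares mandatory="true"
MANDATORY = {"ClientId", "ClientSecret", "RedirectUriTemplate", "AuthorizationUri",
             "TokenUri", "UserInfoUri", "UserNameAttributeName", "RegistrationId"}
ENDPOINTS = {"AuthorizationUri", "TokenUri", "JwkSetUri", "UserInfoUri"}
REDIRECT_TEMPLATE = "{baseUrl}/login/oauth2/code/{registrationId}"
# Constructed sample in the page's document format (idp.example is a placeholder): the grant
# type wrongly repeats the redirect template, Scope lacks email, TokenUri is plain http and
# the mandatory RegistrationId tag is missing.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<ns3:Document category="DOCUMENT" name="Demo" xmlns="http://flower.com/docs/domain/common"
    xmlns:ns2="http://flower.com/docs/domain/component" xmlns:ns3="http://flower.com/docs/domain/document">
  <id>Demo</id>
  <ns2:data><ns2:classId>OAuthClientConfiguration</ns2:classId></ns2:data>
  <ns2:Tags>
    <ns2:tags name="ClientId"><ns2:value>***</ns2:value></ns2:tags>
    <ns2:tags name="ClientSecret"><ns2:value>***</ns2:value></ns2:tags>
    <ns2:tags name="AuthorizationGrantType"><ns2:value>{baseUrl}/login/oauth2/code/{registrationId}</ns2:value></ns2:tags>
    <ns2:tags name="RedirectUriTemplate"><ns2:value>{baseUrl}/login/oauth2/code/{registrationId}</ns2:value></ns2:tags>
    <ns2:tags name="Scope"><ns2:value>openid</ns2:value><ns2:value>profile</ns2:value></ns2:tags>
    <ns2:tags name="AuthorizationUri"><ns2:value>https://idp.example/authorize</ns2:value></ns2:tags>
    <ns2:tags name="TokenUri"><ns2:value>http://idp.example/token</ns2:value></ns2:tags>
    <ns2:tags name="UserInfoUri"><ns2:value>https://idp.example/userinfo</ns2:value></ns2:tags>
    <ns2:tags name="UserNameAttributeName"><ns2:value>sub</ns2:value></ns2:tags>
  </ns2:Tags>
</ns3:Document>"""

def read_tags(xml_text):
    """Return {tagName: [values]} from the <ns2:Tags> block of a FlowerDocs document."""
    root = ET.fromstring(xml_text)
    return {t.get("name"): [v.text or "" for v in t.findall("c:value", NS)]
            for t in root.findall("./c:Tags/c:tags", NS)}

def lint(xml_text):
    """Return the problems found; an empty list means the registration is consistent."""
    tags = read_tags(xml_text)
    first = lambda name: (tags.get(name) or [""])[0]  # first value of a tag, "" if absent
    problems = [f"missing mandatory tag {n}" for n in sorted(MANDATORY - tags.keys())]
    if not {"openid", "email"} <= set(tags.get("Scope", [])):
        problems.append("Scope must contain at least openid and email")
    if first("RedirectUriTemplate") != REDIRECT_TEMPLATE:
        problems.append(f"RedirectUriTemplate must be {REDIRECT_TEMPLATE}")
    if first("AuthorizationGrantType") not in ("", "authorization_code"):
        problems.append("AuthorizationGrantType must be authorization_code")
    for name in sorted(ENDPOINTS & tags.keys()):  # every configured endpoint must use TLS
        if not first(name).startswith("https://"):
            problems.append(f"{name} must use https")
    return problems
```

Running lint on an exported OAuthClientConfiguration document before importing it catches a copy-and-paste slip such as a redirect template pasted into the grant type, which the administration console will otherwise accept silently.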

Examples


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:Document category="DOCUMENT" name="Google" xmlns="http://flower.com/docs/domain/common"
    xmlns:ns2="http://flower.com/docs/domain/component" xmlns:ns3="http://flower.com/docs/domain/document">
    <id>Google</id>
    <ns2:data>
        <ns2:classId>OAuthClientConfiguration</ns2:classId>
    </ns2:data>
    <ns2:Tags>
        <ns2:tags name="ClientId" readOnly="false">
            <ns2:value>***</ns2:value>
        </ns2:tags>
        <ns2:tags name="ClientSecret" readOnly="false">
            <ns2:value>***</ns2:value>
        </ns2:tags>
        <ns2:tags name="RedirectUriTemplate" readOnly="false">
            <ns2:value>{baseUrl}/login/oauth2/code/{registrationId}</ns2:value>
        </ns2:tags>
        <ns2:tags name="Scope" readOnly="false">
            <ns2:value>openid</ns2:value>
            <ns2:value>profile</ns2:value>
            <ns2:value>email</ns2:value>
            <ns2:value>address</ns2:value>
            <ns2:value>phone</ns2:value>
        </ns2:tags>
        <ns2:tags name="AuthorizationUri" readOnly="false">
            <ns2:value>https://accounts.google.com/o/oauth2/v2/auth</ns2:value>
        </ns2:tags>
        <ns2:tags name="TokenUri" readOnly="false">
            <ns2:value>https://www.googleapis.com/oauth2/v4/token</ns2:value>
        </ns2:tags>
        <ns2:tags name="JwkSetUri" readOnly="false">
            <ns2:value>https://www.googleapis.com/oauth2/v3/certs</ns2:value>
        </ns2:tags>
        <ns2:tags name="UserInfoUri" readOnly="false">
            <ns2:value>https://www.googleapis.com/oauth2/v3/userinfo</ns2:value>
        </ns2:tags>
        <ns2:tags name="UserNameAttributeName" readOnly="false">
            <ns2:value>sub</ns2:value>
        </ns2:tags>
        <ns2:tags name="RegistrationId" readOnly="false">
            <ns2:value>google</ns2:value>
        </ns2:tags>
        <ns2:tags name="ClientName" readOnly="false">
            <ns2:value>Google</ns2:value>
        </ns2:tags>
        <ns2:tags name="Icon" readOnly="false">
            <ns2:value>border-danger text-danger mdi mdi-google</ns2:value>
        </ns2:tags>
    </ns2:Tags>
</ns3:Document>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:Document category="DOCUMENT" name="Microsoft" xmlns="http://flower.com/docs/domain/common"
    xmlns:ns2="http://flower.com/docs/domain/component" xmlns:ns3="http://flower.com/docs/domain/document">
    <id>Microsoft</id>
    <ns2:data>
        <ns2:classId>OAuthClientConfiguration</ns2:classId>
    </ns2:data>
    <ns2:Tags>
        <ns2:tags name="ClientId" readOnly="false">
            <ns2:value>***</ns2:value>
        </ns2:tags>
        <ns2:tags name="ClientSecret" readOnly="false">
            <ns2:value>***</ns2:value>
        </ns2:tags>
        <ns2:tags name="AuthorizationGrantType" readOnly="false">
            <ns2:value>authorization_code</ns2:value>
        </ns2:tags>
        <ns2:tags name="RedirectUriTemplate" readOnly="false">
            <ns2:value>{baseUrl}/login/oauth2/code/{registrationId}</ns2:value>
        </ns2:tags>
        <ns2:tags name="Scope" readOnly="false">
            <ns2:value>openid</ns2:value>
            <ns2:value>profile</ns2:value>
            <ns2:value>email</ns2:value>
        </ns2:tags>
        <ns2:tags name="AuthorizationUri" readOnly="false">
            <ns2:value>https://login.microsoftonline.com/common/oauth2/v2.0/authorize</ns2:value>
        </ns2:tags>
        <ns2:tags name="TokenUri" readOnly="false">
            <ns2:value>https://login.microsoftonline.com/common/oauth2/v2.0/token</ns2:value>
        </ns2:tags>
        <ns2:tags name="JwkSetUri" readOnly="false">
            <ns2:value>https://login.microsoftonline.com/common/discovery/v2.0/keys</ns2:value>
        </ns2:tags>
        <ns2:tags name="UserInfoUri" readOnly="false">
            <ns2:value>https://graph.microsoft.com/oidc/userinfo</ns2:value>
        </ns2:tags>
        <ns2:tags name="UserNameAttributeName" readOnly="false">
            <ns2:value>sub</ns2:value>
        </ns2:tags>
        <ns2:tags name="RegistrationId" readOnly="false">
            <ns2:value>microsoft</ns2:value>
        </ns2:tags>
        <ns2:tags name="ClientName" readOnly="false">
            <ns2:value>Microsoft</ns2:value>
        </ns2:tags>
        <ns2:tags name="Icon" readOnly="false">
            <ns2:value>border-info text-info mdi mdi-microsoft</ns2:value>
        </ns2:tags>
    </ns2:Tags>
</ns3:Document>

Automatic login

To authenticate a user automatically with this authentication mechanism, add the parameter sso=auto to the login page URL.

With this parameter, the user is automatically authenticated via OpenID Connect when the login page is accessed.