OpenID Support
Jetty supports authentication using the OpenID Connect protocol (see OpenID Connect Core 1.0).
This allows users to authenticate with third party OpenID Providers, making possible to integrate features like "Sign in with Google" or "Sign in with Microsoft", among others.
With OpenID Connect, Jetty applications can offload the responsibility of managing user credentials while enabling features like single sign-on (SSO).
External Configuration
To use OpenID Connect authentication with Jetty you are required to set up an external OpenID Provider for your web application; some examples of OpenID Providers are Google and Amazon.
Once you have set up your OpenID Provider you will have access to a Client ID and Client Secret which you can use to configure Jetty.
You must also configure your OpenID Provider to recognize the redirect URIs that your web application will use to handle authentication responses.
By default, the redirect path is /j_security_check, but this can be customized through the OpenIdAuthenticator configuration if needed.
For example, you may wish to register the following URIs:
-
For a deployed application,
https://example.com/j_security_check. -
For local development,
http://localhost:8080/j_security_check.
Ensure that all relevant environments where your web application is deployed have their corresponding URIs registered with the OpenID Provider to avoid authentication errors.
Jetty Configuration
Code Example
This is an example of how you can configure OpenID Connect authentication with an embedded Jetty environment with the Jetty Core API.
// To create an OpenIdConfiguration you can rely on discovery of the OIDC metadata.
OpenIdConfiguration openIdConfig = new OpenIdConfiguration(
"https://example.com/issuer", // ISSUER
"my-client-id", // CLIENT_ID
"my-client-secret" // CLIENT_SECRET
);
// Or you can specify the full OpenID configuration manually.
openIdConfig = new OpenIdConfiguration(
"https://example.com/issuer", // ISSUER
"https://example.com/token", // TOKEN_ENDPOINT
"https://example.com/auth", // AUTH_ENDPOINT
"https://example.com/logout", // END_SESSION_ENDPOINT
"my-client-id", // CLIENT_ID
"my-client-secret", // CLIENT_SECRET
"client_secret_post", // AUTH_METHOD (e.g., client_secret_post, client_secret_basic)
new HttpClient() // HttpClient instance
);
// The specific security handler implementation will change depending on whether you are using EE8/EE9/EE10/EE11 or Jetty Core API.
SecurityHandler.PathMapped securityHandler = new SecurityHandler.PathMapped();
server.insertHandler(securityHandler);
securityHandler.put("/auth/*", Constraint.ANY_USER);
// A nested LoginService is optional and used to specify known users with defined roles.
// This can be any instance of LoginService and is not restricted to be a HashLoginService.
HashLoginService nestedLoginService = new HashLoginService();
UserStore userStore = new UserStore();
userStore.addUser("<admin-user-subject-identifier>", null, new String[]{"admin"});
nestedLoginService.setUserStore(userStore);
// Optional configuration to allow new users not listed in the nested LoginService to be authenticated.
openIdConfig.setAuthenticateNewUsers(true);
// An OpenIdLoginService should be used which can optionally wrap the nestedLoginService to support roles.
LoginService loginService = new OpenIdLoginService(openIdConfig, nestedLoginService);
securityHandler.setLoginService(loginService);
// Configure an OpenIdAuthenticator.
securityHandler.setAuthenticator(new OpenIdAuthenticator(openIdConfig,
"/j_security_check", // The path where the OIDC provider redirects back to Jetty.
"/error", // Optional page where authentication errors are redirected.
"/logoutRedirect" // Optional page where the user is redirected to this page after logout.
));
// Session handler is required for OpenID authentication.
server.insertHandler(new SessionHandler());Application Usage
Here is an example of a Jetty Core Handler which handles authenticated requests by accessing the OpenID claims, and also handles authentication errors at /error.
class OpenIdExampleHandler extends Handler.Abstract
{
@Override
public boolean handle(Request request, Response response, Callback callback) throws Exception
{
PrintStream writer = new PrintStream(Content.Sink.asOutputStream(response));
String pathInContext = Request.getPathInContext(request);
if (pathInContext.startsWith("/error"))
{
// Handle requests to the error page which may have an error description parameter.
Fields parameters = Request.getParameters(request);
writer.println("error_description: " + parameters.get("error_description_jetty") + "<br>");
}
else
{
Principal userPrincipal = AuthenticationState.getUserPrincipal(request);
writer.println("userPrincipal: " + userPrincipal);
if (userPrincipal != null)
{
// You can access the full openid claims for an authenticated session.
Session session = request.getSession(false);
@SuppressWarnings("unchecked")
Map<String, String> claims = (Map<String, String>)session.getAttribute("org.eclipse.jetty.security.openid.claims");
writer.println("claims: " + claims);
writer.println("name: " + claims.get("name"));
writer.println("sub: " + claims.get("sub"));
}
}
writer.close();
callback.succeeded();
return true;
}
}Authorization with Security Roles
If security roles are required, they can be configured through a wrapped LoginService which is deferred to for role information by the OpenIdLoginService.
The wrapped LoginService be configured through the constructor arguments of OpenIdLoginService, or left null if no user roles are required.
When using authorization roles, the property authenticateNewUsers, which can be configured through the OpenIdConfiguration or directly on the OpenIdLoginService, becomes significant.
When authenticateNewUsers is set to true, users not found by the wrapped LoginService will still be authenticated but will have no roles.
When authenticateNewUsers is set to false, users not found by the wrapped LoginService will be not be allowed to authenticate and are redirected to the error page.