OpenID Connect for W.I.S.V. 'Christiaan Huygens'.
OpenID Connect (OIDC) lets you log into a remote site or application using your identity without exposing your credentials. In addition, OIDC can provide this application with additional user information like full name or phone number. For W.I.S.V. 'Christiaan Huygens', this OIDC implementation is configured to allow login through TU Delft NetID (SAML) and CH Google Accounts. Both login methods are linked to the Dienst2 member administration to verify identity. Dienst2 is also the source of any additional user information.
This code is hosted for production use at connect.ch.tudelft.nl. Developers can register their own applications by logging in there.
This project is a WAR overlay for MITREid Connect, which is included from Maven Central.
- Install JDK 1.8:
File
>Project Structure
>Project SDK
>+
>Download
>1.8
(Cornetto
works) - Set up the project:
File
>Project Structure
>Project
>Project SDK
>1.8
>Apply
- Copy
config/application-example.properties
toconfig/application.properties
and make any necessary changes. An HSQLDB instance will be launched with demo data; to log in, useadmin:password
. - To make sure the config is loaded we need to configure the servlet container with the following parameters:
where
-Dspring.config.location=$PROJECT_DIR$/config/application.properties -Dlog4j.configurationFile=$PROJECT_DIR$/config/log4j2-dev.xml -Djavax.net.ssl.trustStore=$PROJECT_DIR$/wisvch.truststore -Djavax.net.ssl.trustStorePassword=changeit
$PROJECT_DIR$
is the path to the project. These values can be places in.mvn/jvm.config
. Or you can add them to theVM options
in theRun/Debug Configurations
dialog. - Run the project with
mvn jetty:run
or via the Maven toolbar in IntelliJ IDEA.
Some SAML clients require HTTPS. To enable HTTPS, you can follow the instructions below.
- Create a keystore with a self-signed certificate:
keytool -genkey -alias jetty -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore jetty.p12 -validity 3650
- Convert the keystore to a JKS keystore:
keytool -importkeystore -srckeystore jetty.p12 -destkeystore jetty.jks -deststoretype JKS
- Configure the keystore in
application.properties
by setting:and set the issuer URI toserver.ssl.key-keystore=jetty.jks server.ssl.key-store-password=[YOUR KEYSTORE PASSWORD] server.ssl.key-password=[YOUR KEY PASSWORD]
https://localhost:8443/
:server.issuer=https://localhost:8443 server.port=8443 server.force_https=true
- Edit
pom.xml
to configure the Jetty plugin:make sure that you do not commit this change.<plugin> <groupId>org.eclipse.jetty</groupId> <artifactId>jetty-maven-plugin</artifactId> <version>9.3.5.v20151012</version> <configuration> <systemPropertiesFile>${project.basedir}/config/application.properties</systemPropertiesFile> <jettyXml>jetty.xml</jettyXml> </configuration> </plugin>
- If you want to use Google SAML, you are not allowed to redirect traffic to localhost. You can use ngrok to
create a tunnel to your local machine. You can then use the ngrok URL as the issuer URI:
ngrok http https://localhost:8443
Configure the location of the properties file with -Dspring.config.location=/path/to/config/application.properties
as
a JVM parameter. Spring profile production
is used in production; to enable, add -Dspring.profiles.active=production
as a JVM parameter.
Building:
docker build .
Production images are built using a GitHub Actions workflow and can be downloaded from the GitHub Container Registry.