Authorizing Users in a Model that Supports OpenID Authentication

OSLC implementation in ProCloud Server supports a type of OpenID authentication called 'Authentication using the Authorization Code Flow'. The process of authorizing the user has these steps:

The user sends an authorization request to the Authorization Endpoint in the OpenID Server.
OpenID Server authenticates the user and sends them an Authorization Code.
The user POSTs the Authorization Code to OSLC using the /oslc/am/login/ call.
OSLC validates the Authorization Code by contacting the OpenID Server.
Successful validation returns XML containing the User Authentication Token (amongst other information) in the XML element 'ss:useridentifier'.

User Authentication Token in a Model that Supports OpenID Authentication

Step	Action	See also
1	Determine the Authorization Endpoint in the OpenID Server by retrieving the Service Provider Resource (using the /oslc/am/sp/ call). If the model supports OpenID Authentication, and if Pro Cloud Server is able to contact the OpenID Server, then the Authorization Endpoint will be available in the oslc:authorizationURI element.
2	Send a GET request to the Authorization Endpoint, with these URL parameters to authorize the user via a Web Browser: response_type client_id scope redirect_uri The authorization request will have this format: <AUTHORIZATION ENDPOINT>?response_type=code&client_id=<CLIENT ID>&scope=<SCOPE>&redirect_uri=<REDIRECT URI> For example: http://192.168.1.106:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=WebEA&scope=openid&redirect_uri=http://localhost/openid/callback
3	When authenticated, the OpenID Server will send an Authorization Code back to the user as a URL parameter in the redirect URI. For example : http://localhost/openid/callback?session_state=18f42600&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..yP6Yee4H_4
4	Retrieve the value of the URL parameter code and send it to OSLC by POSTing it to: URL : <protocol>://<server>/<model_name>/oslc/am/login/ POST Body : sso=openid;code=<AUTHORIZATION CODE>;redirecturi=<REDIRECT URI> For example, the POST Body might be: sso=openid;code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..yP6Yee4H_4;redirecturi=http://localhost/openid/callback;
5	OSLC validates the Authorization Code by contacting the OpenID Server and, if successful, returns a response XML that contains a User Authentication Token. Pass this User Authentication Token with every OSLC Resource/Resource Feature Create, Update, Retrieve and Delete request.

Notes

This facility is available through the Pro Cloud Server, with a valid license
An OSLC request will not be processed by the Pro Cloud Server unless the User Authentication Token is passed in with the request on a security-enabled model
30 minutes of inactivity will log you out of a model; you will have to login again by POSTing to the credential validation URL
In the Authorization Endpoint GET request, values for the URL parameters 'client_id', 'scope' and 'redirect_uri' will be defined/available in the OpenID Server configuration

Learn more

OpenID Authentication using Authorization Code Flow (Online resource)
OpenID Authentication Request (Online Resource)
Service Provider and Service Provider Resource
User Credentials for accessing OSLC RESTful API