OAuth2 – Learning Curve

Provisioning Users in ForgeRock OpenAM Using Social Login

I had left a task unfinished yesterday. When I published my previous post on to my little space in the blogosphere, I kept aside a crucial piece of information. If you haven’t read/viewed my earlier blog on ForgeRock OpenAM Social Authentication (Facebook) Using OAuth2 and don’t know how to configure OAuth2 Authentication Module in ForgeRock OpenAM, I’d request you to first take a look at it.

And now here’s the missing thread: in the last video, we authenticated the OpenAM users against their Facebook Account, but then they had their profile available in the OpenAM Identity Repository as well, which only meant that on Successful Authentication with Facebook, if the users did not have their profile in OpenAM, they were not let in. We take a different stand this time around allowing in even those users without an OpenAM profile, by having OpenAM provision their accounts in its Identity Repository using the attributes returned by Facebook on successful authentication.

Enjoy!

ForgeRock OpenIG as OAuth 2.0 Resource Server

First things first, screen-cast that follows this write up is based on the ForgeRock documentation on OpenIG that’s found here. Secondly, if you aren’t familiar with ForgeRock OpenIG or ForgeRock OpenAM, I’d recommend you to do some reading on the products from the official ForgeRock documentation or watch the following screen-casts on it to become familiarized with it:

ForgeRock OpenIG
– ForgeRock OpenIG Installation
– ForgeRock OpenIG: Getting Credentials from a File Data Store
– ForgeRock OpenIG: Getting Credentials from a JDBC Data Store
– ForgeRock OpenIG: Getting Credentials from ForgeRock OpenAM

ForgeRock OpenAM
– ForgeRock OpenAM Installation & Configuration
– Creating Realm in OpenAM and Setting Up OpenDJ as a Data Store
– ForgeRock OpenAM Authentication With Google Account Using OAuth2
– ForgeRock OpenAM High Availability Deployment
– Configuring Database as OpenAM Log Type
– ForgeRock OpenAM 12: Switching from XUI to Legacy UI
– Adding User Profile Attribute in ForgeRock OpenAM

Cut to present, we have OpenIG acting as a resource server. So in the video log, you’ll see the curl command being used to contact OpenAM to get an Access Token, use the same command to contact OpenIG with the Access Token, which is when OpenIG (acting as a resource server), will contact OpenAM (acting as an authorization server) for validating the token. Once validated, OpenIG will apply additional filters to post the credentials to a HTTP Server and get the user profile in response to it. A one-liner definition for the mouthful of jargon I used above can be found here. The illustration below might make the long story said above slightly shorter.

Now to the real action:

ForgeRock OpenAM Authentication with Google Account Using OAuth2

ForgeRock OpenAM supports a number of Authentication Modules that can be used to verify the identity of a user attempting to login to the applications protected by OpenAM. One of the biggest strengths of OpenAM is the flexibility that it gives to plug in a Custom Authentication Module in the event the Out of The Box modules do not meet the requirements. Some details around the same can be found here.

In the following video that has a running time of approximately nine minutes, you’ll see an OpenAM instance being configured to contact Google for identifying a user by using OAuth2. Google’s literature about their support for OAuth2 is here in case if you are interested to read.

Enjoy!