DEV Community

Iyvonne Bett

Use OAuth 2.0 and Open ID Connect in a Custom Application

In this post, we'll explore secure authentication and authorization for custom applications by configuring Federated Single Sign-On (Federated SSO) between Oracle Identity Cloud Service and your app with OAuth 2.0 and OpenID Connect. We'll cover industry-standard protocols, provide step-by-step instructions, and highlight improvements to the original tutorial. Whether you're an experienced developer or just starting, this post is your guide to enhanced app security and a seamless user experience. Let's begin the journey together.


Background
Oracle Identity Cloud Service supports the following frameworks for federated SSO and authorization integration with custom applications:

  • OAuth 2.0: Framework for authorization, commonly used for third-party authorization requests with consent. See OAuth for more information.
  • OpenID Connect: Authentication protocol that provides Federated SSO leveraging the OAuth 2.0 authorization framework. See OpenID Connect for more information.

These standards provide the following benefits:

  • Federated SSO between custom applications and Oracle Identity Cloud Service. Resource owners (users accessing the Customer Quotes application) need a single login to access Oracle Identity Cloud Service and every application integrated with it. Oracle Identity Cloud Service handles authentication and credential storage itself, so custom applications never see the user's credentials. This capability is provided by OpenID Connect on top of OAuth 2.0.
  • Authorization to perform operations on third-party servers with consent. Resource owners can decide at runtime whether the application should have the authorization to access data or perform tasks for them. This capability is provided by OAuth 2.0.

Scope
In this tutorial, you implement Federated SSO between Oracle Identity Cloud Service and Customer Quotes, a sample client application that serves as a hub for sales quotations. The authentication has the following flow:

OpenID Connect Authentication flow

The Customer Quotes application, after integration:

  • Requires just one login from the resource owner to access both Oracle Identity Cloud Service and the custom application.
  • Displays information about the resource owner (name and email) provided by Oracle Identity Cloud Service. (Customer Quotes does not store that information.)

What Do You Need?

  • Experience developing in Java.
  • Access to Oracle Identity Cloud Service with authorization to manage applications (Identity Domain Administrator, Security Administrator, or Application Administrator).
  • Netbeans IDE 16 (bundle All or Java EE).
  • An Oracle IDCS account with an OAuth 2.0 client configured for your custom application.
  • Access to the custom application's codebase and the ability to modify it.


Clone the sample repository:

C:\Users\Iyvonne>git clone https://github.com/oracle-samples/idm-samples.git

  • The IDCS OAuth 2.0 client ID and client secret are used to authenticate the custom application to IDCS.
  • The IDCS authorization server URL is used to initiate the OAuth 2.0 authorization flow.
  • The IDCS token URL is used to exchange an authorization code for an access token.

Import the Oracle Identity Cloud Service Certificate in Glassfish

In this section, you export the SSL certificate from the Oracle Identity Cloud Service UI and import it into the trust store of the Glassfish Server that NetBeans uses. This step is required so that the custom application can communicate with Oracle Identity Cloud Service over HTTPS.

Export Certificate from Oracle Identity Cloud Service

  • Launch your browser (this tutorial uses Google Chrome on Windows).
  • Access the Oracle Identity Cloud Service UI.
  • In the browser address bar, click the site information (padlock) icon, and then click Details.
  • Click View Certificate.
  • Click Details, and then click Copy to File.
  • Click Next, select Base-64 encoded X.509 (.CER), and then click Next.
  • Save the certificate as oracle.cer in a temporary folder such as C:\temp, click Next, and then click Finish.
  • Click OK, then close the certificate dialog and your browser.

Import Oracle Identity Cloud Service Certificate in Glassfish

  • Launch NetBeans.
  • Click Services, expand Servers, right-click Glassfish Server, and then click Properties.
  • Record the Glassfish domains folder.
  • Close NetBeans.
  • Launch a command prompt as administrator.
  • Enter where keytool to confirm that the keytool utility is available on your PATH.
  • Navigate to the Glassfish domain folder you recorded and run the keytool command that imports oracle.cer into the domain trust store.
  • In the confirmation prompt, enter yes.
  • To confirm that the import succeeded, enter the verification command (list the trust store contents with keytool).
  • Close the command prompt.

Configuring a Client Application in Oracle Identity Cloud Service

In this task, you configure and activate the Customer Quotes application in Oracle Identity Cloud Service.
During configuration, you define how Oracle Identity Cloud Service integrates with your application.

  • In the Identity Cloud Service console, expand the Navigation Drawer, click Applications, and then click Add.
  • Select Confidential Application.
  • Enter Customer Quotes as the Name and "A Web application that works as a hub for all of your quotations. Access quotes and insights from customers from your browser" as the Description, and then click Next.
  • Click Configure this application as a client now, select Authorization Code as the Allowed Grant Type, enter the information according to the table below, and then click Next.

Attribute                | Value                                  | Description
Redirect URL             | http://localhost:38187/cquotes/return  | URL where users are redirected back to cquotes after authentication/authorization in Oracle Identity Cloud Service.
Logout URL               | http://localhost:38187/cquotes/logout  | URL that Oracle Identity Cloud Service calls during the logout process. When this URL is called, the resource owner session is terminated in Customer Quotes.
Post Logout Redirect URL | http://localhost:38187/cquotes         | URL where the resource owner is redirected after the Oracle Identity Cloud Service logout.

  • Click Next in the following panes until you reach the last pane, and then click Finish.
  • Save the Client ID and the Client Secret, and then click Close.
  • Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

At this point, you have an application entry with a client ID and a client secret for integrating your application with Oracle Identity Cloud Service. In the next steps, you integrate your application with Oracle Identity Cloud Service.


Integrating Customer Quotes with IDCS

  • Return to NetBeans and open the file cquotes > Source Packages > com.example.utils > ClientConfig.java. Tip: ClientConfig.java contains the settings that the Customer Quotes application uses at runtime to connect to Oracle Identity Cloud Service.
  • Update CLIENT_ID, CLIENT_SECRET, and IDCS_URL with the Client ID and Client Secret you saved earlier and the URL of your Oracle Identity Cloud Service instance.
  • Save the ClientConfig.java file.
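As an added illustration (not code from the cquotes sample or from Oracle), here is the authorization code flow that the configuration above enables, in plain Java 8: the request sent to Oracle Identity Cloud Service, the state and nonce values that protect the /cquotes/return callback, and the server-side exchange of the code using the client ID and secret. The endpoint paths /oauth2/v1/authorize and /oauth2/v1/token, the tenant URL placeholder, and the Map standing in for the servlet session are assumptions.

```java
import java.io.*; import java.net.*;
import java.security.*; import java.util.*;

public class OidcCodeFlow {
    // Assumed placeholder values; in cquotes they live in ClientConfig.java.
    static final String IDCS_URL = "https://<tenant>.identity.oraclecloud.com";
    static final String CLIENT_ID = "<client-id>", CLIENT_SECRET = "<client-secret>";
    static final String REDIRECT_URI = "http://localhost:38187/cquotes/return";
    static final SecureRandom RNG = new SecureRandom();
    // 128 random bits, base64url encoded: unguessable state (CSRF) and nonce (ID token replay) values.
    static String randomToken() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    // Step 1: build the authorization request; state and nonce are kept in the user's session
    // (a Map here stands in for the servlet HttpSession) so the return servlet can check them.
    static String authorizationUrl(Map<String, String> session) throws Exception {
        String state = randomToken(), nonce = randomToken();
        session.put("oidc_state", state);
        session.put("oidc_nonce", nonce);
        return IDCS_URL + "/oauth2/v1/authorize?response_type=code&client_id=" + enc(CLIENT_ID)
             + "&redirect_uri=" + enc(REDIRECT_URI) + "&scope=" + enc("openid profile email")
             + "&state=" + state + "&nonce=" + nonce;
    }
    // Step 2: on /cquotes/return, accept the callback only if state equals the session value.
    // The stored state is removed first, so a captured callback URL cannot be replayed.
    static boolean stateIsValid(Map<String, String> session, String returned) {
        String expected = session.remove("oidc_state");
        return expected != null && returned != null
            && MessageDigest.isEqual(expected.getBytes(), returned.getBytes());
    }
    // Step 3: exchange the code for tokens server to server. The client ID and secret go in
    // HTTP Basic auth, so the secret never reaches the browser. Returns the raw JSON response.
    static String exchangeCode(String code) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(IDCS_URL + "/oauth2/v1/token").openConnection();
        c.setRequestMethod("POST");
        c.setRequestProperty("Authorization", "Basic " + Base64.getEncoder()
            .encodeToString((CLIENT_ID + ":" + CLIENT_SECRET).getBytes("UTF-8")));
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        c.setDoOutput(true);
        c.getOutputStream().write(("grant_type=authorization_code&code=" + enc(code)
            + "&redirect_uri=" + enc(REDIRECT_URI)).getBytes("UTF-8"));
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(c.getInputStream(), "UTF-8"))) {
            for (String line; (line = r.readLine()) != null; ) sb.append(line);
        }
        return sb.toString();
    }
    static String enc(String s) throws Exception { return URLEncoder.encode(s, "UTF-8"); }
}
```

The ID token in the returned JSON still has to be verified (signature against the IDCS signing keys, iss, aud, and the stored nonce) before the user is treated as logged in; that step needs a JWT library and is not shown here.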

Testing the Integration

  • Return to your browser and make sure that you are not logged in to Oracle Identity Cloud Service.
  • In NetBeans, right-click cquotes, and then click Run. Your web browser displays the Customer Quotes application.
  • Access https://localhost:38187/cquotes/ (copy the link from NetBeans and make sure the port is correct).
  • Click Login with Identity Cloud Service.
  • Authenticate with your credentials.
  • After successful authentication, Oracle Identity Cloud Service redirects you back to the Customer Quotes application, which displays a welcome message. This indicates that Federated SSO between Oracle Identity Cloud Service and your application works.
  • In the upper-right corner, expand the menu and click My Profile.
  • Return to the Customer Quotes window, expand the upper-right corner menu, and then click Logout. You should be redirected to the Oracle Technology Network website.
  • Access https://localhost:38187/cquotes/, and then Oracle Identity Cloud Service. You should not be recognized as a logged-in user in either place. This indicates that the logout worked.

Modifications Required

  • One important change you need to make is in the Servlet files.
  • For instance, in ReturnServlet.java replace the javax package prefix with jakarta.
  • Do the same in all the Servlet files, for example AccessResourceServlet.java.
  • In pom.xml, under dependencies, add the required dependency.
  • In the same file, under plugins, add the required plugin.
  • Note that you must have JDK 8 installed and available on your operating system. In the project properties, make sure the Java platform used to compile the project is JDK 8.