How to evaluate the Connect2id server at a host other than localhost

Out of the box the Connect2id server package is configured for IP 127.0.0.1 (localhost) operation. This also applies to the demo OpenID Connect client that is deployed into the same Apache Tomcat servlet container.

To set up the Connect2id server for client access from other hosts follow the instructions below:

  • Replace [server-host] with the host name or IP address where the Tomcat container with the c2id, c2id-login, password-grant-handler and ldapauth services is deployed, e.g. 192.168.100.1.

  • Replace [client-host] with the host name or IP address where the Tomcat container with the oidc-client application is deployed, e.g. 192.168.100.2.

You don't need to provision Tomcat with an SSL certificate to evaluate basic operation of the Connect2id server, but for proper testing and development you will definitely need one (and a valid host name as well).

1. Server configuration

Edit tomcat/webapps/c2id/WEB-INF/oidcProvider.properties:

# The OpenID provider / OAuth 2.0 server URL
op.issuer = http://[server-host]:8080/c2id

# The OAuth 2.0 server authorisation endpoint
op.authz.endpoint = http://[server-host]:8080/c2id-login

# Allow clients to register and use plain HTTP redirect_uris
op.reg.rejectNonTLSRedirectionURIs = false

Restart the c2id application for the changes to take effect.

If you open the Connect2id server banner page at http://[server-host]:8080/c2id you should see that the endpoint URLs have been updated.

2. Client configuration

2.1 Register a new client

Register a new minimal client at the Connect2id server clients endpoint:

POST /c2id/clients HTTP/1.1
Host: [server-host]:8080
Content-Type: application/json
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{
  "redirect_uris" : [ "http://[client-host]:8080/oidc-client/cb" ]
}

The guide has more examples, e.g. how to set a client name and logo, etc.

Note that the registration request is authorised with the configured master access token for the clients endpoint, passed in the Authorization header:

Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

The redirect_uris must include the callback URL of the demo client where authorisation responses from the Connect2id server will be directed. The host and the client path must match exactly.

On registration success the Connect2id server will return the client details. Copy the following parameters:

  • client_id -- Generated unique ID for the client.
  • client_secret -- The secret for basic authentication. The Connect2id server supports more secure mechanisms and we recommend you use them.

The client details can be queried at any time with an HTTP GET on the resource given by the registration_client_uri, using either the master access token or the registration_access_token returned with the client details (the latter grants access to that registered client only, for self-service purposes).

2.2 Reconfigure the demo OpenID Connect client

Edit tomcat/webapps/oidc-client/WEB-INF/client.properties to set the new Connect2id server endpoints and the client_id, client_secret and client host for the callback URL:

# The default OpenID Connect Provider (OP) properties #
op.iss = http://[server-host]:8080/c2id
op.jwks_uri = http://[server-host]:8080/c2id/jwks.json
op.authz_uri = http://[server-host]:8080/c2id-login
op.token_uri = http://[server-host]:8080/c2id/token
op.userinfo_uri = http://[server-host]:8080/c2id/userinfo

# The default OpenID Connect Client (RP) properties #
rp.client_id = [client_id]
rp.client_secret = [client_secret]
rp.redirect_uri = http://[client-host]:8080/oidc-client/cb

Restart the oidc-client application for the changes to take effect.

If you open the demo client page at http://[client-host]:8080/oidc-client/ and examine the "OpenID provider details" and "Client details" tabs you should see the new values.
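The registration and reconfiguration steps of section 2, as an added Python example (not Connect2id's own code): it builds the POST /c2id/clients request, checks that the returned redirect_uris contain the demo client's callback URL as an exact string (a different host, port or trailing slash is rejected) and renders the client.properties fragment. The host names, the script name and the master token value reused from the guide are assumptions; the client_id and client_secret in the test are constructed.

```python
import json
import sys
import urllib.request

MASTER_TOKEN = "ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6"  # master token shown in the guide (assumed unchanged)


def callback_uri(client_host):
    """Demo client callback; the registered redirect_uri must equal this exactly."""
    return f"http://{client_host}:8080/oidc-client/cb"


def registration_request(server_host, client_host, token=MASTER_TOKEN):
    """Build the POST /c2id/clients request from section 2.1 (minimal client)."""
    body = json.dumps({"redirect_uris": [callback_uri(client_host)]}).encode()
    return urllib.request.Request(
        f"http://{server_host}:8080/c2id/clients", data=body, method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})


def check_registration(response, client_host):
    """Confirm the server registered exactly the requested callback (whole-string
    comparison) and pick out the two values that client.properties needs."""
    expected = callback_uri(client_host)
    uris = response.get("redirect_uris", [])
    if expected not in uris:
        raise ValueError(f"registered redirect_uris {uris} do not include {expected!r}")
    return {"client_id": response["client_id"], "client_secret": response["client_secret"]}


def render_client_properties(server_host, client_host, client_id, client_secret):
    """Render the WEB-INF/client.properties fragment from section 2.2."""
    base = f"http://{server_host}:8080"
    return "\n".join([
        "# The default OpenID Connect Provider (OP) properties #",
        f"op.iss = {base}/c2id",
        f"op.jwks_uri = {base}/c2id/jwks.json",
        f"op.authz_uri = {base}/c2id-login",
        f"op.token_uri = {base}/c2id/token",
        f"op.userinfo_uri = {base}/c2id/userinfo",
        "",
        "# The default OpenID Connect Client (RP) properties #",
        f"rp.client_id = {client_id}",
        f"rp.client_secret = {client_secret}",
        f"rp.redirect_uri = {callback_uri(client_host)}",
    ]) + "\n"


if __name__ == "__main__":  # usage: python register_demo_client.py SERVER_HOST CLIENT_HOST
    server_host, client_host = sys.argv[1], sys.argv[2]
    with urllib.request.urlopen(registration_request(server_host, client_host)) as resp:
        creds = check_registration(json.load(resp), client_host)
    print(render_client_properties(server_host, client_host, **creds), end="")
```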