How to evaluate the Connect2id server at a host other than localhost

Out of the box the Connect2id server package is configured for IP (localhost) operation. This also applies to the demo OpenID Connect client that is deployed into the same Apache Tomcat servlet container.

To set up the Connect2id server for client access from other hosts follow the instructions below:

  • Replace server-host with the host name or IP address where the Tomcat container with the c2id, c2id-login, password-grant-handler and ldapauth services are deployed, e.g.

  • Replace client-host with the host name or IP address where the Tomcat container with the oidc-client application is deployed, e.g.

You don't need to provision Tomcat with an SSL certificate to evaluate basic operation of the Connect2id server, but for proper testing and development you'll definitely do (and a valid hostname also).

1. Server configuration

Edit tomcat/webapps/c2id/WEB-INF/

// The OpenID provider / OAuth 2.0 server URL
op.issuer = http://[server-host]:8080/c2id

// The OAuth 2.0 server authorisation endpoint
op.authz.endpoint = http://[server-host]:8080/c2id-login

// Allow clients to register and use plain HTTP redirect_uris

Restart the c2id application for the changes to take effect.

If you open the Connect2id server banner page at http://[server-host]:8080/c2id you should see that the endpoint URLs have been updated.

2. Client configuration

2.1 Register a new client

Register a new minimal client at the Connect2id server clients endpoint:

POST /c2id/clients HTTP/1.1
Host: [server-host]
Content-Type: application/json
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

  "redirect_uris" : [ "http://[client-host]:8080/oidc-client/cb" ]

The guide has more examples, e.g. how to set a client name and logo, etc.

Note, the registration request is cleared with the configured master access token for the clients endpoint, passed via the Authorization header:

Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

The redirect_uris must include the callback URL of the demo client where authorisation responses from the Connect2id server will be directed. The host and the client path must match exactly.

On registration success the Connect2id server will return the client details. Copy the following parameters:

  • client_id -- Generated unique ID for the client.
  • client_secret -- The secret for basic authentication. The Connect2id server supports more secure mechanisms and we recommend you use them.

The client details can be queried at any time with an HTTP GET call on the resource specified by the registration_client_uri, using the master access token or the token in the registration_access_token (limits access to the registered client only, for self-service purposes).

2.1 Reconfigure the demo OpenID Connect client

Edit tomcat/webapps/oidc-client/WEB-INF/ to set the new Connect2id server endpoints and the client_id, client_secret and client host for the callback URL:

# The default OpenID Connect Provider (OP) properties #
op.iss = http://[server-host]:8080/c2id
op.jwks_uri = http://[server-host]:8080/c2id/jwks.json
op.authz_uri = http://[server-host]:8080/c2id-login
op.token_uri = http://[server-host]:8080/c2id/token
op.userinfo_uri = http://[server-host]:8080/c2id/userinfo

# The default OpenID Connect Client (RP) properties #
rp.client_id = [client_id]
rp.client_secret = [client_secret]
rp.redirect_uri = http://[client-host]:8080/oidc-client/cb

Restart the oidc-client application for the changes to take effect.

If you open the demo client page at http://[client-host]:8080/oidc-client/ and examine the "OpenID provider details" and "Client details" tabs you should see the new values.