Supporting OIDC provider login in developer toolkit environment

You can configure the application to support OIDC provider login from the developer toolkit environment.

Procedure

  1. Collect the user data by configuring the following properties:
    1. OIDC_PROVIDER name
    2. OIDC_CLIENTID and OIDC_SECRET
    3. OIDC_DISCOVERYURL
    4. OIDC_LOGOUTURL
    5. OIDC_UNIQUECLAIM and OIDC_SECONDARYID

      In ADFS, if OIDC_UNIQUECLAIM and OIDC_SECONDARYID are not provided, the default values are sub and email, respectively.

    Note: The OIDC_LOGOUTURL, OIDC_UNIQUECLAIM, and OIDC_SECONDARYID properties are applicable only to ADFS. For other OIDC providers, yfs.properties must be overridden for logout, secondaryId, and UniqueClaim. For example, yfs.yfs.ibmid.provisioner.google.secondaryid=emailId.
  2. Add the properties and set the OIDC_ENABLE flag to Y in the om-compose.properties file.
    • OIDC_ENABLE – Y or N.
    • OIDC_PROVIDER – ibmid, adfs, google, or okta.
    • OIDC_CLIENTID
    • OIDC_SECRET
    • OIDC_DISCOVERYURL
    The following properties are applicable only for ADFS:
    • OIDC_LOGOUTURL
    • OIDC_UNIQUECLAIM – Default value is sub.
    • OIDC_SECONDARYID – Default value is email.
    Note: The OIDC_PROVIDER placeholder value is used as the id attribute in the OpenIdConnectClient element of the server.xml file. You must configure the redirect URL according to the value that is provided for OIDC_PROVIDER.
    For example, if OIDC_PROVIDER=ibmid, then configure the following redirect URL:
    <?xml version="1.0" encoding="UTF-8"?>
    <openidConnectClient id="ibmid"
        clientId="MDIhNiFODI900"
        clientSecret="YjcWQDwYjcZS00"
        discoveryEndpointUrl="https://login.ibm.com/oidc/endpoint/default/.well-known/openid-configuration"
        scope="openid"
        redirectToRPHostAndPort="https://localhost:9443/oidcclient/redirect/ibmid"
        httpsRequired="true"
        signatureAlgorithm="RS256"
        authFilterRef="myAuthFilter" />
  3. Optional: To enable OIDC login for Order Hub, add the following additional property to the om-compose.properties file:
    OIDC_REDIRECT_TO_RP_HOST_PORT=https://<hostname of the machine where the appserver is located>:9443
  4. Apply the configuration.
    1. Import the certificate with the .cer or .crt extension by placing the certificate under the certificates directory of the developer toolkit.
    2. Build the EAR and redeploy. This deployment applies only to the setup or setup-upg commands of the developer toolkit. For more information, see Docker Compose commands reference.
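The following added example (not part of the toolkit or this documentation) checks an om-compose.properties fragment against steps 1 to 3 above: it verifies the required OIDC_* keys, applies the ADFS defaults for OIDC_UNIQUECLAIM and OIDC_SECONDARYID, and derives the redirect URL to register at the provider from OIDC_REDIRECT_TO_RP_HOST_PORT, following the /oidcclient/redirect/<OIDC_PROVIDER> path shown in the server.xml example. The property values and the https://localhost:9443 fallback host are assumptions.

```python
# Added example, not the toolkit's own code: validate the OIDC_* entries of an
# om-compose.properties fragment and derive the redirect URL to register at the IdP.
from urllib.parse import urlparse

SAMPLE_PROPERTIES = """\
OIDC_ENABLE=Y
OIDC_PROVIDER=adfs
OIDC_CLIENTID=constructed-client-id
OIDC_SECRET=constructed-client-secret
OIDC_DISCOVERYURL=https://adfs.example.com/adfs/.well-known/openid-configuration
OIDC_REDIRECT_TO_RP_HOST_PORT=https://appserver.example.com:9443
"""  # constructed sample values, not real credentials

PROVIDERS = {"ibmid", "adfs", "google", "okta"}
REQUIRED = ("OIDC_PROVIDER", "OIDC_CLIENTID", "OIDC_SECRET", "OIDC_DISCOVERYURL")
ADFS_DEFAULTS = {"OIDC_UNIQUECLAIM": "sub", "OIDC_SECONDARYID": "email"}


def parse_properties(text):
    """Parse key=value lines, ignoring blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_oidc_config(props):
    """Return (effective settings, problems); an empty problems list means usable."""
    problems = []
    provider = props.get("OIDC_PROVIDER", "")
    if props.get("OIDC_ENABLE") != "Y":
        problems.append("OIDC_ENABLE must be Y for OIDC login to take effect")
    if provider not in PROVIDERS:
        problems.append(f"OIDC_PROVIDER must be one of {sorted(PROVIDERS)}")
    problems += [f"{k} is missing" for k in REQUIRED if not props.get(k)]
    if urlparse(props.get("OIDC_DISCOVERYURL", "")).scheme != "https":
        problems.append("OIDC_DISCOVERYURL must be an https URL")
    effective = {k: props[k] for k in REQUIRED if k in props}
    if provider == "adfs":  # ADFS-only keys; documented defaults apply when unset
        for key, default in ADFS_DEFAULTS.items():
            effective[key] = props.get(key) or default
        if props.get("OIDC_LOGOUTURL"):
            effective["OIDC_LOGOUTURL"] = props["OIDC_LOGOUTURL"]
    # Redirect path follows the server.xml example; the localhost fallback host
    # used when OIDC_REDIRECT_TO_RP_HOST_PORT is unset is an assumption.
    host = props.get("OIDC_REDIRECT_TO_RP_HOST_PORT", "https://localhost:9443")
    effective["redirect_url"] = f"{host.rstrip('/')}/oidcclient/redirect/{provider}"
    return effective, problems
```

Run it against your own fragment before `setup` or `setup-upg`; the returned redirect_url must match the redirect URI registered with the provider exactly.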