Identity Gateway 7.2

Single sign-on with OpenID Connect and the ForgeRock Identity Cloud

This example sets up ForgeRock Identity Cloud as an OpenID Connect identity provider, and Identity Gateway as a relying party.

For more information about Identity Gateway and OpenID Connect, see Act as an OpenID Connect relying party.

This procedure uses the Resource Owner Password Credentials grant type. According to The OAuth 2.0 Authorization Framework, minimize use of this grant type and use other grant types whenever possible.

Before you start, prepare Identity Cloud, IG, and the sample application as described in Example installation for this guide.

  1. Set up Identity Cloud:

    1. Log in to Identity Cloud as an administrator.

    2. Go to Identities > Manage > Alpha realm - Users, and add a user with the following values:

      • Username: demo

      • First name: demo

      • Last name: user

      • Email Address: demo@example.com

      • Password: Ch4ng3!t

    3. Make sure that you are managing the alpha realm. If not, click the current realm at the top of the screen, and switch realm.

    4. Add a web application:

      1. In the platform console, click Applications > Add Application > Web, and add a web application with the following values:

        • Client ID: oidc-client

        • Client Secret: password

      2. In General Settings on the application page, add the following values:

        • Sign-in URLs: http://ig.example.com:8080/home/id_token/callback

        • Grant Types: Authorization Code, Resource Owner Password Credentials

        • Scopes: openid, profile, mail

      3. Click Show advanced settings > Authentication, and select Implied Consent:

        With implied consent, the resource owner is not asked for consent during authorization flows.

  2. Set up Identity Gateway:

    1. Set an environment variable for the oidc-client password (the value is the base64 encoding of the client secret, password), and then restart IG:

      $ export CLIENT_SECRET_ID='cGFzc3dvcmQ='

    2. Add the following route to IG, to serve .css and other static resources for the sample application:

      Linux: $HOME/.openig/config/routes/static-resources.json
      Windows: %appdata%\OpenIG\config\routes\static-resources.json

      {
        "name" : "sampleapp-resources",
        "baseURI" : "http://app.example.com:8081",
        "condition": "${find(request.uri.path,'^/css')}",
        "handler": "ReverseProxyHandler"
      }

    3. Add the following route to Identity Gateway, replacing the value for the property amInstanceUrl with your tenant URL:

      Linux: $HOME/.openig/config/routes/oidc-idc.json
      Windows: %appdata%\OpenIG\config\routes\oidc-idc.json

      {
        "name": "oidc-idc",
        "baseURI": "http://app.example.com:8081",
        "condition": "${find(request.uri.path, '^/home/id_token')}",
        "properties": {
          "amInstanceUrl": "https://myTenant.forgeblocks.com/am"
        },
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          }
        ],
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
              {
                "name": "AuthorizationCodeOAuth2ClientFilter-1",
                "type": "AuthorizationCodeOAuth2ClientFilter",
                "config": {
                  "clientEndpoint": "/home/id_token",
                  "failureHandler": {
                    "type": "StaticResponseHandler",
                    "config": {
                      "status": 500,
                      "headers": {
                        "Content-Type": [
                          "text/plain"
                        ]
                      },
                      "entity": "Error in OAuth 2.0 setup."
                    }
                  },
                  "registrations": [
                    {
                      "name": "oauth2-client",
                      "type": "ClientRegistration",
                      "config": {
                        "clientId": "oidc-client",
                        "clientSecretId": "client.secret.id",
                        "issuer": {
                          "name": "Issuer",
                          "type": "Issuer",
                          "config": {
                            "wellKnownEndpoint": "&{amInstanceUrl}/oauth2/realms/alpha/.well-known/openid-configuration"
                          }
                        },
                        "scopes": [
                          "openid",
                          "profile",
                          "mail"
                        ],
                        "secretsProvider": "SystemAndEnvSecretStore-1",
                        "tokenEndpointAuthMethod": "client_secret_basic"
                      }
                    }
                  ],
                  "requireHttps": false,
                  "cacheExpiration": "disabled"
                }
              }
            ],
            "handler": "ReverseProxyHandler"
          }
        }
      }

      Notice the following difference from 07-openid.json in Use AM As a Single OpenID Connect Provider, where Access Management runs locally:

      • The ClientRegistration wellKnownEndpoint points to the Identity Cloud tenant: it is built from the amInstanceUrl property and the OpenID Connect discovery path of the alpha realm.
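      The route above wires several values together that must agree with each other and with the Identity Cloud application: the clientSecretId must resolve to the environment variable set in the export step, the &{amInstanceUrl} property must resolve to an https discovery endpoint, and the callback IG derives from clientEndpoint must be one of the registered Sign-in URLs. The following script is an added example, not part of Identity Gateway or the ForgeRock documentation, that checks these points offline before IG is restarted. It embeds a trimmed copy of the oidc-idc route (the failureHandler is left out), takes the IG base URL and Sign-in URL from this procedure, and assumes that SystemAndEnvSecretStore maps a secret ID to an environment variable by upper-casing it and replacing dots and hyphens with underscores (the mapping the export step relies on); the function names (check_route, route_matches, and so on) are the example's own.

```python
# Added example (not Identity Gateway code): sanity-check the oidc-idc route
# and its secret before restarting IG.
import base64
import json
import os
import re
from urllib.parse import urlparse

# Constructed: the oidc-idc route from this procedure, trimmed to the parts
# the checks need (the failureHandler is omitted).
ROUTE_JSON = r"""
{
  "name": "oidc-idc",
  "condition": "${find(request.uri.path, '^/home/id_token')}",
  "properties": {"amInstanceUrl": "https://myTenant.forgeblocks.com/am"},
  "handler": {"type": "Chain", "config": {
    "filters": [{"type": "AuthorizationCodeOAuth2ClientFilter", "config": {
      "clientEndpoint": "/home/id_token",
      "registrations": [{"type": "ClientRegistration", "config": {
        "clientId": "oidc-client",
        "clientSecretId": "client.secret.id",
        "issuer": {"type": "Issuer", "config": {"wellKnownEndpoint":
          "&{amInstanceUrl}/oauth2/realms/alpha/.well-known/openid-configuration"}},
        "scopes": ["openid", "profile", "mail"],
        "secretsProvider": "SystemAndEnvSecretStore-1",
        "tokenEndpointAuthMethod": "client_secret_basic"}}],
      "requireHttps": false, "cacheExpiration": "disabled"}}],
    "handler": "ReverseProxyHandler"}}
}
"""
# From this procedure: where IG is reached, and the Sign-in URL registered for oidc-client.
IG_BASE_URL = "http://ig.example.com:8080"
SIGN_IN_URLS = ["http://ig.example.com:8080/home/id_token/callback"]


def secret_env_name(secret_id):
    """Environment variable SystemAndEnvSecretStore reads for a secret ID: dots and
    hyphens become underscores, letters are upper-cased (assumed mapping; it matches
    the export step above, client.secret.id -> CLIENT_SECRET_ID)."""
    return re.sub(r"[.-]", "_", secret_id).upper()


def resolve_properties(text, properties):
    """Substitute &{name} with values from the route's 'properties'; unknown names stay."""
    return re.sub(r"&\{([^}]+)\}", lambda m: properties.get(m.group(1), m.group(0)), text)


def route_matches(condition, path):
    """Evaluate a ${find(request.uri.path, '<regex>')} route condition against a path."""
    m = re.fullmatch(r"\$\{find\(request\.uri\.path,\s*'([^']*)'\)\}", condition.strip())
    if not m:
        raise ValueError("unsupported condition: " + condition)
    return re.search(m.group(1), path) is not None


def client_secret_from_env(secret_id, env):
    """Decoded client secret, or None if the variable is missing or not valid base64."""
    raw = env.get(secret_env_name(secret_id))
    if raw is None:
        return None
    try:
        return base64.b64decode(raw, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def check_route(route_json, env, ig_base_url, sign_in_urls):
    """Return the problems found; an empty list means the route is coherent."""
    route = json.loads(route_json)
    filt = route["handler"]["config"]["filters"][0]["config"]
    reg = filt["registrations"][0]["config"]
    problems = []
    # Discovery must resolve fully and be fetched over TLS; otherwise the token and
    # authorization endpoints IG learns from it could be substituted on the wire.
    well_known = resolve_properties(reg["issuer"]["config"]["wellKnownEndpoint"],
                                    route.get("properties", {}))
    if "&{" in well_known:
        problems.append("unresolved property in wellKnownEndpoint: " + well_known)
    elif urlparse(well_known).scheme != "https":
        problems.append("wellKnownEndpoint is not https: " + well_known)
    # The secret must be present, base64-encoded, in the environment IG starts with.
    if client_secret_from_env(reg["clientSecretId"], env) is None:
        problems.append("%s is not set to a base64 value for secret %s"
                        % (secret_env_name(reg["clientSecretId"]), reg["clientSecretId"]))
    # The callback IG derives from clientEndpoint must be a registered Sign-in URL
    # and must be selected by this route's own condition.
    callback = ig_base_url + filt["clientEndpoint"] + "/callback"
    if callback not in sign_in_urls:
        problems.append("callback %s is not a registered Sign-in URL" % callback)
    if not route_matches(route["condition"], filt["clientEndpoint"] + "/callback"):
        problems.append("route condition does not select its own callback path")
    if "openid" not in reg["scopes"]:
        problems.append("scopes lack 'openid', so no ID token will be issued")
    if not filt.get("requireHttps", True) and urlparse(ig_base_url).scheme != "https":
        problems.append("requireHttps is false and IG is reached over http: lab-only setting")
    return problems


if __name__ == "__main__":
    findings = check_route(ROUTE_JSON, os.environ, IG_BASE_URL, SIGN_IN_URLS)
    for line in findings or ["route looks coherent"]:
        print(line)
```

      Run it in the same shell in which CLIENT_SECRET_ID was exported. For the configuration in this procedure it reports only that requireHttps is false while IG is reached over plain http, which is acceptable for the sample setup but should be reversed before the route is used outside a lab.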

  3. Test the setup:

    1. Go to http://ig.example.com:8080/home/id_token. The Identity Cloud login page is displayed.

    2. Log in to Identity Cloud as user demo, password Ch4ng3!t. The home page of the sample application is displayed.