
A Basic Java Web Application to Understand OpenID Connect using Auth0


  1. What is OpenID Connect?
  2. Create OpenID Client Application using Auth0
  3. A Basic Java Web Application to Understand OpenID Connect using Auth0 - You Are Here!
  4. What is JWT?
  5. Java Auth0 OpenID Connect JWT Signature Verification

The endpoints used in this example:

A. Authorization Endpoint: https://mifraz.auth0.com/authorize
B. Token Endpoint: https://mifraz.auth0.com/oauth/token
C. Redirection Endpoint (Callback URL): http://localhost:9999/oauth/access


The list of endpoints is available in the advanced settings section of the application settings.


Further, the redirection endpoint must be pre-registered with the Auth0 identity server as an Allowed Callback URL.


1. User clicks on ‘Login with Auth0’



The source code of the above button is as follows. The REST service at /login-auth0 is invoked once the user clicks on ‘Login with Auth0’.


2. Once the user clicks on the above button, the following REST service is invoked and the authentication request is sent to the authorization server.

// Spring Web imports used by the handler (assumed; the original excerpt omits them)
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.view.RedirectView;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

@RequestMapping(value = "/login-auth0", method = RequestMethod.GET)
public RedirectView processForm1() {
    RedirectView redirectView = new RedirectView();

    // Prepare the OAuth authorization URL. Each value is URL-encoded because the
    // scope (e.g. "openid profile") and redirect_uri contain reserved characters
    // (URLEncoder.encode(String, Charset) is the Java 10+ overload).
    // state is a fixed value in this demo; a real client sends an unguessable
    // per-session value and compares it with the one echoed on the callback.
    String url = auth.getAuthorizationURI() +
            "?audience=" + URLEncoder.encode(auth.getAudienceURI(), StandardCharsets.UTF_8) +
            "&scope=" + URLEncoder.encode(client.getScope(), StandardCharsets.UTF_8) +
            "&response_type=code" +
            "&client_id=" + URLEncoder.encode(client.getClientID(), StandardCharsets.UTF_8) +
            "&redirect_uri=" + URLEncoder.encode(client.getRedirectURI(), StandardCharsets.UTF_8) +
            "&state=123";
    redirectView.setUrl(url);
    return redirectView;
}

All the parameters for the above request are pre-configured in application.yml and can be accessed through the classes AuthProperties.java and ClientProperties.java.
The Auth0 identity server also requires the Audience URI in the authentication request; it can be found in the API settings.


3. In response to the above request, the user consent page is shown, asking the user to authorize the client application. (If the user is not logged in, the login page is shown before the consent page.)


4. Once the user has authorized the client application, the authorization code is sent to the client application through the registered callback URL / redirection URL (http://localhost:9999/oauth/access).

http://localhost:9999/oauth/access?state=123&code=8b19c95f860fe61c281cb6d
The received code is extracted in the REST service mapped to that same path (/oauth/access):

// Handle the response received from Auth0 after the user authorization
@RequestMapping(value = "/oauth/access", method = RequestMethod.GET)
public RedirectView authUser(ModelMap model,
                             @RequestParam(value = "code", required = true) String authCode) {
    // Steps 5 and 6: request the user information by presenting the received
    // authorization code (getAuthResponse), then extract the id_token payload
    // (getUserData). Before the code is used, the echoed state parameter should
    // be compared with the value sent in step 2.
}


5. Request user information from the authorization server by providing the authorization code.

String response = getAuthResponse(authCode);

The getAuthResponse() method sends a POST request to the Token Endpoint (https://mifraz.auth0.com/oauth/token) of the authorization server including the necessary parameters in the POST body as follows.

       
         //OAuth Token URL
        String auth_url = auth.getTokenURI();
       
        //Prepare POST Request Body
        String POST_PARAMS = "grant_type=authorization_code"+
                            "&client_id="+client.getClientID()+
                            "&client_secret="+client.getClientSecret()+
                            "&code="+authCode+
                      "&redirect_uri="+client.getRedirectURI(); 

As with the authorization request, all the parameters above are pre-configured in application.yml and can be accessed through the classes AuthProperties.java and ClientProperties.java.


6. The response to the above POST request is handled by getAuthResponse() itself and returned as a String.

The response will include the following:

Part of the raw response is shown below.

The id_token carries the requested authenticated-user information as a JWT. A JWT consists of a header, a body (payload) and a signature, separated by dots (X.Y.Z); if you examine the id_token above, the three dot-separated parts are clearly visible. To understand JWT further, refer to the next post in this series, What is JWT?

The method getUserData() extracts the id_token from the response and returns the body (payload) of the JWT-encoded id_token as JSON.
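As an added, self-contained illustration of what getUserData() does (example code written for this page, not the post's own implementation): pull the id_token out of the token-endpoint response and base64url-decode its second segment. The class name, the regex used instead of a JSON library, and the sample claim values are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class IdTokenReader {

    // Pulls the id_token value out of the token endpoint's JSON response.
    // A regex keeps the example dependency-free; a real application would use
    // a JSON parser such as Jackson or Gson.
    static String extractIdToken(String tokenResponse) {
        Matcher m = Pattern.compile("\"id_token\"\\s*:\\s*\"([^\"]+)\"").matcher(tokenResponse);
        if (!m.find()) {
            throw new IllegalArgumentException("token response carries no id_token");
        }
        return m.group(1);
    }

    // Returns the JWT payload (second segment) as a JSON string. This only DECODES
    // the claims; it does not verify the signature, so nothing returned here may be
    // trusted until the signature check from the next post in the series has passed.
    static String decodePayload(String idToken) {
        String[] parts = idToken.split("\\.", -1); // -1 keeps an empty signature segment
        if (parts.length != 3) {
            throw new IllegalArgumentException(
                    "expected header.payload.signature, got " + parts.length + " segments");
        }
        // JWT segments are base64url without padding: use the URL decoder, not
        // Base64.getDecoder(), which rejects the '-' and '_' characters.
        byte[] json = Base64.getUrlDecoder().decode(parts[1]);
        return new String(json, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample: a fake id_token built from a hand-written header and
        // payload plus a dummy signature segment, wrapped in a token-style response.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString(
                "{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(
                ("{\"iss\":\"https://mifraz.auth0.com/\",\"sub\":\"auth0|example-user\","
                 + "\"aud\":\"CLIENT_ID_PLACEHOLDER\"}").getBytes(StandardCharsets.UTF_8));
        String idToken = header + "." + payload + ".dummysignature";
        String response = "{\"access_token\":\"x\",\"id_token\":\"" + idToken
                + "\",\"token_type\":\"Bearer\"}";

        System.out.println(decodePayload(extractIdToken(response)));
    }
}
```

Decoding the payload this way is enough to read the claims, but a client must not act on them (sub, iss, aud) until the signature has been verified against Auth0's published key, which is the subject of the next post, Java Auth0 OpenID Connect JWT Signature Verification.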


