From 402e7aebd20322ef465a3805d3834c7174bc9bbc Mon Sep 17 00:00:00 2001
From: Madhumita Subramaniam
Date: Tue, 15 Nov 2022 13:36:02 +0530
Subject: [PATCH] fix: #2487 - SIWA and SIWG (Sign in with Apple-Google), moved to script-catalog (#2983)
---
 docs/admin/recipes/social-login-google.md | 109 ----------
 docs/admin/recipes/social-login.md | 10 +-
 .../AppleExternalAuthenticator.py | 0
 .../apple-external-authenticator/README.md} | 23 +--
 .../fido2-external-authenticator/README.md | 34 ++--
 .../google-external-authenticator/README.md | 109 +++++++++-
 .../GoogleExternalAuthenticator.py | 191 ------------------
 7 files changed, 139 insertions(+), 337 deletions(-)
 delete mode 100644 docs/admin/recipes/social-login-google.md
 rename {jans-linux-setup/jans_setup/static/extension/person_authentication => docs/script-catalog/person_authentication/apple-external-authenticator}/AppleExternalAuthenticator.py (100%)
 rename docs/{admin/recipes/social-login-apple.md => script-catalog/person_authentication/apple-external-authenticator/README.md} (86%)
 delete mode 100644 jans-linux-setup/jans_setup/static/extension/person_authentication/GoogleExternalAuthenticator.py
diff --git a/docs/admin/recipes/social-login-google.md b/docs/admin/recipes/social-login-google.md
deleted file mode 100644
index 13391e86029..00000000000
--- a/docs/admin/recipes/social-login-google.md
+++ /dev/null
@@ -1,109 +0,0 @@ ---- -tags: - - administration - - recipes ---- - -## Social Login with Google - -An out-of-the-box feature, the Google Authentication script is a `PersonAuthenticationType` script which enables a user to sign-in using Google credentials. Google's OAuth 2.0 APIs are used for this. After users authenticate using their Google credentials, their Google credentials are provisioned into the Jans-auth server. - -## Prerequisites - -- A Jans-auth Server (installation instructions [here](https://github.com/JanssenProject/jans/tree/main/jans-linux-setup#readme)) -- The [Google authentication script](https://github.com/JanssenProject/jans/tree/main/jans-linux-setup/jans_setup/static/extension/person_authentication/GoogleExternalAuthenticator.py) (included in the default Jans-auth Server distribution); -- A [Google account](https://accounts.google.com/). -- Google API jars namely [google-api-client](https://repo1.maven.org/maven2/com/google/api-client/google-api-client/1.33.2/google-api-client-1.33.2.jar), [google-oauth-client](https://repo1.maven.org/maven2/com/google/oauth-client/google-oauth-client/1.33.1/google-oauth-client-1.33.1.jar) and [google-http-client-jackson2](https://repo1.maven.org/maven2/com/google/http-client/google-http-client-jackson2/1.41.5/google-http-client-jackson2-1.41.5.jar) added to jans-auth-server - - -## Configuring Google API keys: - -On the Google side, you need OAuth 2.0 credentials, including a client ID and client secret, to authenticate users and gain access to Google's APIs. -The following steps explain how to create credentials for your project. Your applications can then use the credentials to access APIs that you have enabled for that project. - -1. Go to the [Credentials page](https://console.developers.google.com/apis/credentials). -2. Click Create credentials > OAuth client ID. -3. Select the Web application application type. -4. Name your OAuth 2.0 client and click Create -5. 
Configure **Authorized redirect URIs** , click **ADD URI** to add the Janssen's `https://my.auth.server/postlogin.htm` where the control returns back to the AS. -6. Configure **Authorized JavaScript origins**, click **ADD URI** to add Janssen's FQDN `https://my.auth.server` because we are using [Google Client JS](https://developers.google.com/identity/gsi/web/guides/client-library) and it needs valid JS origin. - -## Configure jans-auth server - -### Download Google Client JSON file -On the following page, https://console.cloud.google.com/apis/credentials, you will see a table containing your recently created client. Click on the download button and download the JSON file containing details of the Client. -Place this file in `/etc/certs/google_client_secret.json` - -### Add Google libraries to jans-auth-server - -1. Copy the library files to `/opt/jans/jetty/jans-auth/custom/libs` -- `cd /opt/jans/jetty/jans-auth/custom/libs ` -- `wget https://repo1.maven.org/maven2/com/google/api-client/google-api-client/1.33.2/google-api-client-1.33.2.jar -O google-api-client-1.33.2.jar` -- `wget https://repo1.maven.org/maven2/com/google/oauth-client/google-oauth-client/1.33.1/google-oauth-client-1.33.1.jar -O google-oauth-client-1.33.1.jar` -- `wget https://repo1.maven.org/maven2/com/google/http-client/google-http-client-jackson2/1.41.5/google-http-client-jackson2-1.41.5.jar -O google-http-client-jackson2-1.41.5.jar` - - -2. Edit `/opt/jans/jetty/jans-auth/webapps/oxauth.xml` and add the following line: - - ``` - ./custom/libs/google-oauth-client-1.33.1.jar,./custom/libs/google-api-client-1.33.2.jar,./custom/libs/google-http-client-jackson2-1.41.5.jar - ``` - -3. 
Restart the `jans-auth` service -` systemctl status jans-auth ` - -### Properties - -The custom script has the following properties: - -| Property | Description | Input value | -|-----------------------|-------------------------------|---------------| -|`google_creds_file` |Details of the client created on https://console.cloud.google.com/apis/credentials. See [this](https://github.com/maduvena/jans-docs/wiki/Google-Authentication-Script/_edit#download-google-client-json-file) step. | `/etc/certs/google_client_secret.json`| - -To update this setting in Jans persistence, follow this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-custom-scripts.md#update-an-existing-custom-script) - -### Enable Sign-in with Google Authentication script -By default, users will get the default authentication mechanism as specified above. However, using the OpenID Connect acr_values parameter, web and mobile clients can request any enabled authentication mechanism. - -Obtain the json contents of `google` custom script by using a jans-cli command like get-config-scripts-by-type, get-config-scripts-by-inum etc. -``` -e.g : /opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-type --url-suffix type:PERSON_AUTHENTICATION , /opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-inum --url-suffix inum:6122281b-b55d-4dd0-8115-b098eeeee2b7 -``` -Update the custom script and change the enabled attribute to `true` -Now Google is an available authentication mechanism for your Janssen Server. This means that, using OpenID Connect acr_values, applications can now request Google authentication for users. - -!!! Note To make sure `google` has been enabled successfully, you can check your Janssen's Auth Server OpenID Connect configuration by navigating to the following URL: https:///.well-known/openid-configuration. Find "acr_values_supported": and you should see "google". 
- -### Make Sign-in with Google Script as default authentication script: - -Use this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-default-authentication-method.md) as a reference. - -Steps: -1. Create a file say `google-auth-default.json` with the following contents -``` -{ - "defaultAcr": "google" -} -``` -2.Update the default authentication method to Google Sign-in -``` -/opt/jans/jans-cli/config-cli.py --operation-id put-acrs --data /tmp/google-auth-default.json -``` - - -:memo: **NOTE** - -To make sure `google` has been enabled successfully as a default authentication method, you can check your Gluu Server's OpenID Connect configuration by navigating to the following URL: `https:///.well-known/openid-configuration`. Find `"acr_values_supported":` and you should see `"google"`. - -## Test the feature - Sign-in with Google -To test , enter the complete URL for authorization in a browser or create a simple webmapage with a link that simulates the user sign-in attempt. If the server is configured properly, the first page for the selected authentication method will be displayed to the user. - -An example of a complete URL looks like this - -``` -https:///jans-auth/authorize.htm?response_type=code&redirect_uri=https:///admin&client_id=&scope=openid+profile+email+user_name&state=faad2cdjfdddjfkdf&nonce=dajdffdfsdcfff -``` - - - - - \ No newline at end of file diff --git a/docs/admin/recipes/social-login.md b/docs/admin/recipes/social-login.md index d0920b0f2e8..1a6e01cbed8 100644 --- a/docs/admin/recipes/social-login.md +++ b/docs/admin/recipes/social-login.md 
@@ -4,17 +4,17 @@ tags: - recipes --- -## Implementing Social logins +## Implementing Social logins You can use a `PersonAuthenticationType` script to allow users to sign using credentials from popular **Social Identity providers** or **Inbound Identity Providers** like Facebook, Google and Apple. After users authenticate, we provision their Social Identity Provider credentials into the Jans-auth server. No additional username, password, credentials are needed for this user. 1. Facebook -2. [Google](https://github.com/JanssenProject/jans/blob/main/docs/admin/recipes/social-login-google.md) -3. [Apple](https://github.com/JanssenProject/jans/blob/main/docs/admin/recipes/social-login-apple.md) +2. [Google](../../script-catalog/person-authentication/google-external-authenticator/README.md) +3. [Apple](../../script-catalog/person-authentication/apple-external-authenticator/README.md) -Following is a high-level diagram depicting a typical flow - user authentication on a Social Identity Platform and subsequent user provisioning on Jans-Auth server. +Following is a high-level diagram depicting a typical flow - user authentication on a Social Identity Platform and subsequent user provisioning on Jans-Auth server. You can copy paste this sequence in [https://sequencediagram.org/](https://sequencediagram.org/) ``` -title Social login +title Social login Jans AS<-User agent: 1. Invoke /authorize endpoint Jans AS->User agent: 2. Discovery: Present list of remote IDPs (Google, Apple, FB...) User agent->Jans AS: 3. Select IDP (e.g. click on button) 
diff --git a/jans-linux-setup/jans_setup/static/extension/person_authentication/AppleExternalAuthenticator.py b/docs/script-catalog/person_authentication/apple-external-authenticator/AppleExternalAuthenticator.py
similarity index 100%
rename from jans-linux-setup/jans_setup/static/extension/person_authentication/AppleExternalAuthenticator.py
rename to docs/script-catalog/person_authentication/apple-external-authenticator/AppleExternalAuthenticator.py
diff --git a/docs/admin/recipes/social-login-apple.md b/docs/script-catalog/person_authentication/apple-external-authenticator/README.md
similarity index 86%
rename from docs/admin/recipes/social-login-apple.md
rename to docs/script-catalog/person_authentication/apple-external-authenticator/README.md
index 8064ebe6d7c..eb6711611b5 100644
--- a/docs/admin/recipes/social-login-apple.md
+++ b/docs/script-catalog/person_authentication/apple-external-authenticator/README.md
@@ -4,27 +4,27 @@ tags: - recipes --- -## Social Login with Apple +## Social Login with Apple An out-of-the-box feature, the Sign-in with Apple Authentication script is a `PersonAuthenticationType` script which enables a user to sign-in using Apple credentials. After users authenticate using their Apple credentials, their Apple credentials are provisioned into the Jans-auth server. -## Prerequisites +## Prerequisites -- A Jans-auth Server (installation instructions [here](https://github.com/JanssenProject/jans/tree/main/jans-linux-setup#readme)) -- The [Sign-in with Apple authentication script](https://github.com/JanssenProject/jans/tree/main/jans-linux-setup/jans_setup/static/extension/person_authentication/AppleExternalAuthenticator.py) (included in the default Jans-auth Server distribution); +- A Jans-auth Server installation +- The [Sign-in with Apple authentication script](./AppleExternalAuthenticator.py) (included in the default Jans-auth Server distribution); - An [Apple developer account](https://developer.apple.com/). ## Configurations at Apple Identity Provider: -You will need to configure a service id, linked to your App identifier. For each website that uses Sign In with Apple, register a services identifier (Services ID) and configure your domain and return URL. +You will need to configure a service id, linked to your App identifier. For each website that uses Sign In with Apple, register a services identifier (Services ID) and configure your domain and return URL. 1. Under `Certificates, Identifiers and Profiles` --> `Identifiers` --> Click on the `+` button 2. In the `Register a new identifier` select `Service ID` 3. After filling out the description and identifier name, save the Service ID 4. Now edit the saved Service ID and enable the `Sign in with Apple` checkbox and click `Configure` button -5. Configure the Janssen's server's callback url `https:///postlogin.htm` as a `Website URL` +5. 
Configure the Janssen's server's callback url `https:///postlogin.htm` as a `Website URL` ## Configure jans-auth server -Configure the custom script: +Configure the custom script: ### Properties The custom script has the following properties: @@ -34,7 +34,7 @@ The custom script has the following properties: |`apple_client_id` |Name of Service ID on developer.apple.com. | `com.company.name`| |`apple_jwks` | Apple’s public JWK to validate Apple Identity Token | `https://appleid.apple.com/auth/keys`| -To update this setting in Jans persistence, follow this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-custom-scripts.md#update-an-existing-custom-script) +To update this setting in Jans persistence, follow this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-custom-scripts.md#update-an-existing-custom-script) ### Enable Sign-in with Apple Authentication script By default, users will get the default authentication mechanism as specified above. However, using the OpenID Connect acr_values parameter, web and mobile clients can request any enabled authentication mechanism. 
@@ -67,7 +67,7 @@ Steps: :memo: **NOTE** -To make sure `apple` has been enabled successfully as a default authentication method, you can check your Janssen Server's OpenID Connect configuration by navigating to the following URL: `https:///.well-known/openid-configuration`. Find `"acr_values_supported":` and you should see `"apple"`. +To make sure `apple` has been enabled successfully as a default authentication method, you can check your Janssen Server's OpenID Connect configuration by navigating to the following URL: `https:///.well-known/openid-configuration`. Find `"acr_values_supported":` and you should see `"apple"`. ## Test the feature - Sign-in with Apple To test , enter the complete URL for authorization in a browser or create a simple webpage with a link that simulates the user sign-in attempt. If the server is configured properly, the first page for the selected authentication method will be displayed to the user. @@ -76,8 +76,3 @@ An example of a complete URL looks like this - ``` https:///jans-auth/authorize.htm?response_type=code&redirect_uri=https:///admin&client_id=&scope=openid+profile+email+user_name&state=faad2cdjfdddjfkdf&nonce=dajdffdfsdcfff ``` - - - - - \ No newline at end of file diff --git a/docs/script-catalog/person_authentication/fido2-external-authenticator/README.md b/docs/script-catalog/person_authentication/fido2-external-authenticator/README.md index edeb4b7ebb4..7e787382929 100644 --- a/docs/script-catalog/person_authentication/fido2-external-authenticator/README.md +++ b/docs/script-catalog/person_authentication/fido2-external-authenticator/README.md 
@@ -6,13 +6,13 @@ FIDO2 is comprised of the [W3C’s Web Authentication specification (WebAuthn)](https://www.w3.org/TR/webauthn/) and FIDO’s corresponding [Client-to-Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html). WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services. This document explains how to use the Janssen Auth Server's built-in -[FIDO2 interception script](https://github.com/JanssenProject/jans/blob/main/jans-linux-setup/jans_setup/static/extension/person_authentication/Fido2ExternalAuthenticator.py) -to implement a two-step, two-factor authentication (2FA) with username / password as the first step, and any FIDO2 device as the second step. +[FIDO2 interception script](https://github.com/JanssenProject/jans/blob/main/jans-linux-setup/jans_setup/static/extension/person_authentication/Fido2ExternalAuthenticator.py) +to implement a two-step, two-factor authentication (2FA) with username / password as the first step, and any FIDO2 device as the second step. ## Prerequisites - A Janssen Server ([installation instructions](https://github.com/JanssenProject/jans#installation)) - [FIDO2 interception script](https://github.com/JanssenProject/jans/blob/main/docs/script-catalog/person_authentication/fido2-external-authenticator/Fido2ExternalAuthenticator.py) (included in the default Janssen Server distribution); -- At least one FIDO2 device for testing, like one of the devices [listed below](#fido2-devices). +- At least one FIDO2 device for testing, like one of the devices [listed below](#fido2-devices). ### FIDO2 devices Some well known FIDO2 devices and manufacturers include: 
@@ -24,7 +24,7 @@ Some well known FIDO2 devices and manufacturers include: - [AuthenTrend](https://authentrend.com/) - [Apple's built-in Touch ID](https://support.apple.com/en-in/guide/mac-help/mchl16fbf90a/mac) -[Purchase FIDO2 devices on Amazon](https://www.amazon.com/s/ref=nb_sb_noss/146-0120855-4781335?url=search-alias%3Daps&field-keywords=fido2). Or, check [FIDO's certified products](https://fidoalliance.org/certification/fido-certified-products/) for a comprehensive list of FIDO2 devices (sort by `Specification` == `FIDO2`). +[Purchase FIDO2 devices on Amazon](https://www.amazon.com/s/ref=nb_sb_noss/146-0120855-4781335?url=search-alias%3Daps&field-keywords=fido2). Or, check [FIDO's certified products](https://fidoalliance.org/certification/fido-certified-products/) for a comprehensive list of FIDO2 devices (sort by `Specification` == `FIDO2`). ## Properties The script has the following properties 
@@ -37,18 +37,18 @@ The script has the following properties By default, users will get the default authentication mechanism as specified above. However, **using the OpenID Connect acr_values parameter, web and mobile clients can request any enabled authentication mechanism**. -1. Obtain the json contents of `fido2` custom script by using a jans-cli command like `get-config-scripts-by-type`, `get-config-scripts-by-inum` etc. +1. Obtain the json contents of `fido2` custom script by using a jans-cli command like `get-config-scripts-by-type`, `get-config-scripts-by-inum` etc. e.g : `/opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-type --url-suffix type:PERSON_AUTHENTICATION` , `/opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-inum --url-suffix inum:6122281b-b55d-4dd0-8115-b098eeeee2b7` 2. [Update the custom script](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-custom-scripts.md#update-an-existing-custom-script) and change the `enabled` attribute to `true` -Now FIDO2 is an available authentication mechanism for your Janssen Server. This means that, using OpenID Connect `acr_values`, applications can now request FIDO2 authentication for users. +Now FIDO2 is an available authentication mechanism for your Janssen Server. This means that, using OpenID Connect `acr_values`, applications can now request FIDO2 authentication for users. -!!! Note - To make sure FIDO2 has been enabled successfully, you can check your Janssen's Auth Server OpenID Connect - configuration by navigating to the following URL: `https:///.well-known/openid-configuration`. - Find `"acr_values_supported":` and you should see `"fido2"`. +!!! Note + To make sure FIDO2 has been enabled successfully, you can check your Janssen's Auth Server OpenID Connect + configuration by navigating to the following URL: `https:///.well-known/openid-configuration`. + Find `"acr_values_supported":` and you should see `"fido2"`. 
## Enable FIDO2 Script as default authentication script: Use this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-default-authentication-method.md) as a reference. @@ -73,24 +73,24 @@ Below is an illustration of the Janssen Server's default FIDO2 login page: ![fido2](https://github.com/JanssenProject/jans/raw/main/docs/assets/image_fido2.png) -The design is being rendered from the [FIDO2 xhtml page](https://github.com/JanssenProject/jans/blob/main/jans-auth-server/server/src/main/webapp/auth/fido2/login.xhtml). To customize the look and feel of this page, follow the [customization guide](https://jans.io/docs/admin/developer/customization/customize-web-pages/). +The design is being rendered from the [FIDO2 xhtml page](https://github.com/JanssenProject/jans/blob/main/jans-auth-server/server/src/main/webapp/auth/fido2/login.xhtml). To customize the look and feel of this page, follow the [customization guide](https://jans.io/docs/admin/developer/customization/customize-web-pages/). -## Using FIDO2 tokens +## Using FIDO2 tokens ### Credential enrollment -FIDO2 device enrollment happens during the first authentication attempt. +FIDO2 device enrollment happens during the first authentication attempt. ### Subsequent authentications -All subsequent FIDO2 authentications for that user account will require the enrolled FIDO2 key. +All subsequent FIDO2 authentications for that user account will require the enrolled FIDO2 key. ### FIDO2 credential management -A user's FIDO2 devices can be removed by a Janssen administrator in LDAP under the user entry as shown in the below screenshot. +A user's FIDO2 devices can be removed by a Janssen administrator in LDAP under the user entry as shown in the below screenshot. ![fido2](https://github.com/JanssenProject/jans/raw/main/docs/assets/image-fido2-ldap-structure.png) Diagram source in mermaid.live ``` graph TD - + A[ou=jans] --> K(ou=people) K --> K1[inum=....] K1 --> K11[ou=fido2_register] 
@@ -124,7 +124,7 @@ graph TD K32 --> K321[jansId=....] K32 --> K322[jansId=....] K32 --> K323[jansId=....] - + ``` ### FIDO2 discovery endpoint diff --git a/docs/script-catalog/person_authentication/google-external-authenticator/README.md b/docs/script-catalog/person_authentication/google-external-authenticator/README.md index 73147d7dfda..daae4d9a94c 100644 --- a/docs/script-catalog/person_authentication/google-external-authenticator/README.md +++ b/docs/script-catalog/person_authentication/google-external-authenticator/README.md 
@@ -1,2 +1,109 @@ -This is a placeholder +--- +tags: + - administration + - recipes +--- +## Social Login with Google + +An out-of-the-box feature, the Google Authentication script is a `PersonAuthenticationType` script which enables a user to sign-in using Google credentials. Google's OAuth 2.0 APIs are used for this. After users authenticate using their Google credentials, their Google credentials are provisioned into the Jans-auth server. + +## Prerequisites + +- A Jans-auth Server (installation instructions [here](https://github.com/JanssenProject/jans/tree/main/jans-linux-setup#readme)) +- The [Google authentication script](https://github.com/JanssenProject/jans/tree/main/jans-linux-setup/jans_setup/static/extension/person_authentication/GoogleExternalAuthenticator.py) (included in the default Jans-auth Server distribution); +- A [Google account](https://accounts.google.com/). +- Google API jars namely [google-api-client](https://repo1.maven.org/maven2/com/google/api-client/google-api-client/1.33.2/google-api-client-1.33.2.jar), [google-oauth-client](https://repo1.maven.org/maven2/com/google/oauth-client/google-oauth-client/1.33.1/google-oauth-client-1.33.1.jar) and [google-http-client-jackson2](https://repo1.maven.org/maven2/com/google/http-client/google-http-client-jackson2/1.41.5/google-http-client-jackson2-1.41.5.jar) added to jans-auth-server + + +## Configuring Google API keys: + +On the Google side, you need OAuth 2.0 credentials, including a client ID and client secret, to authenticate users and gain access to Google's APIs. +The following steps explain how to create credentials for your project. Your applications can then use the credentials to access APIs that you have enabled for that project. + +1. Go to the [Credentials page](https://console.developers.google.com/apis/credentials). +2. Click Create credentials > OAuth client ID. +3. Select the Web application application type. +4. Name your OAuth 2.0 client and click Create +5. 
Configure **Authorized redirect URIs** , click **ADD URI** to add the Janssen's `https://my.auth.server/postlogin.htm` where the control returns back to the AS. +6. Configure **Authorized JavaScript origins**, click **ADD URI** to add Janssen's FQDN `https://my.auth.server` because we are using [Google Client JS](https://developers.google.com/identity/gsi/web/guides/client-library) and it needs valid JS origin. + +## Configure jans-auth server + +### Download Google Client JSON file +On the following page, https://console.cloud.google.com/apis/credentials, you will see a table containing your recently created client. Click on the download button and download the JSON file containing details of the Client. +Place this file in `/etc/certs/google_client_secret.json` + +### Add Google libraries to jans-auth-server + +1. Copy the library files to `/opt/jans/jetty/jans-auth/custom/libs` +- `cd /opt/jans/jetty/jans-auth/custom/libs ` +- `wget https://repo1.maven.org/maven2/com/google/api-client/google-api-client/1.33.2/google-api-client-1.33.2.jar -O google-api-client-1.33.2.jar` +- `wget https://repo1.maven.org/maven2/com/google/oauth-client/google-oauth-client/1.33.1/google-oauth-client-1.33.1.jar -O google-oauth-client-1.33.1.jar` +- `wget https://repo1.maven.org/maven2/com/google/http-client/google-http-client-jackson2/1.41.5/google-http-client-jackson2-1.41.5.jar -O google-http-client-jackson2-1.41.5.jar` + + +2. Edit `/opt/jans/jetty/jans-auth/webapps/oxauth.xml` and add the following line: + + ``` + ./custom/libs/google-oauth-client-1.33.1.jar,./custom/libs/google-api-client-1.33.2.jar,./custom/libs/google-http-client-jackson2-1.41.5.jar + ``` + +3. 
Restart the `jans-auth` service +` systemctl status jans-auth ` + +### Properties + +The custom script has the following properties: + +| Property | Description | Input value | +|-----------------------|-------------------------------|---------------| +|`google_creds_file` |Details of the client created on https://console.cloud.google.com/apis/credentials. See [this](https://github.com/maduvena/jans-docs/wiki/Google-Authentication-Script/_edit#download-google-client-json-file) step. | `/etc/certs/google_client_secret.json`| + +To update this setting in Jans persistence, follow this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-custom-scripts.md#update-an-existing-custom-script) + +### Enable Sign-in with Google Authentication script +By default, users will get the default authentication mechanism as specified above. However, using the OpenID Connect acr_values parameter, web and mobile clients can request any enabled authentication mechanism. + +Obtain the json contents of `google` custom script by using a jans-cli command like get-config-scripts-by-type, get-config-scripts-by-inum etc. +``` +e.g : /opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-type --url-suffix type:PERSON_AUTHENTICATION , /opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-inum --url-suffix inum:6122281b-b55d-4dd0-8115-b098eeeee2b7 +``` +Update the custom script and change the enabled attribute to `true` +Now Google is an available authentication mechanism for your Janssen Server. This means that, using OpenID Connect acr_values, applications can now request Google authentication for users. + +!!! Note To make sure `google` has been enabled successfully, you can check your Janssen's Auth Server OpenID Connect configuration by navigating to the following URL: https:///.well-known/openid-configuration. Find "acr_values_supported": and you should see "google". 
+ +### Make Sign-in with Google Script as default authentication script: + +Use this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-default-authentication-method.md) as a reference. + +Steps: +1. Create a file say `google-auth-default.json` with the following contents +``` +{ + "defaultAcr": "google" +} +``` +2.Update the default authentication method to Google Sign-in +``` +/opt/jans/jans-cli/config-cli.py --operation-id put-acrs --data /tmp/google-auth-default.json +``` + + +:memo: **NOTE** + +To make sure `google` has been enabled successfully as a default authentication method, you can check your Gluu Server's OpenID Connect configuration by navigating to the following URL: `https:///.well-known/openid-configuration`. Find `"acr_values_supported":` and you should see `"google"`. + +## Test the feature - Sign-in with Google +To test , enter the complete URL for authorization in a browser or create a simple webmapage with a link that simulates the user sign-in attempt. If the server is configured properly, the first page for the selected authentication method will be displayed to the user. + +An example of a complete URL looks like this - +``` +https:///jans-auth/authorize.htm?response_type=code&redirect_uri=https:///admin&client_id=&scope=openid+profile+email+user_name&state=faad2cdjfdddjfkdf&nonce=dajdffdfsdcfff +``` + + + + + diff --git a/jans-linux-setup/jans_setup/static/extension/person_authentication/GoogleExternalAuthenticator.py b/jans-linux-setup/jans_setup/static/extension/person_authentication/GoogleExternalAuthenticator.py deleted file mode 100644 index 57a48b0dacb..00000000000 --- a/jans-linux-setup/jans_setup/static/extension/person_authentication/GoogleExternalAuthenticator.py +++ /dev/null 
@@ -1,191 +0,0 @@
-# Janssen Project software is available under the Apache 2.0 License (2004). See http://www.apache.org/licenses/ for full text.
-# Copyright (c) 2020, Janssen Project
-#
-# Author: Madhumita Subramaniam
-#
-
-from io.jans.service.cdi.util import CdiUtil
-from io.jans.as.server.security import Identity
-from io.jans.model.custom.script.type.auth import PersonAuthenticationType
-from io.jans.as.server.service import AuthenticationService, UserService
-from io.jans.util import StringHelper
-from io.jans.as.server.util import ServerUtil
-
-from io.jans.as.common.model.common import User
-from io.jans.orm import PersistenceEntryManager
-from io.jans.as.persistence.model.configuration import GluuConfiguration
-from java.math import BigInteger
-from java.security import SecureRandom
-import java
-import sys
-import json
-
-
-from java.util import Collections, HashMap, HashSet, ArrayList, Arrays, Date
-
-from com.google.api.client.googleapis.auth.oauth2 import GoogleIdToken
-from com.google.api.client.googleapis.auth.oauth2.GoogleIdToken import Payload
-from com.google.api.client.googleapis.auth.oauth2 import GoogleIdTokenVerifier
-
-from com.google.api.client.http.javanet import NetHttpTransport;
-from com.google.api.client.json.jackson2 import JacksonFactory;
-
-
-class PersonAuthentication(PersonAuthenticationType):
- def __init__(self, currentTimeMillis):
-
-
- self.currentTimeMillis = currentTimeMillis
-
- def init(self, customScript, configurationAttributes):
- print "Google. Initialization"
- google_creds_file = configurationAttributes.get("google_creds_file").getValue2()
- # Load credentials from file
- f = open(google_creds_file, 'r')
- try:
- data = json.loads(f.read())
- print data
- creds = data["web"]
- print creds
- except:
- print "Google. Initialization. 
Failed to load creds from file:", google_creds_file
- print "Exception: ", sys.exc_info()[1]
-
- return False
- finally:
- f.close()
-
- self.client_id = str(creds["client_id"])
- self.project_id = str(creds["project_id"])
- self.auth_uri = str(creds["auth_uri"])
- self.token_uri = str(creds["token_uri"])
- self.auth_provider_x509_cert_url = str(creds["auth_provider_x509_cert_url"])
- self.redirect_uris = str(creds["redirect_uris"])
- self.javascript_origins = str(creds["javascript_origins"])
- print "Google. Initialized successfully"
- return True
-
- def destroy(self, configurationAttributes):
- print "Google. Destroy"
- print "Google. Destroyed successfully"
- return True
-
- def getAuthenticationMethodClaims(self, requestParameters):
- return None
-
- def getApiVersion(self):
- return 11
-
- def isValidAuthenticationMethod(self, usageType, configurationAttributes):
- return True
-
- def getAlternativeAuthenticationMethod(self, usageType, configurationAttributes):
- return None
-
-
- def authenticate(self, configurationAttributes, requestParameters, step):
- authenticationService = CdiUtil.bean(AuthenticationService)
-
- if (step == 1):
- print "Google. 
Authenticate for step 1"
- identity = CdiUtil.bean(Identity)
-
- googleCred = ServerUtil.getFirstValue(requestParameters, "credential")
- if googleCred is not None:
- googleIdToken = ServerUtil.getFirstValue(requestParameters, "credential")
- google_Id = self.verifyIDToken(googleIdToken)
- # if user doesnt exist in persistence, add
- foundUser = self.findUserByGoogleId(google_Id)
- if foundUser is None:
- foundUser = User()
- foundUser.setAttribute("jansExtUid", "passport-google:"+google_Id)
- foundUser.setAttribute(self.getLocalPrimaryKey(),google_Id)
-
- userService = CdiUtil.bean(UserService)
- result = userService.addUser(foundUser, True)
- foundUser = self.findUserByGoogleId(google_Id)
-
- logged_in = authenticationService.authenticate(foundUser.getUserId())
- return logged_in
-
- else:
- credentials = identity.getCredentials()
- user_name = credentials.getUsername()
- user_password = credentials.getPassword()
-
- logged_in = False
- if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
- logged_in = authenticationService.authenticate(user_name, user_password)
-
- return logged_in
- else:
- print "Google. Authenticate Error"
- return False
-
- def verifyIDToken(self, googleIdToken):
- verifier = GoogleIdTokenVerifier.Builder(NetHttpTransport(), JacksonFactory()).setAudience(Collections.singletonList(self.client_id)).build()
- # the GoogleIdTokenVerifier.verify() method verifies the JWT signature, the aud claim, the iss claim, and the exp claim. 
- idToken = verifier.verify(googleIdToken)
- if idToken is not None:
- payload = idToken.getPayload()
- userId = payload.getSubject()
- print "User ID: %s" % userId
-
- #email = payload.getEmail()
- #emailVerified = Boolean.valueOf(payload.getEmailVerified())
- #name = str( payload.get("name"))
- #pictureUrl = str(payload.get("picture"))
- #locale = str( payload.get("locale"))
- #familyName = str( payload.get("family_name"))
- #givenName = str( payload.get("given_name"))
- return userId
-
- else :
- print "Invalid ID token."
- return None
-
- def findUserByGoogleId(self, googleId):
- userService = CdiUtil.bean(UserService)
- return userService.getUserByAttribute("jansExtUid", "passport-google:"+googleId)
-
- def getLocalPrimaryKey(self):
- entryManager = CdiUtil.bean(PersistenceEntryManager)
- config = GluuConfiguration()
- config = entryManager.find(config.getClass(), "ou=configuration,o=jans")
- #Pick (one) attribute where user id is stored (e.g. uid/mail)
- # primaryKey is the primary key on the backend AD / LDAP Server
- # localPrimaryKey is the primary key on Gluu. This attr value has been mapped with the primary key attr of the backend AD / LDAP when configuring cache refresh
- uid_attr = config.getIdpAuthn().get(0).getConfig().findValue("localPrimaryKey").asText()
- print "Casa. init. uid attribute is '%s'" % uid_attr
- return uid_attr
-
- def prepareForStep(self, configurationAttributes, requestParameters, step):
- if (step == 1):
- print "Google. 
Prepare for Step 1"
- identity = CdiUtil.bean(Identity)
- identity.setWorkingParameter("gclient_id",self.client_id)
- return True
- else:
- return False
-
- def getExtraParametersForStep(self, configurationAttributes, step):
- return None
-
- def getCountAuthenticationSteps(self, configurationAttributes):
- return 1
-
- def getPageForStep(self, configurationAttributes, step):
-
- if(step == 1):
- return "/auth/google/login.xhtml"
- return ""
-
- def getNextStep(self, configurationAttributes, requestParameters, step):
- return -1
-
- def getLogoutExternalUrl(self, configurationAttributes, requestParameters):
- print "Get external logout URL call"
- return None
-
- def logout(self, configurationAttributes, requestParameters):
- return True