OCI IAM Authentication using OpenID Connect

OCI Identity and Access Management

Oracle Cloud Infrastructure Identity and Access Management (IAM) provides identity and access management features such as authentication, single sign-on (SSO), and identity lifecycle management for Oracle Cloud as well as Oracle and non-Oracle applications, whether SaaS, cloud-hosted, or on-premises. Employees, business partners, and customers can access applications at any time, from anywhere, and on any device in a secure manner.

Administrators and users can use IAM to help them effectively and securely create, manage, and use a cloud-based identity management environment without worrying about setting up any infrastructure or platform details. To learn more, please follow this link.

Overview

Estimated Time to complete the workshop: 90 minutes

This workshop showcases the OCI IAM OpenID Connect integration functionality.

During this session, you'll use the following resources to interact with the lab environment:

  • OCI Cloud Console
  • Command Line (CLI)

STEP 1: Log in to OCI

  1. Open the Luna Lab icon located on the desktop. This page contains all the information related to your credentials as well as the compartment that you will be working on.

  2. Click on the OCI Console link. This will open the login screen.

  3. Select Default from identity domains and click Next.

  4. Use the credentials provided within the Luna Lab web page you opened as part of the first step, and click Sign In.

  5. Click the General menu on the top left to open up the list of available services.

  6. Select Identity and Security then Domains.

  7. Open the compartment panel, expand Learners, and select the OCI_IAM compartment.

STEP 2: Register the Sample Web Application with OCI IAM

The sample web application needs a Client ID and Secret to establish communication with OCI IAM. You also need to configure API permissions that must be granted to the sample web application. This section explains how to register the sample web application with OCI IAM.

  1. In the OCI_IAM compartment, select the Learners domain.

  2. In the Applications page, click Add application.

  3. In the Add Application chooser dialog, click Confidential Application, and then click Launch Workflow.

  4. Populate the Details pane as follows, and then click Next.

    SDK Web Application

    • Name: Your Initials_web_app
    • Description: OCI IAM SDK Web Application

    • Display in My Apps: Checked
    • User can request access: Checked

  5. In the Configure OAuth pane, select Configure this application as a client now, and then populate the fields of this pane, as follows:

    • Allowed Grant Types: Select Client Credentials and Authorization Code.
    • Allow HTTP URLs: Select this check box. The sample application works in non-HTTPS mode.
    • Redirect URL: http://localhost:3000/callback
    • Post Logout Redirect URL: http://localhost:3000

  6. Check the Add app roles box.

  7. Click Add Roles and select Authenticator Client and Me in the list, and then click Add.

  8. Click Next until you reach the last pane. Then click Finish.

  9. To activate the application, click Activate.

  10. From the General Information section, take note of the Client ID.

  11. Click the Show secret option to reveal the string. On the Client Secret dialog box, click Copy, take note of the key, and click Close.

  12. Navigate back to the domain settings and, in the overview pane, take note of the Domain URL.

Once you have completed these steps, you should have captured the following information, which you will need to configure your custom app:

- Client ID
- Client Secret
- OCI IAM DOMAIN URL

STEP 3: Provisioning a sample user

  1. Click the General menu on the top left to open up the list of available services.

  2. Select Identity and Security then Domains.

  3. Open the compartment panel, expand Learners, and select the OCI_IAM compartment.

  4. In the OCI_IAM compartment, select the Learners domain.

  5. Select Users in the left panel and click on the Create User option.

  6. Fill out the fields as required. Use your business email, check Use the email address as the username, and assign only the All Domain Users group. Click Create. You will receive an email to activate your account; proceed with the account activation for this specific domain. We will use this user as part of the next steps.

  7. Back in the OCI console, within the user settings page, select Applications and click on Assign applications.

  8. Click the three dots on the right-hand side of the application you have created and select Assigned. This will allow the user to consume the confidential application you created in the previous steps.

  9. Once assigned, you should see the application listed within the user's profile.

STEP 4: Download the SDK in the Sample Web Application

NOTE: You will install the SDK after installing the other third-party libraries required for this lab.

  1. In the OCI IAM console, make sure that you are working in the Learners domain.

  2. To download the SDK, click Settings and then Downloads. Scroll down, search for Identity Cloud Service SDK for Node.js and click Download.

  3. The package will be downloaded to your Downloads directory.

STEP 5: Update the Sample Web Application

Important: The sample web application isn't meant to be published to production and isn't concerned about the language’s specific best practices, such as data handling, patterns, security, and so on. The sole purpose of the sample web application is to address the recommended approach to integrate OCI IAM and a custom application using the SDK.

In this section, you will update the sample application code to integrate the web application with OCI IAM by using the SDK for the Node.js programming language.

  1. Download the sample web application by copying the following link into the Luna browser:

    https://objectstorage.ca-toronto-1.oraclecloud.com/p/wtUThYtmcrQ2UX7bplgjZfpD2xKBDJzcweQsLc8d-9UmuY4uVFwMjRdO6xWPyVA5/n/yzukikevdw6w/b/nodejs/o/nodejs.zip

  2. Open a new terminal by opening the Applications menu located in the bottom-left corner, and click on Terminal Emulator.

  3. Uncompress the file in your download location using the unzip command. In the terminal, run the following commands.

    mkdir ~/Downloads/nodejs && mv ~/Downloads/nodejs.zip ~/Downloads/nodejs && cd ~/Downloads/nodejs
    unzip nodejs.zip

  4. Update the auth.js file with the information captured in STEP 2.

    gedit ~/Downloads/nodejs/auth.js

  5. Update the following items:

    • ClientId: fill in with the client ID
    • ClientSecret: fill in with the client secret
    • ClientTenant: the first part of your domain URL
    • AudienceServiceUrl: fill in with the domain URL

    var ids = {
        oracle: {
            "ClientId": "<YOUR CLIENT ID>",
            "ClientSecret": "<YOUR CLIENT SECRET>",
            "ClientTenant": "<YOUR DOMAIN HOST>",
            "IDCSHost": "https://%tenant%.identity.oraclecloud.com",
            "AudienceServiceUrl" : "<YOUR DOMAIN URL>",
            "TokenIssuer": "https://identity.oraclecloud.com/",
            "scope": "urn:opc:idm:t.user.me openid",
            "logoutSufix": "/oauth2/v1/userlogout",
            "redirectURL": "http://localhost:3000/callback",
            "LogLevel":"warn",
            "ConsoleLog":"True"
        }
    };

    module.exports = ids;

NOTE: The ClientTenant string is the first part of your Domain URL. For example, if your domain URL is idcs-9f120fbb98654835bfc699c83f5b924a.identity.oraclecloud.com:443, the tenant is idcs-9f120fbb98654835bfc699c83f5b924a.

NOTE: It is important to update the fields above accordingly before continuing to the next sections.

STEP 6: Run the Sample Web Application

In this section of the tutorial, you will prepare, run, and test the sample web application.

  1. Open a terminal and navigate to the nodejs folder.

    cd ~/Downloads/nodejs/
  2. Install all of the necessary modules which are specified in the package.json file.

    npm install
  3. Once the command is completed, you will see the following message: npm WARN nodejs-sdk-oracle-OCI IAM@1.0.0 No repository field.

    NOTE: If the previous command fails to install the packages, run npm install --global windows-build-tools, and then run npm install again.

  4. Copy the OCI IAM SDK package to the node_modules directory by running the following command.

    NOTE: Keep in mind that the version of the SDK may change. Verify the zip file name before executing the command. The current SDK version is nodejs-22.3.77-2209010024

    cp ~/Downloads/nodejs-22.3.77-2209010024.zip ~/Downloads/nodejs/node_modules/
  5. Change to the node_modules directory.

    cd ~/Downloads/nodejs/node_modules
  6. Extract the OCI IAM SDK.

    unzip nodejs-22.3.77-2209010024.zip
  7. The source code structure of the sample web application should be similar to the one below.

    ~/nodejs/
        models/
        node_modules/
            ...
            passport-idcs/
                ...
        public/
        routes/
        view/
        app.js
        ...
    

    NOTE: Make sure to run the npm install command before extracting the OCI IAM Node.js SDK package into the sample web application source code's node_modules folder.

  8. Start the server by running the following command. You need to be within the ~/Downloads/nodejs/ directory.

    npm start
  9. The Server started on port 3000 message appears in the console window.

NOTE: If another service is using port 3000, you must remove the process listening on that port by running the kill command.

    kill $(lsof -t -i:3000)

  10. Open an incognito Chrome window, copy and paste the following URL, and press Enter.

    http://localhost:3000

  11. Click Log in.

  12. In the Login page, click the Oracle red icon.

  13. Provide the credentials of the user you created in STEP 3.

  14. After you sign in to OCI IAM successfully, the browser redirects you to the Home page. The name of the logged-in user appears on the main page.

  15. In the left menu, click My Profile.

  16. Verify that the information associated with your profile appears in the center of the page.

NOTE: The information shown is sent to the application in JavaScript Object Notation (JSON) format. JSON is an open standard file and data interchange format that uses human-readable text to store and transmit data objects.

  17. Click Log Out on the left-hand side of the screen. The sample application finalizes the user session and redirects the browser to OCI IAM's logout URL as defined in the OCI IAM application configuration.

  18. After OCI IAM logs the user off, it redirects the user's browser to the sample application index page. This happens because the sample application adds two parameters, post_logout_redirect_uri and id_token_hint, to the OCI IAM logout URL, as per below:

The post_logout_redirect_uri parameter value must match the Post Logout Redirect URL parameter value you set during STEP 2: Register the Sample Web Application with OCI IAM.
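The two pieces of derivation this lab leaves to the reader are the ClientTenant value from the NOTE in STEP 5 and the logout URL described in the two steps above. The following added example (not part of the sample application or the OCI IAM SDK) shows both in plain Node.js: it extracts the tenant from a domain URL, expands the %tenant% placeholder in IDCSHost, and builds the logout URL with post_logout_redirect_uri and id_token_hint, refusing a redirect that does not match the value registered in STEP 2. The postLogoutRedirectURL field and the token string are hypothetical; the tenant id is the one used as an example in the NOTE.

```javascript
// Constructed config mirroring the auth.js fields from STEP 5. postLogoutRedirectURL
// is a hypothetical extra field holding the Post Logout Redirect URL registered in STEP 2.
const ids = {
  oracle: {
    ClientTenant: 'idcs-9f120fbb98654835bfc699c83f5b924a',
    IDCSHost: 'https://%tenant%.identity.oraclecloud.com',
    logoutSufix: '/oauth2/v1/userlogout',          // spelling as in auth.js
    postLogoutRedirectURL: 'http://localhost:3000', // hypothetical; must equal the registered value
  },
};

// "idcs-xxxx.identity.oraclecloud.com:443" -> "idcs-xxxx".
// Accepts the bare host:port form from the NOTE as well as a full https:// URL;
// URL.hostname never carries the port, so ":443" is dropped automatically.
function tenantFromDomainUrl(domainUrl) {
  const withScheme = /^https?:\/\//i.test(domainUrl) ? domainUrl : `https://${domainUrl}`;
  const host = new URL(withScheme).hostname;
  return host.split('.')[0];
}

// Expands the %tenant% placeholder in the IDCSHost template.
function idcsHost(cfg) {
  return cfg.IDCSHost.replace('%tenant%', cfg.ClientTenant);
}

// Builds the OCI IAM logout URL. post_logout_redirect_uri must match the registered
// Post Logout Redirect URL exactly, or OCI IAM will not redirect back to the app, so a
// mismatch is rejected here instead of being sent to the identity provider.
function buildLogoutUrl(cfg, idToken, postLogoutRedirectUri) {
  if (postLogoutRedirectUri !== cfg.postLogoutRedirectURL) {
    throw new Error('post_logout_redirect_uri does not match the registered Post Logout Redirect URL');
  }
  const url = new URL(idcsHost(cfg) + cfg.logoutSufix);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  url.searchParams.set('id_token_hint', idToken); // tells OCI IAM which session to end
  return url.toString();
}

// Stand-alone demonstration with a constructed (not real) id_token value.
console.log(tenantFromDomainUrl('idcs-9f120fbb98654835bfc699c83f5b924a.identity.oraclecloud.com:443'));
console.log(buildLogoutUrl(ids.oracle, 'eyJ.constructed.token', 'http://localhost:3000'));
```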

STEP 7: Testing Single Sign-On capabilities

Let's test OCI IAM Single Sign-On capabilities.

  1. First, close your browser or start a new window in incognito mode.

  2. Open Chrome.

  3. Log in to OCI. You can copy the URL below into Chrome.

    https://cloud.oracle.com/?tenant=OSPATRAINING021

  4. Type OSPATRAINING021, select the Learners domain, and use the credentials of the user you created in STEP 3.

  5. Once in the OCI console, open a new tab in the same browser window.

  6. In the new tab, with the Node.js application running, type http://localhost:3000 and click Log in.

  7. In the Login page, click the Oracle red icon.

  8. Because you have already signed in to OCI, the browser redirects you to the Home page without asking for credentials. The name of the logged-in user appears on the main page.

  9. In the left menu, click My Profile.

  10. Verify that the information associated with your profile appears in the center of the page. You will see that the information listed there is associated with your user id.

  11. Click Log Out on the left-hand side of the screen. The sample application finalizes the user session and redirects the browser to OCI IAM's logout URL as defined in the OCI IAM application configuration.

STEP 8: Clean-up

  1. Close all your Chrome windows.

  2. Open the Luna Lab icon located on the desktop. This page contains all the information related to your credentials as well as the compartment that you will be working on.

  3. Click on the OCI Console link. This will open the login screen.

  4. Select Default from identity domains and click Next.

  5. Use the credentials provided within the Luna Lab web page you opened as part of the first step, and click Sign In.

  6. Click the General menu on the top left to open up the list of available services.

  7. Select Identity and Security then Domains.

  8. Open the compartment panel, expand Learners, and select the OCI_IAM compartment.

  9. In the OCI_IAM compartment, select the Learners domain.

  10. Select Users in the left panel and delete your user. When asked for confirmation, select Yes.

  11. Select Applications in the left panel, click the application you created, and deactivate it from the Actions menu. When asked for confirmation, follow the instructions. Finally, select the same application and, from the Actions menu, select Delete.


What you have done

OCI IAM provides Software Development Kits (SDKs) that can be used to integrate custom web applications. As part of this lab you have created a new confidential application in OCI IAM, configured a custom Node.js application, and experienced the single sign-on capabilities delivered by OCI IAM.