Sign in using miniOrange OpenID Connect

Contents

  1. miniOrange OpenID Connect Provider
  2. Accessing the service
  3. Authenticating the user
  4. Setting up OpenID Connect in miniOrange
  5. Download our miniOrange OpenID Connect Sample Application
  6. Add "Sign-in with miniOrange" to your web application
  7. Endpoints Explained (Create your own OpenID Client)
  8. OpenID Connect JAVA Sample Application Guide
  9. OpenID Connect PHP Sample Application Guide
  10. OpenID Connect PYTHON Sample Application Guide
  11. Appendix

miniOrange OpenID Connect provider

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.


Accessing the service

miniOrange and third parties provide libraries that you can use to take care of many of the implementation details of authenticating users and gaining access to miniOrange APIs.


Authenticating the user

Authenticating the user involves obtaining an ID token and validating it. ID tokens are a standardized feature of OpenID Connect designed for use in sharing identity assertions on the Internet.

This document describes how to perform the server flow for authenticating the user.

Server Flow

Make sure you set up your OpenID application in the miniOrange Administrator Console so that it can use these protocols and authenticate your users.

Below is the server flow for OpenID Connect using the authorization code grant type.


Setting up Open ID Connect in miniOrange

Before your application can use the miniOrange OpenID Connect authentication system for user login, you must set up an application in the miniOrange Administrator Console to obtain OpenID Connect credentials, set a redirect URI, and (optionally) add an application name.

Obtain OpenID Connect credentials

You need OpenID Connect credentials, including a client ID and client secret, to authenticate users and gain access to miniOrange APIs.

To get the credentials, do the following:

Step 1. Create an Application in miniOrange Administrator Console

Note that not all credential types use both a client ID and a client secret; a field that a credential type does not use is not listed in this document.

Once you have created the application for OpenID Connect, you need to create a policy for it so that users can authenticate with our various strong authentication methods.

Step 2. Create a policy



Download our miniOrange SampleApp

You can download our miniOrange Sample Application, written in Java, PHP or Python, to see a demonstration of our OpenID Connect flow or to use as the starting point for your own OpenID Connect client application.


JAVA

Click here to download miniOrange OpenId Sample Application for JAVA

Click here to refer to the Java sample application guide


PHP

Click here to download miniOrange OpenId Sample Application for PHP

Click here to refer to the PHP sample application guide


Python

Click here to download miniOrange OpenId Sample Application for Python

Click here to refer to the Python sample application guide


Add "Sign-in with miniOrange" to your web application


Add a "Sign-in with miniOrange" button to your website or app with the help of our sign-in client library, which is built on the OpenID Connect protocol. You can use miniOrange Sign-in to obtain OpenID Connect formatted ID tokens, and access tokens for further interaction with miniOrange APIs or for authenticating users in your application.

Below are the important fields that need to be configured in the miniOrange Admin Console before implementing the Sign-in feature:

Field           Description
Client id       The unique client identifier of a client application, which you get after creating an OpenID Connect application in the miniOrange Administrator Console.
Client secret   The unique client secret of a client application, which you get after creating an OpenID Connect application in the miniOrange Administrator Console.
Redirect URL    The URL to which miniOrange redirects the user, together with the authorization response, so that you can authenticate the user in your website or application. (You must implement this endpoint in your application to receive the authorization endpoint response; this guide explains the implementation.)


1. Add HTML button in your application

Sample HTML Code :

<!-- Insert the values of client_id and redirect_uri.
     You can keep the values of response_type, state, nonce and action unchanged.
     Refer to the end of the section for more details on these parameters. -->
<form action='http://server-domain/moas/idp/openidsso' method="get">
  <input type="hidden" name="client_id" value="enter-your-client-id-here" />
  <input type="hidden" name="state" value="abdcefghijklmnop" />
  <input type="hidden" name="nonce" value="abdcefghijklmnop" />
  <input type="hidden" name="response_type" value="code" />
  <input type="hidden" name="redirect_uri" value="enter-your-redirect-uri-here" />
  <input type="submit" value="Login With miniOrange" />
</form>

Note: The parameters state and nonce are used as anti-forgery parameters. The value of "state" must match the value of state returned in the response at the redirect_uri. You can set the state to any random string value.
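The note above says the state value must be random and must match on the way back, but the HTML form uses a fixed literal for both state and nonce, which gives no forgery protection. The following is an added example (not miniOrange's code or library) of how an application would generate per-login values, store them server-side, build the authorization request with the same parameters as the form, and verify the returned state at the redirect URI before touching the code. The session store, the host name and the client_id are placeholders; the /moas/idp/openidsso path is the one used in the form above.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def authorize_url(host):
    """Authorization endpoint as used in the login form on this page.
    `host` is the miniOrange host name, e.g. auth.miniorange.com (placeholder)."""
    return "https://" + host + "/moas/idp/openidsso"


def begin_login(session, host, client_id, redirect_uri):
    """Create fresh, unpredictable state and nonce values, remember them in the
    server-side session bound to this browser, and return the URL to redirect to.

    `session` is any dict-like per-browser store (e.g. your framework's session
    object); it is an assumption of this example, not a miniOrange API."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce   # compared against the id_token's nonce claim later
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return authorize_url(host) + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Parse the authorization response delivered to redirect_uri and return the
    code only if `state` matches the value stored for this session.

    The stored state is consumed (single use) so a replayed callback is rejected.
    Raises ValueError on any problem so the caller never exchanges a code that
    did not originate from a login this session started."""
    query = parse_qs(urlparse(callback_url).query)
    expected_state = session.pop("oidc_state", None)
    returned_state = query.get("state", [None])[0]

    if expected_state is None or returned_state is None:
        raise ValueError("missing state")
    # constant-time comparison so the check does not leak the stored value
    if not secrets.compare_digest(expected_state, returned_state):
        raise ValueError("state mismatch")

    # An OAuth 2.0 error response carries `error` instead of `code`.
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])

    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("missing code")
    return code
```

The nonce stored in the session is not checked here; it is checked against the nonce claim of the id_token once the token response has been received, which is the subject of the Appendix.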


2. Create a REST service or similar in your application to handle the response from the Authorization Endpoint (Note: its URL must be the redirect_uri parameter).

Example (https://<your-domain>/rest/openidresponse)

Response attributes: code, state.

Now you just need to make two calls: one to get an access token and another to get the user info using that access_token.

//Click here to download the JAVA library
//Java - Import our miniOrange API (copy all the JAR files into a lib folder and add them to the build path)
import com.miniorange.openid.client.AuthorizationServerRequest;

//Get the parameters from the request
String code = request.getParameter("code");
String state = request.getParameter("state");
String clientSecret = "enter-your-client-secret-noted-from-miniOrange-admin-console";
String hostName = "enter-the-miniOrange-host-name-without-http-or-subdomain"; //Example: auth.miniorange.com

//Step 1 : Initialize the object with hostName, code and clientSecret.
AuthorizationServerRequest clientObj = new AuthorizationServerRequest(hostName, code, clientSecret);

//Step 2 : Make a token request using the code and state parameters received on the redirect URI.
String token = clientObj.sendTokenRequest();
/** String token is a JSON. Example string token JSON :
{"scope":"openid","expires_in":3600,"token_type":"bearer",
 "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXByIDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDtramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5tNmjoWrEK4NzR1fWYXRmL5eyu51o",
 "access_token":"2f6fyjXdQRgVU9w"} **/

//Step 3 : OPTIONAL. Validate id_token on your side.
//<Your java code for validating id_token from the JWK set>

//Step 4 : Make a user_info request. Fetch access_token from the JSON string token received in Step 2.
//Parse the token JSON with a JSON library of your choice; org.json is assumed here.
String access_token = new org.json.JSONObject(token).getString("access_token");
String user_info = clientObj.sendUserInfoRequest(access_token);
/** Example user info JSON :
{"sub":"demo@miniorange.co.in","primaryPhone":"+917XXXXXXX",
 "email":"demo@miniorange.co.in","name":"Demo User","family_name":"User",
 "preferred_username":"demo@miniorange.co.in","given_name":"Demo"} **/
return user_info; //Proceed with your login flow using the user_info claims.

//Click here to download the PHP library
//PHP - Step 1. Import the PHP Library
require('AuthorizeOpenIDRequest.php');

$code = $_GET['code'];   //Code response parameter
$state = $_GET['state']; //Match the state received
$host = 'auth.miniorange.com'; //Server host name without http, sub-domain name or port.
$clientSecret = 'abcdefghijklm'; //Client Secret noted from the 'Configure App' page in the miniOrange Administrator Console.

//Step 2. Initialize Object
$obj = new AuthorizeOpenIDRequest();
$obj->authCode = $code;
$obj->state = $state;
$obj->hostName = $host;
$obj->clientSecret = $clientSecret;

//Step 3. Make request to token Endpoint to gain Access token.
$token = $obj->sendTokenRequest();
/** Example token JSON :
{"scope":"openid","expires_in":3600,"token_type":"bearer",
 "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXByIDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDtramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5tNmjoWrEK4NzR1fWYXRmL5eyu51o",
 "access_token":"2f6fyjXdQRgVU9w"} **/

//Get the access_token from the JSON token.
$jObj = json_decode($token);
$access_token = $jObj->access_token;

//Step 4. Validate id_token from $jObj->id_token using the JWK Set URI.

//Step 5. Make request to userinfo Endpoint with the help of the access_token received.
$user_info = $obj->sendUserInfoRequest($access_token);
/** Example user info JSON :
{"sub":"demo@miniorange.co.in","primaryPhone":"+917XXXXXXX",
 "email":"demo@miniorange.co.in","name":"Demo User","family_name":"User",
 "preferred_username":"demo@miniorange.co.in","given_name":"Demo"} **/

//Read the user_info JSON; it contains the user information.
$uinfo = json_decode($user_info);

# Click here to download the PYTHON library
# Step 1. Import the Python library
from AuthorizeOpenIdRequest import AuthorizeOpenIDRequest
import json
from bottle import request  # the sample application uses bottle; substitute your framework's request object

# Step 2. Initialize the object with hostName, authCode, clientSecret
# hostName : enter the miniOrange host name without adding HTTP/HTTPS or SUBDOMAIN
# clientSecret : the client secret noted while creating the app in the miniOrange Admin Console
# authCode is returned after authentication in miniOrange
hostName = "auth.miniorange.com"
clientSecret = "iercoierncoiec"
authCode = request.GET.get('code')

# Initialize
authReq = AuthorizeOpenIDRequest(hostName, authCode, clientSecret)

# Step 3. Make request to token endpoint
token = authReq.sendTokenRequest()
print('token is ' + token)
# Example token JSON :
# {"scope":"openid","expires_in":3600,"token_type":"bearer",
#  "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXByIDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDtramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5tNmjoWrEK4NzR1fWYXRmL5eyu51o",
#  "access_token":"2f6fyjXdQRgVU9w"}

# OPTIONAL. Perform token validation

# Step 4. Retrieve access_token from the token JSON
jsonData = json.loads(token)
accessToken = jsonData['access_token']

# Step 5. Make request to userinfo endpoint
userInfo = authReq.sendUserInfoRequest(accessToken)
# Example user info JSON :
# {"sub":"demo@miniorange.co.in","primaryPhone":"+117XXXXXXX",
#  "email":"demo@miniorange.co.in","name":"Demo User","family_name":"User",
#  "preferred_username":"demo@miniorange.co.in","given_name":"Demo"}
print('Userinfo is : ' + userInfo)


See the Appendix for more information on the token and user_info JSON objects. Once you have the user info JSON, you can initiate your login by passing the email/username information to your local authentication functionality.

miniOrange OpenId Connect JAVA Sample Application Guide

Click here to download miniOrange OpenId Sample Application for JAVA

Initializing inputs:

Step 1. Configure the OpenId Connect application in miniOrange Admin Console with the redirect URI : http://< your-server-domain-name >/openid-master-webapp/OpenIdResponse

1. Open the Constants.java file and initialize the following variables

HOST NAME = miniOrange host provider (example: auth.miniorange.com) without the HTTP/PORT/SUBDOMAIN name
CLIENT SECRET = enter the client secret noted from our miniOrange Admin Console
(For more information on how to get the client secret go to miniorange.com/openid-connect)

2. In index.jsp, enter the following information in the form input tags
<form action='https://auth.miniorange.com/moas/idp/openidsso' method="get">
  <input type="hidden" name="client_id" value="iZYhY1h65ArUeXw" />
  <input type="hidden" name="response_type" value="code" />
  <input type="hidden" name="redirect_uri" value="http://< your-server-domain-name >/openid-master-webapp/OpenIdResponse" />
  <input type="submit" value="Login With miniOrange" />
</form>


REDIRECT URI must point to your corresponding response handling file.

CLIENT_ID must be the value noted from our miniOrange Admin Application page. (For more information on how to get these parameters refer to miniorange.com/openid-connect)

Building the project

1. Add all the dependencies and run the following Maven command to install our third-party library miniorange-openid-api.jar into your local repository

mvn install:install-file -Dfile="./lib/miniorange-openid-api.jar" -DgroupId=com.miniorange.openid.client -DartifactId=miniorange-openid-api -Dversion=3.6 -Dpackaging=jar

2. Run "mvn clean package" at the pom directory level and deploy the .war file to your Apache Tomcat.

Testing the project

1. Open http://< your-server-domain-name >/openid-master-webapp.

2. Click on "Login With miniOrange".

3. Perform authentication on our miniOrange console and authorize the request to grant access to the user information.

4. After authorization, the browser is redirected to the "redirect_uri" you specified in index.jsp.


miniOrange OpenId Connect PHP Sample Application Guide

Step 1. Configure the OpenId Connect application in miniOrange Admin Console with the redirect URI : http://< your-server-domain-name >/<php-file-path>/OidcResponseHandler.php

Click here to download miniOrange OpenId Sample Application for PHP

1. Open the OidcResponseHandler.php file and initialize the following variables

HOST NAME = miniOrange host provider (example: auth.miniorange.com) without the HTTP/PORT/SUBDOMAIN name
CLIENT SECRET = enter the client secret noted from our miniOrange Admin Console
(For more information on how to get the client secret go to miniorange.com/openid-connect)

2. In index.html, enter the following information in the form input tags
<form action='https://auth.miniorange.com/moas/idp/openidsso' method="get">
  <input type="hidden" name="client_id" value="iZYhY1h65ArUeXw" />
  <input type="hidden" name="response_type" value="code" />
  <input type="hidden" name="redirect_uri" value="http://< your-server-domain-name >/<php-file-path>/OidcResponseHandler.php" />
  <input type="submit" value="Login With miniOrange" />
</form>


REDIRECT URI must point to your corresponding response handling file.

CLIENT_ID must be the value noted from our miniOrange Admin Application page. (For more information on how to get these parameters refer to miniorange.com/openid-connect)

Testing the project

1. Open http://< your-server-domain-name >/<php-file-path>/index.html.

2. Click on "Login With miniOrange".

3. Perform authentication on our miniOrange console and authorize the request to grant access to the user information.

4. After authorization, the browser is redirected to the "redirect_uri" you specified in index.html.


miniOrange OpenId Connect PYTHON Sample Application Guide

Step 1. Configure the OpenId Connect application in miniOrange Admin Console with the redirect URI : http://< your-server-domain-name >/OpenIdResponse

Click here to download miniOrange OpenId Sample Application for PYTHON

1. Open the init.py file and initialize the following variables on top

HOST NAME = miniOrange host provider (example: auth.miniorange.com) without the HTTP/PORT/SUBDOMAIN name
CLIENT SECRET = enter the client secret noted from our miniOrange Admin Console
(For more information on how to get the client secret go to miniorange.com/openid-connect)

2. In the init.py file, enter the following information (noted from the OpenID Connect app page in the miniOrange Admin Console) in the form input tags inside the function login()
<form action='https://auth.miniorange.com/moas/idp/openidsso' method="get">
  <input type="hidden" name="client_id" value="iZYhY1h65ArUeXw" />
  <input type="hidden" name="response_type" value="code" />
  <input type="hidden" name="redirect_uri" value="http://< your-domain-name >/OpenIdResponse" />
  <input type="submit" value="Login With miniOrange" />
</form>


REDIRECT URI must point to your corresponding response handling file.

CLIENT_ID must be the value noted from our miniOrange Admin Application page. (For more information on how to get these parameters refer to miniorange.com/openid-connect)

Running and Testing the project

Before running the app, make sure you have bottle.py and requests installed. To install bottle, execute "easy_install bottle" in CMD or a shell; to install requests, execute "easy_install requests".

Go to the sampleapp directory and execute "python init.py".

1. In a web browser, open http://< your-server-domain-name >/login.

2. Click on "Login With miniOrange".

3. Perform authentication on our miniOrange console and authorize the request to grant access to the user information.

4. After authorization, the browser is redirected to the "redirect_uri" you specified in the login() form of init.py (http://< your-server-domain-name >/OpenIdResponse).


Endpoints Explained

If you wish to use third-party client libraries, or if you want to write your own client, you can use our endpoints directly to authenticate users in your website or application.


Appendix

The token response is a JSON object which contains the following attributes:

Field          Description
access_token   OAuth 2.0 Access Token. This is returned from the token endpoint.
token_type     OAuth 2.0 Token Type value. The value MUST be Bearer or another token_type value that the Client has negotiated with the Authorization Server. Clients implementing this profile MUST support the OAuth 2.0 Bearer Token Usage [RFC6750] specification. This profile only describes the use of bearer tokens. This is returned in the same cases as access_token is.
expires_in     OPTIONAL. Expiration time of the Access Token in seconds since the response was generated.
scope          scope parameter value: openid
id_token       A JWT whose payload is a JSON object with the claims iss, sub, aud, nonce, exp, iat, auth_time and at_hash (described below).

The id_token payload contains the following JSON attributes:

Field       Description
iss         https URI that identifies the issuer
sub         identifier of the user at the issuer
aud         client_id of the requesting client
nonce       the nonce parameter value received from the client
exp         expiration time of this token
iat         time when this token was issued
auth_time   time when the authentication happened
at_hash     the left-most half of the hash of the access token
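The Java, PHP and Python snippets earlier on this page leave the "validate id_token" step to the reader. The following is an added example (not miniOrange's code) that performs the claim checks implied by the table above: iss against the expected issuer, aud against your client_id, nonce against the value your application generated for this login, exp and iat with a small clock-skew allowance, and at_hash recomputed from the access_token (left-most half of the SHA-256 digest for an RS256 token, base64url-encoded). It assumes the RS256 signature has already been verified against the provider's JWK set with a JOSE library; it deliberately does not verify signatures itself. The sample token it builds is constructed and unsigned, purely so the checks can run offline.

```python
import base64
import hashlib
import json
import time


def b64url_decode(part):
    """Decode base64url without padding, as used in JWT segments."""
    part += "=" * (-len(part) % 4)
    return base64.urlsafe_b64decode(part)


def b64url_encode(raw):
    """Encode bytes as base64url without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token, alg="RS256"):
    """at_hash as defined by OpenID Connect Core: hash the access token with the
    hash function matching the id_token's alg (SHA-256 for RS256), keep the
    left-most half of the digest and base64url-encode it without padding."""
    digest_name = {"RS256": "sha256", "RS384": "sha384", "RS512": "sha512"}[alg]
    digest = hashlib.new(digest_name, access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def validate_id_token_claims(id_token, expected_issuer, client_id, expected_nonce,
                             access_token=None, now=None, skew=60):
    """Check the id_token claims listed in the appendix. Returns the claims dict
    on success and raises ValueError on the first failed check.

    Signature verification is NOT done here (assumed already done against the
    provider's JWK set); this function must only be called on a verified token."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now

    if claims.get("iss") != expected_issuer:
        raise ValueError("iss mismatch")

    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if client_id not in aud:
        raise ValueError("aud does not contain our client_id")

    # The nonce ties this id_token to the login this session started.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")

    if "exp" not in claims or now > claims["exp"] + skew:
        raise ValueError("token expired")
    if "iat" in claims and claims["iat"] > now + skew:
        raise ValueError("iat is in the future")

    # Binds the access_token to this id_token; a swapped access_token fails here.
    if access_token is not None and "at_hash" in claims:
        if claims["at_hash"] != compute_at_hash(access_token, header.get("alg", "RS256")):
            raise ValueError("at_hash does not match access_token")

    return claims


def build_sample_id_token(claims):
    """Constructed, UNSIGNED token for demonstration only (empty signature segment).
    A real id_token from the provider carries an RS256 signature in its third segment."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "1"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "."
```

In the application flow, `expected_nonce` is the nonce stored in the session when the login started, and `access_token` is the value taken from the token response, so the at_hash check confirms the two tokens were issued together.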

The user info response is a JSON object which contains the following attributes:

Field   Description
Email   Email address of the user
Phone   Contact number of the user
Name    Full name of the user