OpenID Connect Authentication and UMA PEP Authorization
In this tutorial, we are going to add OpenID Connect Authorization Code flow authentication by configuring the gluu-openid-connect plugin, and user authorization with the gluu-uma-pep plugin. The user is authenticated first; the second part checks the user's permission using a UMA policy.
In the demo, the user is first authenticated by OpenID Connect. For the /settings resource, the user is then prompted to enter their country and city before being able to access the protected page. If the values entered are correct (US, NY), the user is granted access; if not, access is denied. We are using the default UMA policy available in Gluu CE, which checks City=NY. You can modify this policy or write custom logic to authorize users.
If you have two or three policies, UMA is a good fit. If you have many more policies, OPA is the better option.
- Gluu Gateway 4.2.0: this is our OpenID Connect relying party (RP), sitting between the client and the upstream service. Install Gluu Gateway. oxd Server is an API web application which is installed during the GG installation.
- Gluu Server 4.2.0: this is our OpenID Connect Server. Install Gluu Server.
- Protected (upstream) website: in our demo, we are using a demo Node.js app. Take the Node.js demo from here.
Gluu Gateway configuration (RP)
The GG UI is only available on localhost. Since GG runs on a remote machine, we need SSH port forwarding to reach the GG UI. Plugin configuration can be done either via REST calls or via the Gluu Gateway web interface.
Applications and their ports:

| Port | Application |
|------|-------------|
| 1338 | Gluu Gateway Admin GUI |
| 8001 | Kong Admin API |
| 8000 | Kong Proxy Endpoint |
| 443 | Kong SSL Proxy Endpoint. Kong provides port 8443 for the SSL proxy by default, but during setup it is changed to 443. |
Log in to the Gluu Gateway Admin GUI (:1338) and follow the steps below.
Register your upstream website as a Service. We are using http://localhost:4400 as the upstream website; it is the application to which you want to add OpenID Connect authentication. End users always send their request to the Kong proxy first; the plugin performs authentication and, if all is OK, Kong forwards the request to the upstream website and serves the content the upstream website returns.
Follow these steps to add a Service using the GG UI:
- Click on SERVICES on the left panel
- Click on the + ADD NEW SERVICE button
- Fill in the following boxes:
  - Name: oidc-opa-demo
  - URL: http://localhost:4400
Follow these steps to add a route:
- Click on the + ADD ROUTE button
- Fill in the following boxes:
  - Name: oidc-uma-demo
Tip: Press Enter to accept a value. In my case, I am using a server and updated the /etc/hosts file. This is the host which we will use to make requests in a browser after configuration. You can register your domain host if you are using live servers. For the rest of this tutorial, I am using dev1.gluu.org; you need to use your host. Check the Kong docs for more routing capabilities here.
- Click on ROUTES on the left panel
- Click on the route id/name which has the host
- Click on
- Click on the + ADD PLUGIN button
- You will see the Gluu OIDC & UMA PEP title and a + icon in the pop-up.
- Click on the + icon and it will show the form below.
Enable UMA PEP Security configuration and fill in the UMA PEP Security configuration section form with the details below:

| Field | Value | Notes |
|-------|-------|-------|
| Path | /settings/? | The path pattern to protect. |
| HTTP Methods | GET | The HTTP methods to protect on that path. |
| scope | with-claims | Just a name for the scope. The GG UI creates this UMA scope in your Gluu CE; in the Gluu CE UI (oxTrust) you then add the UMA policy to this scope. |
| Deny By Default | No (false) | Optional. |
| Pushed Claim Token Lua expression | | Optional. If you want to pass a pushed claims token to get the RPT token, you need to enable this option. |

The default expression currently passes both values, but you can modify it. Check here for more about the expression and building a UMA policy.
Gluu Server configuration (AS)
To enable the UMA policy, configure the following settings inside your Gluu Server UI (oxTrust). We are configuring the UMA claims gathering flow here. We are using the default policy available in Gluu CE, but you can code a policy as per your requirements.
In oxTrust, navigate to Manage Custom Scripts > UMA RPT Policies & UMA Claims Gathering.
There is one script, uma_rpt_policy, included by default. During authorization, it checks Country=US and City=NY. If you want to change the values, update this script or add your own new script. For more details, take a look at the Gluu CE documentation.
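As an added illustration (not code from Gluu Gateway, the plugin or the uma_rpt_policy script), the following Python model shows how the PEP configuration above and the default policy combine into one access decision: a request matching the protected path and method is allowed only if the gathered claims satisfy the policy, while non-matching requests fall back to Deny By Default. It assumes the path is matched as a regular expression and that the gathered claims arrive as a plain dict; GG's real matching engine and RPT exchange are not reproduced.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PepRule:
    """One protected-path entry from the UMA PEP Security configuration form."""
    path: str            # e.g. "/settings/?" (treated as a regex here: assumption)
    methods: frozenset   # e.g. frozenset({"GET"})
    scope: str           # UMA scope the policy is attached to, e.g. "with-claims"


@dataclass
class PepConfig:
    rules: list
    deny_by_default: bool = False   # the "Deny By Default" switch in the form


def rpt_policy(claims):
    """Model of the default uma_rpt_policy: grant only for Country=US and City=NY."""
    return claims.get("country") == "US" and claims.get("city") == "NY"


def decide(cfg, method, path, claims):
    """Return (allowed, reason) for one request following the flow described above."""
    for rule in cfg.rules:
        if re.fullmatch(rule.path, path) and method.upper() in rule.methods:
            # Protected path: access depends on whether the policy attached to the
            # scope accepts the claims the AS gathered from the user.
            if rpt_policy(claims):
                return True, f"matched {rule.path}; policy granted scope {rule.scope}"
            return False, f"matched {rule.path}; policy denied scope {rule.scope}"
    # No protected path matched: Deny By Default decides.
    if cfg.deny_by_default:
        return False, "no rule matched; deny_by_default=true"
    return True, "no rule matched; deny_by_default=false"


# The demo configuration from this tutorial.
DEMO_CFG = PepConfig(rules=[PepRule("/settings/?", frozenset({"GET"}), "with-claims")])

if __name__ == "__main__":
    for method, path, claims in [("GET", "/settings/", {"country": "US", "city": "NY"}),
                                 ("GET", "/settings/", {"country": "US", "city": "LA"}),
                                 ("GET", "/public", {})]:
        print(method, path, decide(DEMO_CFG, method, path, claims))
```

Flipping deny_by_default to True makes the unmatched /public request fail, which is the check to run before exposing the gateway.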
Add the policy in the with-claims scope. Navigate to
This completes the configuration. Next, request the Kong proxy at
https://<your_host>/settings/ in the browser. As per my configuration, I am requesting
Once you request the Kong proxy, the plugin will redirect you to your OP.
After successful authentication, the OP will show you all requested permissions; click on
Next, the Gluu Server prompts the user to enter some extra information to authorize the user. The AS first asks the user to enter a value for the country claim; enter US.
After submitting the country claim, the AS asks the user to enter a value for the city claim; enter NY.
If all is OK, you will see the page below, which is
If you get an error, you can check Kong's
For more details and configuration, check the gluu-openid-connect plugin docs.