LifeRay OpenID Connect plugin to authenticate users using Gluu IdP.
The oxAuth LifeRay plugin is used to authenticate and auto-log users from Gluu Server into LifeRay with the same credentials. It is built on top of oxAuth, the OpenID Connect provider by Gluu.
The oxAuth plugin intercepts any attempt to log in from anywhere in LifeRay and redirects the request and the user to an oxAuth server, where the actual identification takes place. If the user has authorized the server to share some of his basic information with the oxAuth plugin, the user is redirected back to the LifeRay CMS and logged in automatically.
The goal of this project is to use the LifeRay CMS as the basis for an organizational personal data store service.
Note: This plugin does not support auto-user creation from information supplied by the oxAuth Plugin. Instead, it can be implemented by extending the plugin.
Deploying WAR file using Maven
Prerequisite: make sure that Maven is installed on your system so that you can build this plugin from source.
Check out the Maven source from the [oxRay Repository](https://github.com/GluuFederation/oxRay/tree/master/6.2.x/maven/gluu-openid-connect-hook).
Open the file
gluu-openid-connect-hook, and update your local LifeRay Tomcat bundle path. This is required for building the WAR file and deploying to the LifeRay Tomcat bundle.
- Run the following command in the
mvn clean install package liferay:deploy
This will take a few seconds to download the dependency jar files and generate the LifeRay-compiled deployable WAR file. It will be placed in the <liferay-bundle-folder>/deploy directory, and the hot deployment process will start.
Using LifeRay Plugin SDK With Ant
Prerequisite: we assume that you have the plugin SDK both installed and configured with the LifeRay bundle.
Check out the gluu-openid-connect-hook plugin source from the repository, and place these files in your local directory for the plugin SDK. Usually, this is
Run the following command in the folder
ant clean deploy
Using Binary From Repository
You can also download a compiled binary as a standard LifeRay deployable WAR file from the following location:
Copy this WAR file in your LifeRay bundle. Usually, this is located at
Once the plugin is deployed as a WAR file either using Maven or Ant, you will see the following success message in your LifeRay Tomcat server:
A LifeRay application needs to be registered with the Authorization server before initiating an authentication request/response with the OAuth IdP server.
The following steps are necessary to obtain both a client id and a client secret. These data will be used within the LifeRay portal properties.
- Go to the location
- You will see the Dynamic Client Registration Section.
- Enter the Registration Endpoint uri, for example
- You can derive this uri from your IdP auto-discovery uri which is
https://<Your IDP Server Domain>/.well-known/openid-configuration.
- You can search for the registration endpoint, and copy that uri here.
- Enter the redirect uris as
- Replace your domain name with
- This will be your LifeRay handler for logging a user into LifeRay, automatically, when a redirect comes back from the OAuth server.
- Select the Response Types: CODE
- Select the Application Type: WEB
- For development purposes use: NATIVE (if you are testing on a local
- Enter Client Name: LifeRay App (you can choose any name here).
- All other options can be left as they are; please see the attached screenshot:
Submit, and both the following
Registration Response will be displayed:
- Save the Registration Response to your local system. The parameters
client_secret are used in LifeRay when configuring
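The registration choices above, checked before the form is submitted, as an added Python example (not code from the oxAuth plugin or from Gluu). The hosts, the `register-placeholder` and `callback-placeholder` paths and both function names are constructed, and the https-only rule applied to WEB is a conservative assumption of this sketch.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document; host and path are placeholders, not Gluu output.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.org",
    "registration_endpoint": "https://idp.example.org/register-placeholder",
})

def registration_endpoint(discovery_json, idp_domain):
    """Return registration_endpoint after checking it belongs to the expected IdP."""
    doc = json.loads(discovery_json)
    for key in ("issuer", "registration_endpoint"):
        url = urlsplit(doc.get(key, ""))
        if url.scheme != "https" or url.hostname != idp_domain:
            raise ValueError(f"{key} is not an https URL on {idp_domain}")
    return doc["registration_endpoint"]

def registration_request(redirect_uri, application_type="web", client_name="LifeRay App"):
    """Build the client metadata selected in the registration form."""
    url = urlsplit(redirect_uri)
    if not url.scheme or not url.hostname or url.fragment:
        raise ValueError("redirect URI must be absolute and carry no fragment")
    local = url.hostname in ("localhost", "127.0.0.1", "::1")
    if application_type == "web":
        # Assumption of this sketch: WEB clients are held to https on a real host.
        if url.scheme != "https" or local:
            raise ValueError("WEB needs an https redirect URI on a non-local host")
    elif application_type == "native":
        # Local test setups only: plain http on the loopback host.
        if url.scheme != "http" or not local:
            raise ValueError("NATIVE here means http on localhost")
    else:
        raise ValueError("application_type must be 'web' or 'native'")
    return {
        "redirect_uris": [redirect_uri],
        "response_types": ["code"],
        "application_type": application_type,
        "client_name": client_name,
    }

if __name__ == "__main__":
    print(registration_endpoint(SAMPLE_DISCOVERY, "idp.example.org"))
    print(registration_request("http://localhost:8080/callback-placeholder", "native"))
```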
It is necessary to modify the portal-ext.properties file to reflect the oxAuth server client credentials and the server's URL. This can be accomplished by navigating into the liferay-portal-6.2.0-ce-ga1 folder, where the file portal-ext.properties is stored.
Note: To either activate or deactivate the oxAuth plugin, put the value true (to activate) or false (to deactivate), respectively.
- oxAuth client ID and client secret:
- OAuth server domain
- OAuth server auto discovery uri
- Your OAuth server logout uri (typically, this will be used to log out a user from OAuth when a user logs out from LifeRay)
- LifeRay server callback uri that will be used as a handling response by the OAuth server after authentication:
- replace the
localhost:8080 with your LifeRay domain name:
This page will be invoked when the user does not exist in the LifeRay database, but gets authenticated from the OAuth Server.
- Typically, create a LifeRay page with the name /no-such-user-found, or redirect to the LifeRay registration page uri like this:
Restart the LifeRay server after editing the file
Login Using the LifeRay Front End
- Once the LifeRay server is restarted, open your browser and navigate to the uri
- Once the LifeRay page has loaded successfully, navigate to the OpenID connect page at
Note: you can edit the theme code and link to the login uri as http://localhost:8080/openidconnect/login. As a result, the user will always be redirected to the OAuth server for authentication.
- OAuth authentication
- The LifeRay login uri will redirect users to the OAuth IdP server for user authentication. Internally, the OAuth client id is passed, as shown in the following screen:
- Request for permission
- This screen can be configured depending upon your OAuth Server implementation.
- OAuth callback (user auto-login to LifeRay)
- After a successful authentication with the OAuth server, the IdP will send a callback to LifeRay with a specific code as a parameter:
This will be intercepted by our oxAuth LifeRay plugin. Upon validation of the token with the Gluu IdP, the user is logged in to LifeRay and redirected to his respective start page.
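The checks a callback handler should make before exchanging the code, as an added Python example (not the oxAuth plugin's own code). The function name, the `callback-placeholder` path and the sample values are constructed, and the use of a `state` value stored in the user's session is an assumption about how the authorization request was sent.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

def token_request_from_callback(callback_url, session_state, client_id, redirect_uri):
    """Check the IdP's redirect and return the form fields for the token request.

    Raises ValueError on anything that should abort the login.
    """
    parts = urlsplit(callback_url)
    # The callback must arrive on the exact URI that was registered.
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != redirect_uri:
        raise ValueError("callback arrived on an unregistered URI")
    params = parse_qs(parts.query, keep_blank_values=True)
    if "error" in params:  # the IdP reported a failure or the user denied consent
        raise ValueError("IdP returned error: " + params["error"][0])
    # Exactly one non-empty code and state; repeats suggest parameter tampering.
    for name in ("code", "state"):
        if len(params.get(name, [])) != 1 or not params[name][0]:
            raise ValueError(f"missing or repeated {name}")
    # state ties the response to this browser session (login CSRF defence).
    if not session_state or not hmac.compare_digest(
            params["state"][0].encode(), session_state.encode()):
        raise ValueError("state mismatch")
    # The client secret is sent separately when authenticating to the token endpoint.
    return {
        "grant_type": "authorization_code",
        "code": params["code"][0],
        "redirect_uri": redirect_uri,  # same value as in the authorization request
        "client_id": client_id,
    }

if __name__ == "__main__":
    # Constructed sample values, not captured from a real server.
    registered = "http://localhost:8080/callback-placeholder"
    url = registered + "?code=abc123&state=s3ss"
    print(token_request_from_callback(url, "s3ss", "client-1", registered))
```

Only after the token endpoint's response has been validated should the user be looked up in LifeRay and either logged in or sent to the no-such-user page.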