Setting up SAP Hybris as OpenID connect Identity Provider

What is OIDC?

OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, and to obtain basic profile information about the End-User in an interoperable, REST-like manner.

When clients want to access secured resources in external systems, OIDC can be used to authenticate the users of the client application to those external systems. The SAP Commerce Platform can be configured as the identity provider in such scenarios.

Read on to understand the benefits and alternatives, the differences between the various authentication and authorization mechanisms, and the steps to configure the SAP Commerce Platform as an OpenID Connect Provider.

Advantages of OIDC:

  1. OIDC uses an id_token, which adds a layer of security to user sign-in transactions by including:
     - a nonce, sent by the client, which lets the integrity of the response be validated
     - a hash of the access token
     - a hash of the code (optional)
  2. The id_token contains authentication information
  3. It is signed using JSON Web Signatures (JWS)
  4. It can be encrypted using JSON Web Encryption (JWE)

Alternatives of OIDC:

As an alternative to OIDC, applications can use OAuth 2.0 or SAML for similar purposes. OIDC is built on top of OAuth 2.0 and adds, through an API, identity information about the authentication and authorization that took place on the system.

Differences between OIDC and OAuth2.0:

  OAuth 2.0: OAuth 2.0 is designed as an authorization framework, not an authentication protocol. Among the many tasks OAuth 2.0 can be put to, one is person authentication.
  OIDC: Attribute release and authentication are the main things OpenID Connect is specifically designed for.

  OAuth 2.0: There is no id_token defined in OAuth 2.0, because the id_token is specific to federated authentication.
  OIDC: OIDC uses an id_token.

  OAuth 2.0: OAuth 2.0 is generic, so it can be applied to many authorization requirements, such as API access management, posting on someone's wall, and using IoT services.
  OIDC: OpenID Connect is primarily focused on user authentication.

Difference between SAML and OIDC:

  SAML: Users are redirected from the Service Provider (SP) to the Identity Provider (IdP) for sign-in.
  OIDC: Users are redirected from the Relying Party (RP) to the OpenID Provider (OP) for sign-in.

  SAML: The SAML Service Provider will always be a website.
  OIDC: The RP (Relying Party) can be either a website or a mobile app; it is known as the "client", as it extends the OAuth 2.0 client.

  SAML: There is an "assertion", a signed XML document containing the subject (the authenticating authority), attributes (details of the person), the issuer and other information about the authentication event.
  OIDC: The ID Token is the equivalent in OpenID Connect. OIDC uses a signed JSON document that contains the issuer, the subject and the authentication information.


OIDC Architecture

[Figure: OIDC Architecture]

Configuring Platform as an ID Provider

As OIDC is based on the OAuth 2.0 authorization framework, we first need to configure the OAuth client role.

Configuration ImpEx for the OpenID client details:

INSERT_UPDATE OpenIDClientDetails;clientId[unique=true];resourceIds;scope;authorizedGrantTypes;authorities;clientSecret;registeredRedirectUri;externalScopeClaimName;issuer
;client-side;hybris;basic,email,profile,openid;implicit,client_credentials,password;ROLE_CLIENT;secret;http://MYAPPLICATION/,https://google.com/some_address;scope;ec

Configuring the external system scopes:

INSERT_UPDATE OpenIDExternalScopes;code[unique=true];clientDetailsId(clientId)[allownull=true,forceWrite=true];permittedPrincipals(uid);scope
;editor;client-side;hac_platform_configuration;hybris.tenant=ecopenid,hybris.product_create,hybris.product_update,hybris.product_delete,hybris.product_read_unpublished
;reader;client-side;hac_platform_license;hybris.tenant=ecopenid,hybris.product_read_unpublished
;admin;client-side;hac_editor;hybris.product_delete_all,hybris.product_read_unpublished

Generating the KeyStore:

To use OIDC in Hybris, a Java KeyStore containing both the public and the private key is required. Generate a new KeyStore with the Java keytool, because the demo KeyStore shipped with the platform is intended for development only. RSA is the preferred algorithm; the id_token in the example below is signed with RS256.

The following command can be used to generate KeyStore:

keytool -genkey -keyalg RSA -alias alias -keystore keystore.jks -keysize 2048

Configuring the OIDC provider details in the external system:

The following request can be used to obtain an id_token from the external provider (the space in response_type=id_token token must be URL-encoded in the actual request):

GET https://EC_IDP_URL/authorize/?response_type=id_token token
    &client_id=EXTERNAL_CLIENT_ID
    &redirect_uri=REDIRECT_URI_TO_WEB_PAGE
    &scope=SCOPE
    &nonce=NONCE
    &state=WEB_STATE

It redirects you to the external page and finally back to the original page. The id_token is returned in the URL of that page, as in the following redirect URL:

http://MY_APPLICATION/#access_token=cfc4af6d-b38b-4152-a923-9af8de6c7f33%26token_type=bearer%26state=3%26expires_in=39321%26id_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3QxIn0.eyJzdWIiOiJlZGl0b3IiLCJzY29wZSI6WyJvcGVuaWQiLCJoeWJyaXMucHJvZHVjdF9jcmVhdGUiLCJoeWJyaXMucHJvZHVjdF91cGRhdGUiLCJoeWJyaXMucHJvZHVjdF9kZWxldGUiLCJoeWJyaXMucHJvZHVjdF9yZWFkX3VucHVibGlzaGVkIiwiaHlicmlzLnByb2R1Y3RfZGVsZXRlX2FsbCJdLCJpc3MiOiJlYyIsInN0YXRlIjoiMyIsImV4cCI6MTUwMTg1MzYzNiwibm9uY2UiOiI1IiwiaWF0IjoxNTAxODUwMDM2fQ.HZ3ZZe4p3AkqZupijTiyTC_5BDQi6ZDT3kQusVlWHt0Db7qSbF1ZA9X2IcheLiJfGTiv9iAFR3CV-R8mqgfurdDKIZyJhMFad77O9ghhJpuzSfPJa9UVheOWoryXHiVLTyARu_Z9VmouokAan_bX0UXe7eOckNv28u3gL3wTGsY

The id_token in its encoded form looks like this:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3QxIn0.eyJzdWIiOiJlZGl0b3IiLCJzY29wZSI6WyJvcGVuaWQiLCJoeWJyaXMucHJvZHVjdF9jcmVhdGUiLCJoeWJyaXMucHJvZHVjdF91cGRhdGUiLCJoeWJyaXMucHJvZHVjdF9kZWxldGUiLCJoeWJyaXMucHJvZHVjdF9yZWFkX3VucHVibGlzaGVkIiwiaHlicmlzLnByb2R1Y3RfZGVsZXRlX2FsbCJdLCJpc3MiOiJlYyIsInN0YXRlIjoiMyIsImV4cCI6MTUwMTg1MzYzNiwibm9uY2UiOiI1IiwiaWF0IjoxNTAxODUwMDM2fQ.HZ3ZZe4p3AkqZupijTiyTC_5BDQi6ZDT3kQusVlWHt0Db7qSbF1ZA9X2IcheLiJfGTiv9iAFR3CV-R8mqgfurdDKIZyJhMFad77O9ghhJpuzSfPJa9UVheOWoryXHiVLTyARu_Z9VmouokAan_bX0UXe7eOckNv28u3gL3wTGsY

If we decode the id_token, it looks like this:

HEADER: ALGORITHM & TOKEN TYPE
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "test"
}

PAYLOAD: DATA
{
  "sub": "editor",
  "scope": ["openid", "hybris.product_read_unpublished"],
  "iss": "ec",
  "state": "3",
  "exp": 45049757,
  "nonce": "3",
  "iat": 41846157
}
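As an added example that is not part of the original post, the following Python script takes the redirect URL shown above, pulls the id_token out of the URL fragment, decodes its header and payload, and runs the checks a relying party performs before accepting the token: the signing algorithm, the issuer "ec" configured in the ImpEx above, the nonce and state that were sent in the authorization request, and the expiry. It assumes the request carried nonce 5 and state 3, as the token on this page does; verifying the RS256 signature needs the platform's public key, which is not shown on this page, so that step is left out.

```python
import base64
import json
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the redirect URL from this page, %26-encoded separators kept.
REDIRECT_URL = (
    "http://MY_APPLICATION/#access_token=cfc4af6d-b38b-4152-a923-9af8de6c7f33"
    "%26token_type=bearer%26state=3%26expires_in=39321%26id_token="
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3QxIn0."
    "eyJzdWIiOiJlZGl0b3IiLCJzY29wZSI6WyJvcGVuaWQiLCJoeWJyaXMucHJvZHVjdF9jcmVhdGUi"
    "LCJoeWJyaXMucHJvZHVjdF91cGRhdGUiLCJoeWJyaXMucHJvZHVjdF9kZWxldGUi"
    "LCJoeWJyaXMucHJvZHVjdF9yZWFkX3VucHVibGlzaGVkIiwiaHlicmlzLnByb2R1Y3RfZGVsZXRlX2FsbCJd"
    "LCJpc3MiOiJlYyIsInN0YXRlIjoiMyIsImV4cCI6MTUwMTg1MzYzNiwibm9uY2UiOiI1Iiwi"
    "aWF0IjoxNTAxODUwMDM2fQ."
    "HZ3ZZe4p3AkqZupijTiyTC_5BDQi6ZDT3kQusVlWHt0Db7qSbF1ZA9X2IcheLiJfGTiv9iAFR3CV"
    "-R8mqgfurdDKIZyJhMFad77O9ghhJpuzSfPJa9UVheOWoryXHiVLTyARu_Z9VmouokAan_bX0UXe"
    "7eOckNv28u3gL3wTGsY"
)

def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def fragment_params(url):
    # The '&' between fragment parameters arrives as %26, so unquote the whole
    # fragment before splitting it into key/value pairs.
    fragment = unquote(urlsplit(url).fragment)
    return {k: v[0] for k, v in parse_qs(fragment).items()}

def decode_id_token(id_token):
    header_b64, payload_b64, _sig = id_token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def check_redirect(url, expected_nonce, expected_state, now):
    # Returns a list of problems; empty means the claims are acceptable. The RS256
    # signature must additionally be verified with the platform's public key (kid).
    params = fragment_params(url)
    header, claims = decode_id_token(params["id_token"])
    problems = []
    if header.get("alg") != "RS256":  # reject "none" and any non-RSA algorithm
        problems.append("unexpected alg: %r" % header.get("alg"))
    if claims.get("iss") != "ec":  # issuer value from the OpenIDClientDetails ImpEx
        problems.append("unexpected issuer")
    if claims.get("nonce") != expected_nonce:  # ties the token to our own request
        problems.append("nonce mismatch")
    if params.get("state") != expected_state or claims.get("state") != expected_state:
        problems.append("state mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("id_token expired")
    return problems
```

Because the implicit flow returns the tokens in the URL fragment, the nonce and state checks are what bind the returned id_token to the request this client actually made.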

The id_token can now be exchanged for an access_token at the external system as below:

GET https://external_system.io/oauth2/v1/authorize/?
    &client_id=EXTERNAL_SYSTEM_CLIENT_ID
    &hybris_id_provider=ID_PROVIDER_REGISTERED_IN_EXTERNAL_SYSTEM
    &id_token_hint=ID_TOKEN_FROM_EXTERNAL_PROVIDER
    &nonce=NONCE
    &redirect_uri=REDIRECT_URI_TO_WEB_PAGE
    &response_type=token
    &state=WEB_STATE

It first redirects you to the external system's OAuth endpoint, then to the Platform (the external provider), and finally back to the original page. The access_token is then present in the URL of the web page.

A sample request exchanging the id_token for the access_token:

GET https://external_system.io/oauth2/v1/authorize/?client_id=ZwXU5ktg3TEYdZnDjrf4SCZjycO9KYd4
    &id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InRlc3QxIn0.eyJzdWIiOiJlZGl0b3IiLCJzY29wZSI6WyJvcGVuaWQiLCJoeWJyaXMucHJvZHVjdF9jcmVhdGUiLCJoeWJyaXMucHJvZHVjdF91cGRhdGUiLCJoeWJyaXMucHJvZHVjdF9kZWxldGUiLCJoeWJyaXMucHJvZHVjdF9yZWFkX3VucHVibGlzaGVkIiwiaHlicmlzLnByb2R1Y3RfZGVsZXRlX2FsbCJdLCJpc3MiOiJlYyIsInN0YXRlIjoiMyIsImV4cCI6MTUwMTg1MzU4NCwibm9uY2UiOiI1IiwiaWF0IjoxNTAxODQ5OTg0fQ.XVG6cKLhgSHoQet1XVgK9gi98pwsKXVqGIjwwMzaUzfZWV3sj33vILqK-ysmAhwIEWHqQpi56YvWHWbciucrcVY4bI7GswAM8vqJsjnokG0QnZ9BQgTzwd56yjgeST1PKfG9xsnJ7UkMPDOkhZPUyMCPUtk_hxjYskSDXeapxM8
    &hybris_id_provider=6616d705-58ab-4641-abcb-69b307743cc7
    &redirect_uri=http://localhost:8090
    &state=7
    &nonce=11
    &response_type=token

The redirected URL contains the access_token value:

http://MY_APPLICATION/#token_type=Bearer&access_token=022-de34d0e4-0557-4c18-b8ef-7c8544e8d6b9&expires_in=3600&scope=hybris.product_create hybris.product_update hybris.product_delete hybris.product_read_unpublished hybris.product_delete_all&state=7

Conclusion:

How to choose between OIDC, OAuth 2.0 and SAML:

  1. For mobile applications, use OIDC
  2. If the application already supports SAML, use SAML
  3. If writing a new application, use OIDC
  4. If APIs need to be protected or an API gateway needs to be created, use OAuth 2.0

I hope this blog post helps you get an idea of OIDC and how to implement it.

Although not many blogs are available on OIDC, more information can be found in the SAP Help Portal.

Do you require any other information that should be added to this blog? Let us know in the comments under this blog post. Please like and share your feedback or thoughts in the comments section.

References:

  1. https://openid.net/connect/
  2. https://help.sap.com/docs/SAP_COMMERCE/d0224eca81e249cb821f2cdf45a82ace/b68a2438783b4bd09355a1c5434e3e92.html?version=6.6.0.0