Hi, I am looking for a way to use OpenID Connect (authentication AND authorization) with Tomcat 8. I found two ways to get authentication working, but not authorization. Here's what I tested so far:
Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth
This extension works very well for authentication. It isn't possible to authorize users, though. You can configure a realm which authorizes the user against LDAP or a database.

Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc + Tomcat 8
This mod works pretty well, too. But the AJP Connector doesn't seem to receive the roles from the web server and also relies on the realm to fetch the roles for each user.

With both methods I failed to read the roles OpenID Connect supplies with the id token.

I experimented a bit with botching around in tomcat8-oidcauth. I removed the authenticate()-call and instead built the GenericPrincipal object with hard-coded roles on my own. That seems to work. But is this safe? Can I just read the token id and assume that it is correct and set the roles in the GenericPrincipal?

Are there any other methods to use both authentication AND authorization with tomcat 8?

Thanks and kind regards
Sebastian
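As an added example, not code from the original post or from tomcat8-oidcauth, this shows the checks an authenticator needs before roles taken from an ID token can be trusted: the signature is verified against the provider's JWKS, issuer, audience and expiry are checked, the nonce is matched against the one stored for the login session, and only then is the GenericPrincipal built. It assumes the nimbus-jose-jwt library (8.x or later), a hypothetical `roles` claim, and placeholder issuer, client id and JWKS URL values.

```java
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import org.apache.catalina.realm.GenericPrincipal;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

/** Validates an OIDC ID token and maps a roles claim onto a Tomcat principal. */
public class IdTokenPrincipalBuilder {

    // Placeholder provider settings; real values come from the OIDC discovery document.
    private static final String ISSUER      = "https://issuer.example/";
    private static final String CLIENT_ID   = "my-client-id";
    private static final String JWKS_URL    = "https://issuer.example/.well-known/jwks.json";
    private static final String ROLES_CLAIM = "roles"; // hypothetical claim name, provider-specific

    private final DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();

    public IdTokenPrincipalBuilder() throws Exception {
        // Signature: accept only RS256 tokens signed with a key published in the provider's JWKS,
        // so an unsigned or attacker-signed token is rejected before any claim is read.
        JWKSource<SecurityContext> keys = new RemoteJWKSet<>(new URL(JWKS_URL));
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
        // Claims: exact issuer, our client id in aud, and sub/iat/exp/nonce must be present;
        // the verifier also rejects expired tokens.
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                CLIENT_ID,
                new JWTClaimsSet.Builder().issuer(ISSUER).build(),
                new HashSet<>(Arrays.asList("sub", "iat", "exp", "nonce"))));
    }

    /** idToken: compact JWT from the token response; expectedNonce: value kept in the HTTP session. */
    public GenericPrincipal build(String idToken, String expectedNonce) throws Exception {
        JWTClaimsSet claims = processor.process(idToken, null); // throws on bad signature or claims
        // The nonce ties this token to the session that started the login, blocking replayed tokens.
        if (!Objects.equals(expectedNonce, claims.getStringClaim("nonce"))) {
            throw new SecurityException("ID token nonce does not match the login session");
        }
        List<String> roles = claims.getStringListClaim(ROLES_CLAIM);
        if (roles == null) roles = Collections.emptyList(); // missing claim means no roles, never a default
        // Password is null: Tomcat never re-checks credentials for this principal.
        return new GenericPrincipal(claims.getSubject(), null, roles);
    }
}
```

The realm can then be left out of the picture entirely, since the roles on the principal came from a token whose signature and claims were checked against the provider rather than from a hard-coded list.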