OpenID for Java Web applications, part 2nd

Write an OpenID provider for single sign-on authentication

Introduction: In this article, you will learn how to use OpenID to secure Java Web application resources to prevent damage by unauthenticated users. In the 2nd part of the series that describes the OpenID authentication specification, Steve Perry explains how to use the Openid4java library to create an OpenID provider for a single sign-on scenario. By building an application as an OpenID provider in a closed-loop architecture, end users can access multiple applications by simply logging in once. In addition, you will learn how to use the OpenID Attribute Exchange (AX) to extend the data exchange between your OpenID dependents and providers.

OpenID is a reliable identity management and authentication solution that has many users around the world. It allows end users to access many Web sites and other online resources using a widely recognized user ID. In the 1th part, I introduced the OpenID authentication specification, explaining how to integrate it into a Java Web application using the Openid4java Library implementation.

The 1th part focuses on the OpenID dependencies (RP), an online resource (such as a Web site or MP3) that uses OpenID for registration and authentication. The other half of the OpenID authentication specification is the OpenID provider (OP). OP helps users apply for OpenID, authenticating users to log on to an OpenID-compliant WEB resource.

There are already many OpenID providers (including the Op,myopenid used in the Java WEB application registration system discussed in part 1th), and in most cases you do not need to create the OP yourself.

It is meaningful to build your own OP in one scenario: multiple applications in an application cluster share resources from a trusted network. In this case, you may want to create a secure "closed loop" system. This makes it convenient for users to log in to all applications at the same time without having to log in to each application separately. With one application in the cluster as the OP, you can establish single sign-on authentication for all applications.

In this article, we want to write an OpenID provider in a closed-loop architecture to protect many applications. First discuss the benefits and structure of single sign-on authentication, and then write a simple OpenID provider for the cluster architecture. We still use the Openid4java library to provide the core run-time capabilities of the authentication system to ensure that our OpenID provider complies with the OpenID authentication specification.

Single sign-on authentication

In some enterprise scenarios, it is more meaningful to combine applications with different functionality than to build all the functionality into a single application. Such an application cluster is often the core of business-to-business, and each party provides some services to increase the value of the entire business system.

The difficulty in developing this cluster is authentication, and it is not feasible to have each application authenticate the end user separately, at least from the end-user's point of view.

In a clustered system that uses the OpenID standard for authentication, each participating application delegates authentication to the OP. Each application is confident that access to its functionality and resources is secure, and that end users only log in once per session.

Let's look at the parties in the single sign-on authentication system. Note that the architecture discussed below is based on the sample application developed in part 1th.

OpenID relying party (RP)

OpenID dependencies are Web sites or other online resources that require access to their content to be secure. The RP uses the OpenID provider (OP) to authenticate the user. The RP can also use simple registration (SREG) and/or Attribute Exchange (AX) extensions to register or identify information about the user. When the OP is requested to authenticate the user, the RP issues Sreg and AX requests by calling the Openid4java library.

OpenID provider (OP)

The OpenID provider provides authentication for all participating applications. After successfully authenticating the user by calling the Openid4java library, the OP satisfies the Sreg and AX requests from the RP. In the single sign-on architecture discussed in this article, OP is in a central location.