INT

Empowering Visualization

COMMUNITY BLOG
CONTACT US SUPPORT

OpenID

How to Use the Nimbus Library to Authenticate Users with OpenID Connect

OpenID Connect (OIDC) is an authentication protocol using a third-party site to provide single-sign-on capabilities to web applications. For example, before you can visualize OpenSDU data in IVAAP, your browser is redirected to a login page hosted by Microsoft or Amazon. After completion of the two-factor authentication, your browser is redirected to IVAAP. The sequence of steps between IVAAP and external authentication servers follows the OpenID Connect protocol.

OIDC is built on top of Oauth2. It was created in 2014, superseding Open ID 2.0. Over the years, it has become a widely used standard for consumer and enterprise-grade applications. While simpler than OpenID 2.0, most developers will need to use a library to integrate OIDC with their applications.

In IVAAP’s case, since the Admin Backend is written in Java, we use the OIDC Nimbus library identified by this maven configuration:

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>oauth2-oidc-sdk</artifactId>
    <version>10.1</version>
</dependency>

While this Nimbus library doesn’t provide a full implementation of the OpenID Connect workflow, it contains pieces that can be reused in your code. IVAAP being a platform, it comes with an SDK to plug your own authentication. Nimbus fits the concept of an SDK where most of the work is already done for developers, and you only need to implement a few hooks. In our case, the hooks identify mainly what to do when the /login, /callback, /refresh, and /logout services are called. Let’s dive a little further into how Nimbus helps developers implement these services.

The Login Service

The main purpose of the /login service is to redirect the browser to an external authentication page. The login URL changes slightly each time it’s called for security reasons. It contains various information such as the scope, a callback URL, a client ID, a state, and a nonce. The scope, callback URL, and client ID typically don’t change, but the state and nonce are always new. 

ClientID clientID = new ClientID(this.clientId);
URI callback = new URI(this.callbackURL);

Nonce nonce = new Nonce();
Scope authScope = new Scope();
String[] split = this.scope.split(" ");
for (String currentToken : split) {
    authScope.add(currentToken);
}

AuthenticationRequest request = new AuthenticationRequest.Builder(
            ResponseType.CODE,
            authScope,
            clientID,
            callback)
            .endpointURI(new URI(this.authURL))
            .state(state)
            .nonce(nonce)
            .prompt(new Prompt("login"))
            .build();
return request.toURI();

Since OIDC was released, a more secure variation called PKCE (pronounced pixy) has been added. PKCE introduces a code challenge instead of relying on a client secret used in the /callback service. The same code looks like this when PKCE is used:

ClientID clientID = new ClientID(this.clientId);
URI callback = new URI(this.callbackURL);
this.codeVerifier = new CodeVerifier();

Nonce nonce = new Nonce();
Scope authScope = new Scope();
String[] split = this.scope.split(" ");
for (String currentToken : split) {
    authScope.add(currentToken);
}

AuthenticationRequest request = new AuthenticationRequest.Builder(
            ResponseType.CODE,
            authScope,
            clientID,
            callback)
            .endpointURI(new URI(this.authURL))
            .state(state)
            .codeChallenge(codeVerifier, CodeChallengeMethod.S256)
            .nonce(nonce)
            .prompt(new Prompt("login"))
            .build();
return request.toURI();

The Callback Service

When the /callback service is called after successful authentication, the callback URL contains a state and a code that identifies the authentication that was just performed. The following lines extract this code from the callback URL:

AuthenticationResponse response = AuthenticationResponseParser.parse(
                new URI(callbackUrl));
State state = response.getState();
AuthorizationCode code = response.toSuccessResponse().getAuthorizationCode();

The state should match the state created when the /login service was called.

This “authorization code” can be exchanged with authentication tokens calling the OIDC token service.

     URI tokenEndpoint = new URI(this.tokenURL);
     URI callback = new URI(this.callbackURL);
      AuthorizationGrant codeGrant = new AuthorizationCodeGrant(code, callback);
      ClientID clientID = new ClientID(this.clientId);
      Secret secret = new Secret(this.clientSecret);
      Scope authScope = new Scope();
      String[] split = this.scope.split(" ");
      for (String currentToken : split) {
          authScope.add(currentToken);
      }
      ClientAuthentication clientAuth = new ClientSecretBasic(clientID, secret);
      TokenRequest request = new TokenRequest(tokenEndpoint, clientAuth, codeGrant, authScope); 
      HTTPRequest toHTTPRequest = request.toHTTPRequest();
      TokenResponse tokenResponse= OIDCTokenResponseParser.parse(toHTTPRequest.send());
OIDCTokenResponse successResponse = (OIDCTokenResponse) tokenResponse.toSuccessResponse();
  JWT idToken = successResponse.getOIDCTokens().getIDToken();
  AccessToken accessToken = successResponse.getOIDCTokens().getAccessToken();
  RefreshToken refreshToken = successResponse.getOIDCTokens().getRefreshToken();

If PKCE is enabled, this code is simpler. It doesn’t require a client’s secret to be passed:

           URI tokenEndpoint = new URI(this.tokenURL);
           URI callback = new URI(this.callbackURL);
            AuthorizationGrant codeGrant = new AuthorizationCodeGrant(code, callback, this.codeVerifier);
            ClientID clientID = new ClientID(this.clientId);
            TokenRequest  request = new TokenRequest(tokenEndpoint, clientID, codeGrant);
authScope); 
            HTTPRequest toHTTPRequest = request.toHTTPRequest();
            TokenResponse tokenResponse= OIDCTokenResponseParser.parse(toHTTPRequest.send());
      OIDCTokenResponse successResponse = (OIDCTokenResponse) tokenResponse.toSuccessResponse();
        JWT idToken = successResponse.getOIDCTokens().getIDToken();
        AccessToken accessToken = successResponse.getOIDCTokens().getAccessToken();
        RefreshToken refreshToken = successResponse.getOIDCTokens().getRefreshToken();

The OpenID Connect token service gives us 3 tokens:

  • An access token
  • A JSON Web Token (JWT) token, also known as an ID token or bearer token
  • A refresh token

The access token is the token that typically grants access to data. It expires, and a new access token can be retrieved, passing the refresh token to the OIDC refresh service.

The JWT token is the token that identifies the user. Unlike the access token, it doesn’t expire. While a JWT token may be parsed to get user info, the access token is typically used instead. A user info OIDC service typically needs to be called with the access token to get the user details.

            URI userInfoURI = new URI(this.userInfoURL);
            HTTPResponse httpResponse = new UserInfoRequest(userInfoURI, accessToken)
                    .toHTTPRequest()
                    .send();
            UserInfoResponse userInfoResponse = UserInfoResponse.parse(httpResponse);
            UserInfo userInfo = userInfoResponse.toSuccessResponse().getUserInfo();
String email = (String) userInfo.getClaim("email");

For OpenSDU, a more complex API involving claim verifiers needs to be used to get user details.

Set<String> claims = new LinkedHashSet<>();
claims.add("unique_name");
ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
jwtProcessor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWT")));
JWKSource<SecurityContext> keySource = new RemoteJWKSet<>(...));
JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS256;
JWSKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(expectedJWSAlg, keySource);
jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier(new JWTClaimsSet.Builder().issuer(...).build(),
        claims));
jwtProcessor.setJWSKeySelector(keySelector);
JWTClaimsSet claimsSet = jwtProcessor.process(accessToken.getValue(), null);
Map<String, Object> userInfo = claimsSet.toJSONObject();
String email = (String) userInfo.getClaim("unique_name");

The Refresh Service

In IVAAP’s case, the UI’s role is to call the /refresh service before an access token expires. When this refresh service is called with the last issued refresh token, new access and refresh tokens are obtained by calling the OIDC token service again.

    RefreshToken receivedRefreshToken = new RefreshToken(…);
    AuthorizationGrant refreshTokenGrant = new RefreshTokenGrant(receivedRefreshToken);
    URI tokenEndpoint = new URI(this.tokenURL);
    ClientID clientID = new ClientID(this.clientId);
    Secret secret = new Secret(this.clientSecret);
    ClientAuthentication clientAuth = new ClientSecretBasic(clientID, secret);
    Scope authScope = new Scope();
    String[] split = this.scope.split(" ");
    for (String currentToken : split) {
        authScope.add(currentToken);
    }
    TokenRequest  request = new TokenRequest(tokenEndpoint, clientAuth, refreshTokenGrant, authScope);

HTTPResponse httpResponse = request.toHTTPRequest().send();
AccessTokenResponse successResponse = response.toSuccessResponse();
Tokens tokens = successResponse.getTokens();
AccessToken accessToken = tokens.getAccessToken();
RefreshToken refreshToken = tokens.getRefreshToken();

If PKCE is enabled, this code is simpler. It doesn’t require a client secret to be passed:

RefreshToken receivedRefreshToken = new RefreshToken(…);
AuthorizationGrant refreshTokenGrant = new RefreshTokenGrant(receivedRefreshToken);
URI tokenEndpoint = new URI(this.tokenURL);
ClientID clientID = new ClientID(this.clientId);
TokenRequest request = new TokenRequest(tokenEndpoint, clientID, refreshTokenGrant);
HTTPResponse httpResponse = request.toHTTPRequest().send();
AccessTokenResponse successResponse = response.toSuccessResponse();
Tokens tokens = successResponse.getTokens();
AccessToken accessToken = tokens.getAccessToken();
RefreshToken refreshToken = tokens.getRefreshToken();

The Logout Service

As OpenID Connect doesn’t provide a standard for logging out, no Nimbus API generates the logout URL. The logout URL has to be built manually depending on the OpenID provider (Microsoft or Amazon). This logout URL is sometimes provided by the content behind the discovery URL of an OpenID provider.

Going Beyond

For simplicity’s sake, I didn’t include in the code samples the handling of errors. While the OpenID Connect protocol is well-defined, there are a few variations between cloud providers. For example, the fields stored in tokens may vary. This article doesn’t describe what happens after the /callback service is called: once tokens are issued, how are they passed to the viewer? These implementation details may be implemented differently by each application. When I was tasked with integrating OpenID Connect, I found the Nimbus website clear and simple to use, showing sample code front and center. I highly recommend this library.

Visit us online at int.com/ivaap for a preview of IVAAP or for a demo of INT’s other data visualization products. 

For more information, please visit www.int.com or contact us at intinfo@int.com.

____________

ABOUT INT

INT software empowers energy companies to visualize their complex data (geoscience, well, surface reservoir, equipment in 2D/3D). INT offers a visualization platform (IVAAP) and libraries (GeoToolkit) that developers can use with their data ecosystem to deliver subsurface solutions (Exploration, Drilling, Production). INT’s powerful HTML5/JavaScript technology can be used for data aggregation, API services, and high-performance visualization of G&G and energy data in a browser. INT simplifies complex subsurface data visualization.

INT, the INT logo, and IVAAP are trademarks of Interactive Network Technologies, Inc., in the United States and/or other countries.


How the Admin Backend Provides Flexibility to IVAAP Customers

The P of IVAAP stands for Platform. As a platform, IVAAP is designed to be modified by INT’s own customers to meet their specific (and sometimes proprietary) needs. Over the years, most of the focus of my blog articles has been on the Data Backend. The Data Backend is the core component of IVAAP that accesses data and makes it available in a standardized form—the IVAAP viewer. The Data Backend is highly specialized for geoscience data. There is, however, another backend, the Admin Backend, that is more generic in nature and that typically doesn’t get as much attention. The goal of this article is to shed some light on how this “other backend” can be customized or consumed to meet customer needs.

Roles of the Admin Backend

The Admin Backend has multiple roles. Some see the Admin Backend as a component managing IVAAP projects. An IVAAP project is essentially an arbitrary grouping of datasets, where each dataset is accessible through the Data Backend. Indeed, the Admin Backend manages projects and all their members. Each member is identified by a URL and often carries metadata, such as its name or location. The actual storage of this information is a PostgreSQL database. The IVAAP Admin Backend provides a simple REST API to the UI to manage project data.

Describing the Admin Backend as a store for projects doesn’t do it justice. It also manages many types of IVAAP entities such as connectors, cloud services, users, groups, dashboards, templates, formulas, and queries. Other data types are geoscience-related, such as curve dictionaries. The Admin Backend is also in charge of providing an audit trail when data is added, updated, or removed. All these features are implemented based on a documented Java API so that INT’s customers can plug their own implementations. Developers are not limited by the REST services that the Admin provides, they can add their own. While the Admin SDK has multiple customization points, the use cases below are the most common.

Customization Use Cases

The first use case of the Admin SDK is the customization of authentication. By default, IVAAP supports two types of authentication. A simple OAUTH2-based authentication, and OpenID Connect. IVAAP customers often have their own authentication system, and IVAAP needs to use that system. To make this possible, the Admin SDK provides a way to customize how users are authenticated, and how sessions are managed and tracked.

The next use case is the customization of key services, typically collection services. For example, the Admin Backend has a service that lists all active users. This service is used by the UI when a template is shared with others. IVAAP customers can plug their own service that will list potential users, for example, listing them from an LDAP server instead of IVAAP’s own PostgreSQL database.

The third use case is the customization of entitlements. Each time a dataset is opened, the Admin Backend is queried to check whether the currently logged-in user has access to this dataset. The default implementation relies on group memberships, but customers can plug their own rules. These rules can be fine-grained, for example, making determinations at the well log levels instead of the well levels.

External Integration Use Cases

The integration of the Admin Backend with other systems goes beyond authentication. The Admin REST services are designed to be called either by a human or a computer. Unlike humans, computers can’t easily log in to a system that requires two-factor authentication. This is why the Admin provides a “Circle of Trust” REST API that allows computers to access its data without the need for a login or password, but rather by a secure exchange of keys. This feature opens new integration use cases.

The first use case for the “Circle of Trust” is the automated retrieval of user activities. Some INT customers require monitoring of user sessions to assess how much IVAAP is used. The REST API for listing user activities is straightforward to use and can be leveraged by a tool outside of IVAAP.

Another use case for the “Circle of Trust” is the automated registration of external workflows. INT customers might have hundreds of machine learning (ML) workflows that are hosted on various systems. With “Circle of Trust” credentials, the endpoints for these workflows can be registered automatically so that they appear as options to IVAAP users.

A Single SDK for Two Backends

The Admin Backend has about 200 REST services, and these services were developed with the same SDK as the Data Backend SDK. It’s the same INT developers who maintain the Data Backend that also maintains the Admin Backend, with no additional training required. It’s not just INT that benefits, but our customers benefit, too. Together, the Data Backend and the Admin Backend provide a unified experience for all Java developers customizing IVAAP servers.

Visit us online at int.com/ivaap for a preview of IVAAP or for a demo of INT’s other data visualization products. 

For more information, please visit www.int.com or contact us at intinfo@int.com.