Documentation

Using OpenID Connect

OpenID Connect is a lightweight authentication layer that enables users to authenticate using accounts they have on other systems. It’s built on top of the OAuth 2.0 authorization protocol. By using OpenID Connect, you delegate user authentication to other providers, making it easy for users with existing accounts to authenticate to your Liferay installation.

Note

You can add multiple providers to your installation, but Liferay DXP can’t be an OpenID Connect provider.

OpenID Connect’s token flow is similar to OAuth 2.0, because it’s built on top of its functionality. OAuth 2.0 is only an authorization protocol, so it sends an access token that grants access to particular APIs. OpenID Connect adds to this an identity token that passes user information like name and email, provided the user has authenticated and granted permission.

Creating a Client in OpenID Connect Provider

To use OpenID Connect, you must first register it as a client in your provider. This is an OAuth 2.0 client. The process varies by provider:

  1. Navigate to the provider’s website and create a client.

  2. During the creation process, you must supply an authorized redirect URL that can process the tokens sent from the provider. Liferay DXP’s URL is

    https://[server.domain]/c/portal/login/openidconnect
    
  3. The provider sends several pieces of information. Some of these, like the Discovery Endpoint, Authorization Endpoint, or Issuer URL are the same regardless of the client. The two pieces of information unique to your request are the client_id and the client_secret.

Collect the information from the provider. You’ll need it create the provider connection.

Configuring an OpenID Connect Provider Connection

Go to Control PanelConfigurationSystem SettingsSecuritySSO and select OpenID Connect Provider under the System Scope.

Locating OpenID configurations in the System Settings menu.

Follow these steps:

  1. Add the provider by clicking the Add button.

  2. Use the information you received from the provider to fill out the form.

Once you’ve filled out the form, click Save, and you’re ready to enable OpenID Connect authentication.

An exported configuration results in this System Settings configuration file:

com.liferay.portal.security.sso.openid.connect.internal.configuration.OpenIdConnectProviderConfiguration-[name].config

where [name] is a descriptive, but unique name for example provider1.

Enabling OpenID Connect Authentication

  1. Go to Control PanelConfigurationSystem SettingsSecuritySSO and select OpenID Connect under Virtual Instance Scope.

    Enabling OpenID Connect authentication in Instance Settings.

  2. Click the Enabled check box, and then click Save.

An exported configuration results in this System Settings configuration file:

com.liferay.portal.security.sso.openid.connect.configuration.OpenIdConnectConfiguration.config

Now users can sign in with OpenID Connect.

Signing In With OpenID Connect

A new link appears in the Sign-In Portlet for signing in with OpenID Connect:

  1. From the Sign-In Portlet, click the OpenID Connect link at the bottom.

  2. Choose a provider and click Sign In.

  3. This takes you to your provider’s sign in page. Enter your credentials and log in.

  4. Upon successful authentication, you’re redirected back to Liferay DXP in an authenticated state.