
How do I implement OpenConnect with Apigility to be answered with a JWT type response?

The problem is that it is pretty simple to add just OAuth2 by following Apigility's documentation (or this one, which is really great), but when it comes to getting a JWT like the example below, it is not that easy to find documentation.

{
  "id": "394a71988caa6cc30601e43f5b6569d52cd7f6df",
  "jti": "394a71988caa6cc30601e43f5b6569d52cd7f6df",
  "iss": "issuer_id",
  "aud": "client_id",
  "sub": "user_id",
  "exp": 1483711650,
  "iat": 1483708050,
  "token_type": "bearer",
  "scope": "onescope twoscope"
}

So, this is more of a Q&A: since I haven't found it anywhere and it took me almost 2 weeks to gather all the info myself, I thought it would be useful to someone else.

Note that a JWT comes in 3 parts:

HEADER.PAYLOAD.SIGNATURE

The first 2 come in Base64, which you can just use; the last one is a key generated for validation (see this for more details).

The solution will be below.

tworems

1 Answer

If you want to add OpenConnect to the OAuth2 support built into Apigility so that you get a JWT as the answer, this is what you should do:

First, add these lines to /config/autoload/global.php

    'zf-oauth2' => [
        'allow_implicit'  => true,
        'access_lifetime' => 28800,
        'enforce_state'   => true,
        'options' => [
            'use_jwt_access_tokens'             => true,
            'store_encrypted_token_string'      => true,
            'use_openid_connect'                => true,
            'issuer'                            => 'issueroftoken.com',
            'id_lifetime'                       => 28800,
            'www_realm'                         => 'Service',
            'token_param_name'                  => 'access_token',
            'token_bearer_header_name'          => 'Bearer',
            'require_exact_redirect_uri'        => true,
            'allow_credentials_in_request_body' => true,
            'allow_public_clients'              => true,
            'always_issue_new_refresh_token'    => true,
            'unset_refresh_token_after_use'     => true,
        ],
    ],

The lines that matter there are use_jwt_access_tokens and use_openid_connect, which must be set to true, and issuer, which must be filled in (I added my website's address). The rest can be removed if you don't want to change their defaults.

Then you'd need to create this table (I found this info here):

CREATE TABLE oauth_public_keys (
  client_id            VARCHAR(80),
  public_key           VARCHAR(2000),
  private_key          VARCHAR(2000),
  encryption_algorithm VARCHAR(100) DEFAULT 'RS256'
)

This table will be used to store one key for each client, which you should generate by running these commands (I found this one here):

# private key
$ openssl genrsa -out privkey.pem 2048

# public key
$ openssl rsa -in privkey.pem -pubout -out pubkey.pem

Then you should take the content of those files and fill public_key and private_key along with the client_id.

My access tokens were being generated in oauth_access_tokens because I am using the implicit grant type (no client_secret in oauth_clients and the allow_implicit flag in global.php), so I needed to increase the size of the access_token field; you may need to check how many chars the field(s) you're using can hold:

ALTER TABLE `oauth_access_tokens` CHANGE `access_token` `access_token` VARCHAR(2000) NOT NULL;

That should be it! You should now be getting a JWT as an answer from Apigility!

Hope this helps.

tworems
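An added example, not code from the question, the answer or Apigility itself: it shows what the HEADER.PAYLOAD.SIGNATURE structure mentioned in the question looks like in practice, and what a resource server should do with the RS256 token that the setup in the answer produces. It uses Go's standard library instead of PHP, generates the RSA key in-process as a stand-in for the `openssl genrsa` step, and renders the public key in the same PKIX "PUBLIC KEY" PEM form that `openssl rsa -pubout` writes (the text you would paste into oauth_public_keys.public_key). The issuer value and client_id are copied from the answer's config and the question's sample payload; the function names SignRS256, VerifyRS256, PublicKeyPEM and ParsePublicKeyPEM are mine. The order of checks in VerifyRS256 is the part worth copying: pin the algorithm to RS256 rather than reading it from the header, verify the signature, and only then read iss, aud and exp out of the payload.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Claims is the JWT payload as a map, so token_type and scope round-trip untouched.
type Claims map[string]interface{}

// PublicKeyPEM renders a key the way `openssl rsa -pubout` does (PKIX "PUBLIC KEY"
// block): the text that goes into oauth_public_keys.public_key.
func PublicKeyPEM(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
}

// ParsePublicKeyPEM reads that column value back into an RSA public key.
func ParsePublicKeyPEM(text string) (*rsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(text))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY PEM block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := key.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, errors.New("not a parseable RSA public key")
	}
	return pub, nil
}

// SignRS256 builds HEADER.PAYLOAD.SIGNATURE: base64url (no padding) JSON header
// and payload, then RSA PKCS#1 v1.5 with SHA-256 over "HEADER.PAYLOAD".
func SignRS256(priv *rsa.PrivateKey, claims Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyRS256 is what a resource server should do: split the three parts, pin the
// algorithm to RS256 (never let the header pick it), check the signature, then iss, aud, exp.
func VerifyRS256(pub *rsa.PublicKey, token, issuer, audience string, now int64) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token does not have 3 parts")
	}
	enc := base64.RawURLEncoding
	headerJSON, err1 := enc.DecodeString(parts[0])
	payloadJSON, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed base64url segment")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("header alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var claims Claims
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != issuer || claims["aud"] != audience {
		return nil, errors.New("wrong issuer or audience")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || int64(exp) <= now {
		return nil, errors.New("exp missing or in the past")
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for `openssl genrsa`
	pub, _ := ParsePublicKeyPEM(PublicKeyPEM(&priv.PublicKey))
	tok, _ := SignRS256(priv, Claims{"iss": "issueroftoken.com", "aud": "client_id", "sub": "user_id", "exp": 1483711650})
	claims, err := VerifyRS256(pub, tok, "issueroftoken.com", "client_id", 1483708051)
	fmt.Println(claims["sub"], err) // user_id <nil>
}
```

In the Apigility deployment the public key would be read from the public_key column filled in above rather than generated in-process, and the same three checks (algorithm pinned, signature verified, then iss/aud/exp) apply whatever language the resource server is written in.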