When trying to configure Social Authentication with OpenAM 12 you may notice that out of the box OpenAM only supports Microsoft, Google and Facebook. The reasoning behind this is that at the time of the implementation these providers supported OpenID Connect (well, Facebook supports Facebook Connect, but that’s close enough). If you would like to set up social authentication with other providers, that is still possible, but a bit tricky. In this article I’m going to show how social authentication can be configured with, for example, LinkedIn (which currently only supports OAuth2, not OIDC).
Create an OAuth2 app at LinkedIn
In order to be able to obtain OAuth2 access tokens from LinkedIn, you will need to register your OpenAM as a LinkedIn application by filling out some silly forms. The second page of this wizard gets a bit more interesting, so here are a couple of things that you should do:
- Take a note of the Client ID and Client Secret displayed.
- Make sure that OpenAM’s Redirect URI is added to the valid OAuth 2.0 Authorized Redirect URLs; by default it looks something like:
http://openam.example.com:8080/openam/oauth2c/OAuthProxy.jsp
Configure OpenAM for Social authentication
To simply configure LinkedIn for OAuth2 based authentication, you just need to create a new authentication module instance with OAuth 2.0 / OpenID Connect type. With ssoadm that would look something like:
$ openam/bin/ssoadm create-auth-instance -e / -m linkedin -t OAuth -u amadmin -f .pass
This just configures an OAuth2 authentication module with the default settings, so now let’s update those settings to actually match up with LinkedIn:
$ openam/bin/ssoadm update-auth-instance -e / -m linkedin -u amadmin -f .pass -D linkedin.properties
Where linkedin.properties contains:
iplanet-am-auth-oauth-client-id=
iplanet-am-auth-oauth-client-secret=
iplanet-am-auth-oauth-auth-service=https://www.linkedin.com/uas/oauth2/authorization
iplanet-am-auth-oauth-token-service=https://www.linkedin.com/uas/oauth2/accessToken
iplanet-am-auth-oauth-scope=r_basicprofile
iplanet-am-auth-oauth-user-profile-service=https://api.linkedin.com/v1/people/~?format=json
org-forgerock-auth-oauth-account-mapper-configuration=id=uid
org-forgerock-auth-oauth-attribute-mapper-configuration=lastName=sn
org-forgerock-auth-oauth-attribute-mapper-configuration=firstName=givenName
org-forgerock-auth-oauth-attribute-mapper-configuration=id=uid
org-forgerock-auth-oauth-prompt-password-flag=false
At this stage you should be able to authenticate with LinkedIn by simply opening up /openam/XUI/#login/&module=linkedin.
To set up this OAuth2 module for social authentication you just need to do a few more things:
Add the authentication module to a chain (social authentication uses authentication chains to allow more complex authentication flows):
$ openam/bin/ssoadm create-auth-cfg -e / -m linkedinChain -u amadmin -f .pass
$ openam/bin/ssoadm add-auth-cfg-entr -e / -m linkedinChain -o linkedin -c REQUIRED -u amadmin -f .pass
Now to enable the actual social authentication icon on the login pages, just add the Social authentication service to your realm:
$ openam/bin/ssoadm add-svc-realm -e / -s socialAuthNService -u amadmin -f .pass -D social.txt
Where social.txt contains:
socialAuthNDisplayName=[LinkedIn]=LinkedIn
socialAuthNAuthChain=[LinkedIn]=linkedinChain
socialAuthNIcon=[LinkedIn]=https://static.licdn.com/scds/common/u/images/logos/linkedin/logo_in_nav_44x36.png
socialAuthNEnabled=LinkedIn
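What the linkedin.properties settings above actually do at login time, as an added Python example that is not part of the original post and not OpenAM’s own code: it parses the post’s mapper entries, builds the first leg of the code flow from the auth-service, scope and redirect URI values, and applies the account and attribute mappers to a constructed LinkedIn profile. The state parameter, the sample profile and all function names are the example’s own assumptions, not OpenAM settings.

```python
import json
import secrets
from urllib.parse import urlencode

# Values from the post's linkedin.properties (the blank client id is supplied by
# the caller). Mapper entries use OpenAM's "remoteAttribute=localAttribute" form.
AUTH_SERVICE = "https://www.linkedin.com/uas/oauth2/authorization"
REDIRECT_URI = "http://openam.example.com:8080/openam/oauth2c/OAuthProxy.jsp"
SCOPE = "r_basicprofile"
ACCOUNT_MAPPER = ["id=uid"]
ATTRIBUTE_MAPPER = ["lastName=sn", "firstName=givenName", "id=uid"]

def parse_mapping(entries):
    """Parse ['lastName=sn', ...] into {'lastName': 'sn', ...}; reject malformed entries."""
    mapping = {}
    for entry in entries:
        remote, sep, local = entry.partition("=")
        if not sep or not remote or not local:
            raise ValueError(f"malformed mapper entry: {entry!r}")
        mapping[remote] = local
    return mapping

def build_authorization_url(client_id, state=None):
    """Step 1 of the code flow: the authorization request the browser is sent to."""
    # 'state' is standard OAuth2, not one of the post's settings: an unguessable
    # per-login value that must come back unchanged on the redirect (login CSRF check).
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": SCOPE, "state": state}
    return f"{AUTH_SERVICE}?{urlencode(params)}", state

def map_profile(profile_json):
    """Apply account and attribute mappers to the user-profile-service JSON."""
    # The account mapper result is the key used to look up an existing user; with
    # "id=uid" that key is the LinkedIn id, so a user sharing only an email is not matched.
    profile = json.loads(profile_json)
    account = {local: profile[remote]
               for remote, local in parse_mapping(ACCOUNT_MAPPER).items() if remote in profile}
    attributes = {local: profile[remote]
                  for remote, local in parse_mapping(ATTRIBUTE_MAPPER).items() if remote in profile}
    if not account:
        raise ValueError("profile has no attribute usable as the account lookup key")
    return account, attributes

# Constructed sample of a LinkedIn v1 people response (not real data); unmapped
# fields such as headline are dropped by the mappers.
SAMPLE_PROFILE = ('{"id": "a1B2c3D4e5", "firstName": "Ada", "lastName": "Lovelace",'
                  ' "headline": "Analyst"}')
```

Because the account lookup key is the mapped uid and not an email address, a LinkedIn login for someone who already has a local account under a different uid creates a second account rather than linking the two.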
Please keep in mind that OAuth2 is primarily an authorization protocol; for authentication you should really use OpenID Connect. As the social authentication implementation is quite generic, you should be able to configure any kind of authentication mechanism and display it with a pretty logo on the login page if you’d like.
Some links I’ve found useful when writing up this post:
OpenAM 12 – Social Authentication
LinkedIn OAuth2 docs
LinkedIn REST API
Thanks. Very useful !
Hi Peter,
Thanks for your posting, it’s working pretty fine… and very easy to follow…
If I log in to OpenAM by using the LinkedIn-associated email
“[email protected]” for the first time to the specific realm … it’s creating a new account in OpenAM based on the UID (random ID provided by the LinkedIn OAuth scope) though I have the same email on another user
Thanks
Sai