How to setup the HTTP API for OpenID Connect UserInfo

Prerequisites

- PAS 3.0 installed

- The PhenixID OIDC token endpoint must have returned an access_token whose value is bound to the session as an alias.

- User information must have been stored in the session during authentication (using session* valves in the pipe). Consult the valves documentation for usage examples.

Add local http-api module

- Login to configuration manager

- Click the Advanced tab

- Open Modules (click on the pen)

- Add this module (if module is already added, only add tenant and/or allowedOperation):

{
    "module": "com.phenixidentity~phenix-api-authenticate",
    "enabled": "true",
    "config": {
        "tenant": [
            {
                "id": "t1",
                "displayName": "Tenant1",
                "allowedOperation": [
                    "userinfo"
                ]
            }
        ]
    },
    "id": "authapi_module"
}

- Click Stage Changes and Commit Changes

- Open NODE_GROUPS (click on the pen)

- Add the id of the newly added module to module_refs (see the example below). You can skip this step if the module was already added.

{
    "name": "WIN-DHB3ICNDG4E",
    "description": "Default node (created automatically)",
    "config": {
        "module_refs": "authapi_module,sealapp,signapp_1,......"
    },
    "created": "2017-07-03T11:38:03.135Z",
    "id": "493afd0e-0fe8-40e4-b1a1-a24a5e2df6e2",
    "modified": "2017-07-03T14:39:43.257Z"
}

- Click Stage Changes and Commit Changes


Add pipes to retrieve UserInfo

In this example, no client certificate is used. Please read the Valves documentation on how to configure a client certificate to the pipe.

- Click the Advanced tab

- Open Pipes (click on the pen)

- Add this pipe.

{
    "id": "userinfo",
    "valves": [
        {
            "name": "ItemCreateValve",
            "config": {
                "dest_id": "userinfo_props"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "authorization",
                "value": "{{request.Authorization}}"
            }
        },
        {
            "name": "PropertyReplaceValve",
            "config": {
                "source": "authorization",
                "dest": "access_token",
                "token": "Bearer ",
                "replacement": ""
            }
        },
        {
            "name": "SessionResolveValve",
            "config": {
                "alias": "{{item.access_token}}",
                "require_session": "true",
                "require_auth_session": "false"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "name",
                "value": "{{session.name}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "given_name",
                "value": "{{session.givenName}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "family_name",
                "value": "{{session.sn}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "email",
                "value": "{{session.mail}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "phone_number",
                "value": "{{session.mobile}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "sub",
                "value": "{{session.user_id}}"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "employee_role",
                "value": "{{session.role}}"
            }
        },
        {
            "name": "PropertyRemoveValve",
            "config": {
                "name": "access_token,authorization"
            }
        }
    ],
    "created": "2017-11-13T09:53:46.595Z"
}

- Remove or add claims above to suit your environment

- Change the claim name to session attribute name mapping to suit your environment

- If additional SQL / LDAP lookups should be performed, please consult the valves documentation to add such lookups.

- Click Stage Changes and Commit Changes
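To make the valve chain above concrete, here is an added Python model of what the userinfo pipe does per request (this is illustrative code, not PhenixID's implementation): extract the alias from the Authorization header, resolve the session, map session attributes to claims, and strip the token properties before responding. The session store, attribute values and the 401/invalid_token failure shape are constructed assumptions.

```python
# Constructed session store: access_token alias -> attributes that the
# session* valves stored during authentication (values are made up).
SESSIONS = {
    "tok-abc123": {
        "name": "Anna Andersson", "givenName": "Anna", "sn": "Andersson",
        "mail": "anna@example.com", "mobile": "+46700000000",
        "user_id": "anna", "role": "admin",
    }
}

# Claim name -> session attribute name, exactly as the PropertyAddValves map them.
CLAIM_MAP = {
    "name": "name",
    "given_name": "givenName",
    "family_name": "sn",
    "email": "mail",
    "phone_number": "mobile",
    "sub": "user_id",
    "employee_role": "role",
}


def userinfo(headers, sessions=SESSIONS):
    """Return (http_status, response_item) for one UserInfo request."""
    item = {}  # ItemCreateValve: the item that becomes the response body

    # PropertyAddValve: copy the raw Authorization header into the item.
    item["authorization"] = headers.get("Authorization", "")

    # PropertyReplaceValve: drop the "Bearer " prefix, leaving the alias.
    # A header with another scheme (e.g. Basic) is left as-is and will
    # simply fail to resolve below.
    item["access_token"] = item["authorization"].replace("Bearer ", "", 1)

    # SessionResolveValve with require_session=true: no session for the
    # alias means the pipe must fail. The error shape is an assumption.
    session = sessions.get(item["access_token"]) if item["access_token"] else None
    if session is None:
        return 401, {"error": "invalid_token"}

    # One PropertyAddValve per claim; a missing attribute yields an empty value.
    for claim, attr in CLAIM_MAP.items():
        item[claim] = session.get(attr, "")

    # PropertyRemoveValve: never echo the token back to the caller.
    for key in ("access_token", "authorization"):
        item.pop(key, None)
    return 200, item
```

Adjusting CLAIM_MAP is the same change as editing the PropertyAddValve entries in the pipe.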

[OPTIONAL] Add UserInfo endpoint to OIDC Discovery data

- Click the Advanced tab

- Click OIDC_OP

- Locate the OP configuration

- Add the UserInfo endpoint by adding the config parameter userinfo_endpoint with a value pointing to the pipe added above, and include the tenant ID in the URL.

"userinfo_endpoint" : "https://<PAS_SERVER>/api/authentication/userinfo?tenant=<TENANT_ID>",


FULL EXAMPLE:

{
    "id": "oidc_otp",
    "tenant": "oidc_otp",
    "guide_ref": "guides.authentication.oidc.uidpwdsms",
    "config": {
        "authorization_endpoint": "https://demo.phenixid.net/oidc/authenticate/oidc_otp",
        "userinfo_endpoint": "https://demo.phenixid.net/api/authentication/userinfo?tenant=oidc_otp",
        "issuer": "https://demo.phenixid.net/oidc_otp",
        "token_endpoint": "https://demo.phenixid.net/api/authentication/2a4b03b4-7073-4728-9149-6bb7409187e7?tenant=oidc_otp",
        "jwks_uri": "https://demo.phenixid.net/oidc_otp/.well-known/openid-configuration/jwks",
        "response_types_supported": [
            "code"
        ],
        "grant_types_supported": [
            "authorization_code"
        ],
        "subject_types_supported": [
            "public"
        ],
        "id_token_signing_alg_values_supported": [
            "RS256"
        ],
        "scopes_supported": [
            "openid"
        ],
        "token_endpoint_auth_methods_supported": [
            "none"
        ],
        "claims_supported": [
            "iss",
            "ver",
            "sub",
            "given_name",
            "family_name"
        ],
        "end_session_endpoint": "https://demo.phenixid.net/oidc/authenticate/logout/",
        "request_parameter_supported": "true",
        "signStore": "956bee24-98f0-41a5-9e27-76f8c89d1e1d"
    },
    "created": "2019-10-21T07:59:30.621Z"
}



Test

Use an HTTP REST client for testing and debugging. Follow the document Using PhenixID HTTP API for UserInfo to structure the HTTP requests properly.