Hello Thomas, Open Liberty doesn't install on/in WebSphere; it's a standalone server.
If you want to use Open Liberty as an OP, you either need to download the "All GA Features" zip or any other zip and install the required features with bin/featureUtility, e.g.:
bin/featureUtility installFeature openidConnectServer-1.0
Which other zip you use depends on what else you'll run in the same server. If you don't intend to run any applications, you might start with the "kernel" download.
If you want to specifically use WebSphere Liberty as part of an existing product like WebSphere Application Server or WebSphere Application Server ND, as opposed to the open source, you would be downloading the WebSphere Liberty packages here:
https://www.ibm.com/support/pages/node/6550836
The first set of links includes "all features". The later links would require installation as described above, with the same detail around choosing what your app requires or "kernel" as a base.
------------------------------
Eric Covener
------------------------------
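As an added example (this is not from Eric's post, and not IBM's own sample), the kind of minimal server.xml a Liberty server needs once openidConnectServer-1.0 has been installed with featureUtility, so that it can act as the OP that the WebSphere traditional OIDC RP TAI points at. Everything concrete in it is an assumption for illustration: the hostnames, ports, the client id and secret, the keystore password, the registry users, and the redirect URI are placeholders, and the basicRegistry stands in for whatever registry the two runtimes are eventually configured to share (the thread's actual requirement is that OP and RP use the same registry; this file does not solve that part).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's own configuration. All names, hosts,
     ports, passwords and the client secret below are placeholder assumptions. -->
<server description="Liberty acting as an OpenID Connect Provider (example)">

    <featureManager>
        <!-- The feature installed with: bin/featureUtility installFeature openidConnectServer-1.0 -->
        <feature>openidConnectServer-1.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <!-- OIDC requires TLS; bind the HTTPS endpoint explicitly rather than relying on localhost. -->
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>

    <!-- Keystore for TLS and for signing ID tokens. Liberty generates a self-signed key on first
         start when only a password is given; replace with a CA-issued key before the RP trusts it. -->
    <keyStore id="defaultKeyStore" password="changeMe-keystore-password"/>

    <!-- Placeholder registry. The realm value here is the "realm name" the RP side is asked for.
         The real deployment would point both runtimes at the same shared registry instead. -->
    <basicRegistry id="basic" realm="OpRealm">
        <user name="alice" password="changeMe-alice"/>
        <user name="bob"   password="changeMe-bob"/>
        <group name="appUsers">
            <member name="alice"/>
            <member name="bob"/>
        </group>
    </basicRegistry>

    <!-- The OAuth 2.0 provider that the OIDC provider is layered on.
         The RP is registered as a client; its redirect URI must match the RP's callback exactly. -->
    <oauthProvider id="OAuthConfigSample" filter="request-url%=/oidc/endpoint/OidcConfigSample"
                   oauthOnly="false" allowPublicClients="false">
        <localStore>
            <!-- Assumed redirect path for a WebSphere traditional RP TAI whose provider id is "RP".
                 Keep the secret out of plain text in a real server.xml (use a variable or an
                 encoded value) and rotate it if it has ever been shared insecurely. -->
            <client name="rp-client"
                    secret="changeMe-client-secret"
                    displayname="Application B relying party"
                    redirect="https://rp.example.com:9443/oidcclient/redirect/RP"
                    scope="openid profile email"
                    enabled="true"/>
        </localStore>
    </oauthProvider>

    <!-- The OIDC provider itself. RS256 with a keystore-backed key lets the RP verify ID tokens
         via the OP's JWK endpoint instead of a shared HS256 secret. -->
    <openidConnectProvider id="OidcConfigSample"
                           oauthProviderRef="OAuthConfigSample"
                           signatureAlgorithm="RS256"
                           keyStoreRef="defaultKeyStore"
                           jwkEnabled="true"/>

    <!-- Who may authenticate at the OP and who may administer clients. -->
    <oauth-roles>
        <authenticated>
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </authenticated>
        <clientManager>
            <user name="alice"/>
        </clientManager>
    </oauth-roles>

</server>
```

With this in place the OP's discovery document is served at https://op.example.com:9443/oidc/endpoint/OidcConfigSample/.well-known/openid-configuration (host assumed), and the RP TAI on WebSphere traditional is pointed at the issuer and client id/secret registered above. Two things to check before trusting the setup: the redirect URI registered for the client must be byte-for-byte the one the RP sends, and the RP must import the OP's TLS signer certificate (or use a CA both sides trust), which is the signer-certificate question raised at the start of the thread.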
Original Message:
Sent: Thu February 17, 2022 10:30 AM
From: Thomas Mayr
Subject: Configure OpenID Connect Relying Party for OAuth service provider
... one more question:
which Open Liberty package should I use for the installation on WebSphere 9? Jakarta EE 8/9 or Web Profile 8/9?
Kind regards Thomas
------------------------------
Thomas Mayr
Original Message:
Sent: Thu February 17, 2022 10:27 AM
From: Thomas Mayr
Subject: Configure OpenID Connect Relying Party for OAuth service provider
Hi Barbara,
with registry, you mean where the user credentials (username, password) and the roles are stored? This information is stored in a DB2 database used by the existing WEB application A. This application has a login form and performs the authentication and assigns the roles protecting the application pages to the logged-in user in the classic way.
Now a new WEB application B is developed, which should use the authentication (and user registry) of application A. This means, if a user navigates to a protected page of application B, it should first be redirected to the login form of application A and after successful login it should be redirected back to the protected page of application B. The user should have access to the protected pages of application A (if authorized) without additional login. If the user is logged out of one application, it should also be logged out of the other application. So we have a classic SSO scenario.
Ideally, we can use the existing DB2 database as registry and the login form of application A as login form of the OP.
Kind regards
Thomas
------------------------------
Thomas Mayr
Original Message:
Sent: Thu February 17, 2022 09:58 AM
From: Barbara Jensen
Subject: Configure OpenID Connect Relying Party for OAuth service provider
Hi Thomas,
WebSphere Application Server is an IBM Product that provides two runtime choices, the traditional WebSphere runtime and the more modern and agile Liberty one. Here is information in IBM Docs about how to install Liberty: https://www.ibm.com/docs/en/was-liberty/nd?topic=installing-liberty
If your customer is currently a WAS house, a complete switch to Liberty takes some planning. What I suggest is that they configure the OIDC RP on WAS, then have their OP on Liberty. Liberty is a lightweight server, but has more functionality in most components. Most of our team's new development goes into Liberty. This is why there is an OIDC OP on Liberty, but not on WAS. However, the OIDC RP is actively managed and enhanced on both platforms at this time.
The most important part is the registry. Since the OP only handles authentication, not authorization, as long as they configure both runtimes to use the same registry, the functionality that you'd get out of the OP being on Liberty vs. it being in WAS is the same. The authorization step is done at the RP side (so this is the one that you'd want on WAS, so it can protect the apps). What is the target registry?
------------------------------
Barbara Jensen
Original Message:
Sent: Thu February 17, 2022 05:39 AM
From: Thomas Mayr
Subject: Configure OpenID Connect Relying Party for OAuth service provider
Hello Barbara,
thank you for your answers (also to my other post). Just one more question: Is WebSphere Liberty similar to the traditional WebSphere (e.g. can it be configured in the same way) or is this a completely different product?
The background for my question is that I cannot decide to switch to WebSphere Liberty, because WebSphere is currently established at our customer. So I'd have to convince the customer to switch to WebSphere or to integrate the Liberty OP in their traditional WebSphere.
------------------------------
Thomas Mayr
Original Message:
Sent: Wed February 16, 2022 03:24 PM
From: Barbara Jensen
Subject: Configure OpenID Connect Relying Party for OAuth service provider
An OIDC RP cannot use the OAuth provider in WebSphere as an OP. This is because the OAuth provider in WebSphere is a vanilla OAuth 2.0 OP and an OIDC RP requires an OP that is an OpenID Connect Provider.
If you want a local OP, you can use the Liberty OP instead. There are quick setup instructions on our examples page: https://www.ibm.com/support/pages/node/567695
Under WebSphere traditional examples, expand Setting up the WebSphere traditional OIDC RP TAI to use a Liberty OP. There are instructions for downloading and setting up your Liberty OP and configuring the OIDC RP on your WebSphere AS to use it. The example is using a local registry though. You can expand Liberty to use whatever registry you want.
------------------------------
Barbara Jensen
Original Message:
Sent: Wed February 16, 2022 02:08 PM
From: Thomas Mayr
Subject: Configure OpenID Connect Relying Party for OAuth service provider
Hello,
I configured an OAuth service provider in WebSphere. Now I try to configure an OpenID Connect Relying Party according to Configuring an OpenID Connect Relying Party. Now two questions arise:
How do I get the SSL signer certificate for the OAuth service provider? Is this the signer certificate under "SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates"?
What is the OpenID connect provider's realm name in this case?
Thank you and kind regards
Thomas
------------------------------
Thomas Mayr
------------------------------