11 Extending the Capabilities of the Mobile and Social Server

This chapter discusses how to extend the Mobile and Social Java interfaces to add new authentication Services Providers for Mobile Services. This chapter includes the following topics:

11.1 Create a new Authentication Services Provider for Mobile Services

This section covers the following topics:

11.1.1 Developing the Custom Authentication Service Provider

To create a custom authentication Service Provider you need to write two custom classes:

  • TokenService - Implement this interface first. This is a basic custom token provider that works with non-mobile applications.

  • MobileCompositeTokenServiceProvider - Extend this class to support mobile applications. Here you are re-purposing the custom token provider you created to support Mobile SSO. If you do not need to support mobile applications, you do not need to extend this class.

11.1.1.1 Implementing the TokenService Interface

Refer to the TokenService Java documentation for details about the API to be implemented. Note that you will also need to implement the LifecycleServiceProvider and UserAuthenticator interfaces.

In the custom token provider, you must implement the createTokens() method to reuse this authentication Service Provider to support mobile clients.

When the token operation succeeds and returns a Token object, or fails and throws a RESTUnauthorizedException, create a PluginContext object and include it in the returned Token object or in the thrown RESTUnauthorizedException.

  • Each Service Domain has a Security Handler plug-in. The Security Handler Plug-in tracks user behavior patterns and, if necessary, can issue an authentication challenge (for example, a knowledge-based authentication challenge). The OAAMSecurityHandlerPlugin is included with Mobile and Social. Oracle Adaptive Access Manager integration is required for knowledge-based authentication (KBA) challenges.

  • After an authentication Service Provider token operation, a Security Handler Plug-in is typically invoked. Data in this PluginContext is used to communicate with the security plug-in. If the Token object or RESTUnauthorizedException object does not contain a PluginContext object, the configured security plug-in is not invoked.

  • A PluginContext object is created through the PluginDataFactory API. The PluginContext API collects security data such as the type of security event, the User ID, the client application ID, and the authentication status and type of each of those IDs. Refer to the Javadocs for details.

11.1.1.2 Extending the MobileCompositeTokenServiceProvider

Extend this class to reuse the custom token Service Provider to support mobile devices.

Implement the getComponentTokenServiceProviderClass() API. Refer to the following sample code:

protected Class getComponentTokenServiceProviderClass() {
  // CustomTokenProvider is the class name you implemented. Change the name to
  // the name that you used when implementing the TokenService.
  return CustomTokenProvider.class;
}

For more information, see the Java documentation for this class.

11.1.2 Building the Custom Authentication Service Provider

Build the custom authentication Service Provider as follows.

11.1.2.1 To Build the Custom Authentication Service Provider

  1. Gather the oic_rest.jar file, the oic_common.jar file, and any additional JAR files needed for your custom code.

    For example:

    com/example/tokenprovider/MyTokenProvider.java implementing TokenService
    com/example/tokenprovider/MobileMyTokenProvider.java extending MobileCompositeTokenServiceProvider
    
  2. Build the custom token provider.

    For example:

    javac -cp ./oic_rest.jar:./oic_common.jar com/example/tokenprovider/MyTokenProvider.java
    
    javac -cp ./oic_rest.jar:./oic_common.jar:. com/example/tokenprovider/MobileMyTokenProvider.java
    
  3. Build the JAR file.

    For example:

    jar cvf mytokenpro.jar com/example/tokenprovider/*.class
    

11.1.3 Deploying the Custom Authentication Service Provider

Deploy the custom authentication Service Provider as follows.

11.1.3.1 To Deploy the Custom Authentication Service Provider

  1. Copy mytokenpro.jar to your deployment's fmwconfig/oic/plugins directory.

    The JAR files here are dynamically picked up by Mobile and Social. If additional JAR files are needed for the custom Service Provider, then those files need to be available in the CLASSPATH of the container.

  2. To configure your custom token provider from the Administration console, choose System Configuration > Mobile and Social > Mobile Services > Service Providers > Authentication Service Providers.

    Create a new Service Provider, for example MyTokenProvider.

  3. Configure your custom token Provider for mobile SSO applications.

    If you implemented MobileCompositeTokenServiceProvider, from the Administration console choose System Configuration > Mobile and Social > Mobile Services > Service Providers > Authentication Service Providers.

    Create a new Service Provider, for example MobileMyTokenProvider.

  4. Configure the authentication Service instances that use the custom token providers defined in steps 2 and 3.

    From the Administration console choose System Configuration > Mobile and Social > Mobile Services > Service Domains > Select a Service Domain > Authentication Services.

    Create a new instance, for example MyTokenService.

  5. Define an authentication Service instance that uses the custom mobile token providers defined in steps 2 and 3.

    From the Administration console choose System Configuration > Mobile and Social > Mobile Services > Service Domains > Select a Service Domain > Authentication Services.

    Create a new instance, for example MobileMyAuthnService.

The custom authentication Service Providers can now be used in the deployment.

11.2 Create a new Identity Service Provider for Internet Identity Services

Mobile and Social provides support for the following Identity Providers: Facebook, Google, LinkedIn, Twitter, and Yahoo. You can add additional OpenID and OAuth service providers by implementing the IdentityProvider Java interface, and then use the System Administration Console to add the provider to your Mobile and Social deployment.

This section covers the following topics:

11.2.1 Developing the Custom Identity Service Provider

The interface has three methods:

  • authenticateUser() - This method initiates the process of authenticating the User with the Identity Provider. After authentication, the Identity Provider uses the Return URL sent in the authentication request to return Identity profile information to the Mobile and Social server.

    There are two return URL options:

    • https://host.example.com:port/oic_rp/popup - Use this option if the Identity Provider login page opens in a pop-up window.

    • https://host.example.com:port/oic_rp/return - Use this option if the Identity Provider login page opens in the same browser window as the application's login page.

  • getAccessToken() - If the Identity Provider uses the OAuth protocol, the Mobile and Social server needs to get an Access Token using this method. The Mobile and Social server uses the Access Token to get a User Token.

  • getUserProfile() - This method gets the User profile from the Identity Provider.

11.2.2 Building the Custom Identity Service Provider

Build the custom Identity Service Provider as follows.

11.2.2.1 To Build the Custom Identity Service Provider

  1. Gather the oic_rp.jar file, the oic_common.jar file, and the j2ee.jar file.

  2. Build the class.

    For example if the Identity Provider name is XYZ:

    javac -cp ./j2ee.jar:./oic_rp.jar:./oic_common.jar com/xyz/custom/idp/XYZImpl.java
    

    Add any additional JAR files as required by your custom code.

  3. Build the JAR file.

    For example:

    jar cvf xyz-idp.jar com/xyz/custom/idp/XYZImpl.class
    

11.2.3 Deploying the Custom Identity Service Provider

Deploy the custom Identity Service Provider as follows. The following steps use XYZProvider as an example.

11.2.3.1 To Deploy the Custom Identity Service Provider

  1. Copy xyz-idp.jar to your deployment's fmwconfig/oic/plugins directory.

    The JAR files here are dynamically picked up by Mobile and Social. If additional JAR files are needed for the custom Service Provider, then those files need to be available in the CLASSPATH of the container.

  2. To configure your custom Identity Provider from the Administration console, choose System Configuration > Mobile and Social > Internet Identity Services.

    In the Internet Identity Providers section click Create to add the new Internet Identity Provider, for example XYZProvider.

    • Define any attributes needed under Protocol Attributes. These attributes are consumed in the custom implementation.

    • Define any User attributes in the User Attributes Returned section. These attributes are consumed in the custom implementation as part of the getUserProfile() method logic.

    Or, instead of using the Administration console, add the following XML to oic_rp.xml:

        <InternetIdentityProvider description="XYZ OAuth Provider" name="XYZProvider">
            <icon>XYZ.gif</icon>
            <protocolType>OAuth</protocolType>
            <userAttribute>
                <name>id</name>
                <value>id</value>
            </userAttribute>
            <userAttribute>
                <name>first_name</name>
                <value>first_name</value>
            </userAttribute>
            <userAttribute>
                <name>last_name</name>
                <value>last_name</value>
            </userAttribute>
            <userAttribute>
                <name>email</name>
                <value>email</value>
            </userAttribute>
            <userAttribute>
                <name>location</name>
                <value>location</value>
            </userAttribute>
            <userAttribute>
                <name>birthday</name>
                <value>birthday</value>
            </userAttribute>
            <userAttribute>
                <name>gender</name>
                <value>gender</value>
            </userAttribute>
            <userAttribute>
                <name>language</name>
                <value>language</value>
            </userAttribute>
            <userAttribute>
                <name>country</name>
                <value>country</value>
            </userAttribute>
            <userAttribute>
                <name>profile_image_url</name>
                <value>profile_image_url</value>
            </userAttribute>
            <providerImplClass>com.xyz.custom.idp.XYZImpl</providerImplClass>
        </InternetIdentityProvider>
    
  3. Create or Edit the Application Profile that will use the custom Identity Provider.

    For instructions, see "Editing or Creating Application Profiles" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  4. In the Application User Attribute Vs. Internet Identity Provider User Attributes Mapping section select XYZProvider and define the User attribute mapping.
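Two deployment mistakes are easy to make with the oic_rp.xml fragment in step 2: a providerImplClass that names a class the JAR in fmwconfig/oic/plugins does not actually contain, and a duplicate userAttribute name that makes the attribute mapping in step 4 ambiguous. The following Python check is an added example, not part of Oracle's documentation or product; it parses a fragment like the one above and cross-checks it against the xyz-idp.jar built in 11.2.2. The sample fragment and the in-memory JAR are constructed here.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample: the oic_rp.xml fragment from step 2, trimmed to two user attributes.
SAMPLE_XML = """<InternetIdentityProvider description="XYZ OAuth Provider" name="XYZProvider">
    <icon>XYZ.gif</icon>
    <protocolType>OAuth</protocolType>
    <userAttribute><name>id</name><value>id</value></userAttribute>
    <userAttribute><name>email</name><value>email</value></userAttribute>
    <providerImplClass>com.xyz.custom.idp.XYZImpl</providerImplClass>
</InternetIdentityProvider>"""

VALID_PROTOCOLS = {"OAuth", "OpenID"}  # the two protocol families the chapter names

def parse_provider(xml_text):
    """Parse one provider element; raise ValueError on anything structurally wrong."""
    root = ET.fromstring(xml_text)
    if root.tag != "InternetIdentityProvider" or not root.get("name"):
        raise ValueError("expected <InternetIdentityProvider name=...>")
    proto = root.findtext("protocolType")
    if proto not in VALID_PROTOCOLS:
        raise ValueError(f"unsupported protocolType: {proto!r}")
    impl = (root.findtext("providerImplClass") or "").strip()
    if not impl:
        raise ValueError("providerImplClass is required")
    attrs = {}  # name -> value; a duplicate name makes the step 4 mapping ambiguous
    for ua in root.findall("userAttribute"):
        n, v = ua.findtext("name"), ua.findtext("value")
        if not n or not v:
            raise ValueError("userAttribute needs both name and value")
        if n in attrs:
            raise ValueError(f"duplicate userAttribute name: {n}")
        attrs[n] = v
    return {"name": root.get("name"), "protocol": proto, "impl": impl, "attributes": attrs}

def impl_class_in_jar(impl_class, jar_bytes):
    """True if the dotted class name exists as a .class entry in the JAR (a zip file)."""
    entry = impl_class.replace(".", "/") + ".class"
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return entry in jar.namelist()

def make_sample_jar(entries):
    """Constructed stand-in for xyz-idp.jar: an in-memory zip with empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for e in entries:
            jar.writestr(e, b"")
    return buf.getvalue()
```

Run parse_provider() over the real oic_rp.xml entry and impl_class_in_jar() over the JAR copied to fmwconfig/oic/plugins before restarting the server, so a typo in the class name surfaces as a check failure rather than as a provider that silently fails to load.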