Demonstrating a Single-Page App With OIDC-Based SSO

Author:

Sheila Albertelli

Created at:

Mar 2019

Updated at:

Oct 2022

Written by Marc Craig

Summary

Instructions for demonstrating a single-page app with OIDC-based SSO.

Using OIDC to Build an SSO Client for Your REST APIs explained why you want standards-based single sign-on (SSO) for your web clients.

ForgeRock shows how to implement OpenID Connect (OIDC)-based SSO in your single-page app. ForgeRock provides a sample application that demonstrates login and logout. The sample application is a public client that protects its access to the OAuth 2.0 authorization code and its access tokens from third parties with HTTPS and Proof Key for Code Exchange (PKCE). This article walks you through a demonstration of the sample application’s features. It uses the ForgeRock Identity Platform running on your computer to provide the standard services.

Running the ForgeRock Identity Platform

The demonstration in this article depends on the 6.5 release of the ForgeRock Identity Platform. The ForgeRock platform assets for Kubernetes deployments are defined in a git repository called forgeops. The forgeops assets let you run the platform in minikube on your computer, or in a Kubernetes-based cloud platform. This article assumes you want to try the sample on your computer with minikube.

The setup process builds the following layers, starting from the bottom and working up:

image

Follow these steps to build the bottom three layers:

  1. Install third-party software for Kubernetes support:

  1. Clone the following git repositories:

Clone at least the forgeops and forgeops-init repositories into the same directory. The code in the forgeops-init repository relies on the relative location of the forgeops repository.

  1. Use the 6.5 forgeops artifacts:

cd forgeops
git checkout release/6.5.1

  1. Follow the README for the 6.5 branch of the Platform OAuth2 Sample.

At the end of this part of the setup process, verify that you have completed all steps successfully. For example, log in to the end user UI as user.0:`password` to view the user’s profile page. Start by visiting the end user UI login page, ignoring certificate validation errors if you have not trusted the test CA certificate, google-chrome --ignore-certificate-errors https://end-user-ui.sample.forgeops.com/:

https://backstage-community-prod.storage.googleapis.com/original/2X/8/842bfd00c9c3f5abef800c0a59323c1914555c4c

This shows that you have successfully deployed the ForgeRock Identity Platform 6.5 in minikube.

Running the Sample Application

The sample application under exampleOAuth2Clients/openidm-ui-enduser-appauth uses two JavaScript libraries:

appauthhelper

Simplifies PKCE for handling the initial login redirection and token acquisition. Helps establish a session by providing valid access and ID tokens in your browser’s session storage.

oidcsessioncheck

Helps the application acting as an OpenID Relying Party (RP) associate its local session with the OpenID Provider (OP).

Together, the libraries facilitate OIDC-based SSO.

The sample application is open source software. ForgeRock would like to know how you use it.

ForgeRock welcomes your PRs, bug reports and requests for enhancements on GitHub at GitHub - ForgeRock/exampleOAuth2Clients: Example OAuth2 clients for standards-based profile management.

To run the sample application, follow these steps:

  1. Check out the 6.5 version of the sample application code:

git checkout -b 6.5 -t origin/6.5

  1. Switch to the exampleOAuth2Clients/openidm-ui-enduser-appauth directory.

  2. Review the sample code in index.html and related files. You can see how the single-page app uses the AppAuthHelper and SessionCheck modules to get the tokens and to check for an invalid session, as would happen after logout.

  3. Register the application as an RP with ForgeRock Access Management deployed in minikube:

curl -k 'https://login.sample.forgeops.com/json/realms/root/realm-config/agents/OAuth2Client/appAuthClient' \
 -X PUT --data '{
     "coreOAuth2ClientConfig": {
         "redirectionUris": [
             "http://localhost:18888/appAuthHelperRedirect.html",
             "http://localhost:18888/sessionCheck.html"
         ],
         "scopes": [
             "openid",
             "profile",
             "profile_update",
             "consent_read",
             "workflow_tasks",
             "notifications"
         ],
         "grantTypes": [
             "authorization_code",
             "implicit"
         ],
         "isConsentImplied": true,
         "clientType": "Public",
         "tokenEndpointAuthMethod": "client_secret_post"
     }
 }' \
 -H 'Content-Type: application/json' -H 'Accept: application/json' \
 -H 'Cookie: iPlanetDirectoryPro='$( \
     curl -k 'https://login.sample.forgeops.com/json/realms/root/authenticate' \
     -X POST \
     -H 'X-OpenAM-Username:amadmin' \
     -H 'X-OpenAM-Password:password' \
     | sed -e 's/^.*"tokenId":"\([^"]*\)".*$/\1/' \
 )

The response is a JSON resource indicating successful registration. Key fields:

{"_id":"appAuthClient", "_type":{"_id":"OAuth2Client","name":"OAuth2 Clients","collection":true}}

  1. Install the JavaScript library dependencies:

npm i oidcsessioncheck appauthhelper

  1. Serve the files through an HTTP server on your computer:

http-server -p 18888

  1. View the page in your browser:

https://backstage-community-prod.storage.googleapis.com/original/2X/2/21393d8e02065b29fcd0a8e4abe71e7a37ddc11d

Demonstrating Sample Application Features

Once the ForgeRock Identity Platform and sample application are running together, you can demonstrate the features.

Use of the JavaScript Libraries

To see the JavaScript libraries in use and the messages exchanged, use the browser’s developer tools.

When logging in, you can see the appauthhelper library in action:

https://backstage-community-prod.storage.googleapis.com/original/2X/5/5f40816677a9768235469cf6d49e4933f43fd2d7

When clicking within a page, you can see the oidcsessioncheck in use:

https://backstage-community-prod.storage.googleapis.com/original/2X/6/6cf42e8e7557f91809306189bf21ab3b85bcc631

Single Sign-On

To demonstrate SSO after you log in through the sample application, open another browser tab to access the AM console, https://login.sample.forgeops.com/.

Notice that you automatically see the profile page without further login:

https://backstage-community-prod.storage.googleapis.com/original/2X/e/e7d1d3df2be5a53f64e3af6de3dadbc80409d77c

Single Log Out

To demonstrate single logout, select the Log Out option in the AM console:

https://backstage-community-prod.storage.googleapis.com/original/2X/8/846a24e8841e378aa54bcc9e1faa2c39d61e0eff

The AM console shows you are logged out:

https://backstage-community-prod.storage.googleapis.com/original/2X/a/ab07fd2df804170ff17443a8e6772172f48d6b29

Switch to the sample application tab and click something. The sample application finds the session is invalid, and logs you out there, too:

https://backstage-community-prod.storage.googleapis.com/original/2X/e/ee6b242b8a81a88472f556276630645d0afb5c43

Further Reading

  • A full description of the sample application is in the README.

  • The documentation about forgeops and the related deployment models is published on ForgeRock BackStage. The first document to read is Start Here.

  • For more information about the ForgeRock Identity Platform, see the ForgeRock Identity Platform page.