
OpenID Dumb Mode Consumer with OpenID4Java

A dumb mode consumer, or stateless consumer, is an OpenID assertion consumer that is not able, or not willing, to create associations with the OpenID provider. Association is the process of sharing a cryptographic secret between the OpenID provider and the relying party. The OpenID provider uses this shared secret to sign the messages it sends to the relying party, and the relying party uses the same secret to verify the signature of those messages. Signing guarantees the integrity and authenticity of a message, so an assertion consumer should only trust assertions whose signature it has verified and must discard any others. Smart consumers verify the messages sent by the OpenID provider using the pre-shared secret. Since dumb consumers have no pre-shared secret, they verify each message with the help of the OpenID provider by sending it a "check_authentication" message; this costs an extra direct round trip from the consumer to the provider for every login, and the provider must therefore be reachable from the consumer's server, not only from the user's browser.
Sequence of operations for a dumb consumer
  1. The user logs in with an OpenID identifier
  2. The consumer performs discovery based on the user supplied identifier
  3. The consumer creates the AuthRequest message
  4. The consumer redirects the browser to the OpenID provider
  5. The user is authenticated at the OpenID provider and redirected back to the consumer with an AuthResponse message
  6. The consumer verifies the AuthResponse message with the help of the OpenID provider (a check_authentication request), since it holds no shared secret of its own
To see the dumb mode consumer in operation, download the demo application war file and run it in Apache Tomcat. The source code of the application is available here. Use maven2 to build the project. Deploy the war file in Apache Tomcat and access the link http://localhost:8080/openid-dumb-consumer-app/

  • Instantiating a ConsumerManager object
ConsumerManager dumbManager = new ConsumerManager();
  • Switching the consumer manager to the dumb mode
  • Performing discovery on the user supplied openid identifier
List discoveries = dumbManager.discover(userSuppliedId); // userSuppliedId is the identifier entered in step 1
  • Creating the DiscoveryInformation object
DiscoveryInformation discovered = dumbManager.associate(discoveries);
Note that by default the consumer manager works in smart mode and will make up to four attempts to create an association with the OpenID provider. Since the number of attempts has been set to zero, the method only returns the DiscoveryInformation object (the selected provider endpoint) and makes no association, despite being named "associate".
  • Creating the AuthRequest message
The returnToUrl value must be the URL of the consumer endpoint that will receive the AuthResponse; the provider sends the user back to it and the consumer later checks the response against it.
String returnToUrl = httpRequest.getRequestURL().toString();
AuthRequest authRequest = dumbManager.authenticate(discovered, returnToUrl);
  • Redirecting the user to the openid provider
  • Capturing the AuthResponse message
Map httpReqParams = httpRequest.getParameterMap();
ParameterList authRespParams = new ParameterList(httpReqParams);
  • Verifying the AuthResponse
VerificationResult result = dumbManager.verify(receivingUrl, authRespParams, discovered);
Identifier verifiedId = result.getVerifiedId();
Here receivingUrl is the full URL at which the AuthResponse arrived, query string included, and discovered is the same DiscoveryInformation object that was used to build the AuthRequest; because the response arrives in a separate HTTP request, that object has to be kept (for example in the HTTP session) between the redirect and the verification. Note that verifiedId will be null if the verification failed, and a null result must be treated as a failed login. For a dumb consumer this verification is done with the help of the OpenID provider: the consumer sends the provider a check_authentication request and accepts the assertion only if the provider confirms that the signature is valid.
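The steps above assembled into one servlet-style class, as an added example that is not the demo application's own code. It assumes a form field named openid_identifier for step 1, a session attribute key openid-disc for carrying the discovery result between the two requests, and the OpenID4Java setMaxAssocAttempts(0) call to switch the ConsumerManager into dumb mode; those three names are assumptions, the rest is the OpenID4Java API used on this page.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.ParameterList;

/** Stateless ("dumb") OpenID consumer built on OpenID4Java. */
public class DumbConsumer {

    // Assumed names, not taken from the page.
    private static final String ID_PARAM = "openid_identifier";
    private static final String DISC_ATTR = "openid-disc";

    private final ConsumerManager dumbManager;

    public DumbConsumer() throws Exception {
        dumbManager = new ConsumerManager();
        // Dumb mode: never try to establish an association, so every
        // assertion is verified through check_authentication instead.
        dumbManager.setMaxAssocAttempts(0);
    }

    /** Steps 1-4: discovery, AuthRequest creation and redirect to the OP. */
    public void startLogin(HttpServletRequest req, HttpServletResponse resp) throws Exception {
        String userSuppliedId = req.getParameter(ID_PARAM);
        // return_to is the consumer endpoint that will receive the AuthResponse.
        String returnToUrl = req.getRequestURL().toString();

        List discoveries = dumbManager.discover(userSuppliedId);
        // With zero association attempts this only selects the OP endpoint;
        // no shared secret is created despite the method name.
        DiscoveryInformation discovered = dumbManager.associate(discoveries);

        // The response arrives in a separate HTTP request, so the discovery
        // result must survive in the session until verification.
        req.getSession().setAttribute(DISC_ATTR, discovered);

        AuthRequest authRequest = dumbManager.authenticate(discovered, returnToUrl);
        resp.sendRedirect(authRequest.getDestinationUrl(true));
    }

    /** Steps 5-6: capture the AuthResponse and verify it with the OP's help. */
    public Identifier finishLogin(HttpServletRequest req) throws Exception {
        ParameterList authRespParams = new ParameterList(req.getParameterMap());

        HttpSession session = req.getSession();
        DiscoveryInformation discovered = (DiscoveryInformation) session.getAttribute(DISC_ATTR);
        // One stored discovery serves exactly one response; drop it so a
        // second, replayed response cannot be verified against it.
        session.removeAttribute(DISC_ATTR);
        if (discovered == null) {
            return null; // no login in progress for this session
        }

        // receivingUrl must be the full URL the response was sent to, query
        // string included, because verify() compares it with openid.return_to.
        StringBuffer receivingUrl = req.getRequestURL();
        String query = req.getQueryString();
        if (query != null && query.length() > 0) {
            receivingUrl.append("?").append(query);
        }

        // With no association in the store, verify() sends check_authentication
        // to the OP and trusts the assertion only if the OP reports the signature
        // as valid; it also checks return_to, the response nonce and that the
        // responding OP matches the discovered endpoint.
        VerificationResult result = dumbManager.verify(receivingUrl.toString(), authRespParams, discovered);
        return result.getVerifiedId(); // null when verification failed
    }
}
```

A caller treats a null return from finishLogin as a failed login and must not read any claimed identifier out of the raw response parameters; only the Identifier that comes back from verify() has been confirmed by the provider.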
