Skip to content

Latest commit

 

History

History

relying-party-spring-boot

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
docker
docker
 
 
src/main
src/main
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 
pom.xml
pom.xml
 
 

README.md

SPID CIE OIDC Relying Party Example Project with SpringBoot and Java

This project showcases the relying party.

Requirements:

How to run

Run the provider federation

Clone this repository and install all the elements inside the MavenLocal registry

git clone https://github.com/italia/spid-cie-oidc-java

cd spid-cie-oidc-java

./mvnw clean install

Start the spring boot example

cd examples/relying-party-spring-boot
../../mvnw clean spring-boot:run

this will start the relying party server on http://127.0.0.1:8080, keep it running

Do the on-boarding process

  • generate the relying party jwks
    • go here to auto-generate it
    • federation jwks and core jwks are exposed on the page and inside application log
    • create the file ${user.home}/oidc-rp-jwk.json with the federation jwks
    • create the file ${user.home}/oidc-rp-core-jwk.json with the core jwks
      • use "reload" link to proceed with next step
  • show on-boarding datas
  • register the relying party here
    • set "name", "sub" and "jwks" with values shown in previous step
    • set isActive to true
  • create new profile here
    • set this relying party as Descendant
    • set "SPID Public SP" as Profile
    • set the Federation Entity as Issuer
  • after creation you review the profiles
    • copy trust_marks and save as ${user.home}/oidc-rp-trust-marks.json
    • trust_marks are exposed as JSONObject you have to store it as JSONArray (put [ ] around it)
  • complete relying party on-boarding
    • go here
    • user "reload" link to acquire trust marks
    • go here and verify trust_marks are exposed

Visit http://127.0.0.1:8080/oidc/rp/landing to try out the application

Docker

With docker we cannot use "127.0.0.1". Before proceed add this line to your hosts file

127.0.0.1   trust-anchor.org relying-party.org cie-provider.org

A docker image containing this example can be built a run:

  • docker-compose up
  • visit http://relying-party.org:8080/

Some hints:

  • we are using federation v1.4.0
  • docker images currently sets a proxy of the exposed ports on the localhost interface, so you could use previous chapter instructions replacing 127.0.0.1 with the right hostname
  • docker image mounts the folder ./docker/data-java as /data inside spring-boot container to externalize federation and core jwks and trust-marks configuration

Docker Compose in action on YouTube

To be onboarded into CIE Federation:

  • use always appropriate and valid TLS Certificates
  • use IP from Italian networks for your server [CIE Federation preproduction servers are using geoblocking]
  • as contact use the same institutional email address as stated into the administrative part [do not use PEC]
  • when copy the federation public key please follow this pattern: 
    • {
"keys": [
    {
      "alg": "RS256",
      "kid": "....",
      "kty": "RSA",
      "n": ".....",
      "e": "AQAB",
      "use": "sig"
    }
  ]
}
  • when onboarded, please retrieve the Trust Mark form TA fetch endpoint like this example for preproduction: https://preprod.oidc.registry.servizicie.interno.gov.it/fetch?sub={your_client_id}
  • remember to (put [ ] around the Trust Mark when writing the appropriate file
  • iat and exp claims must be issued according to the UTC timezone, this is an example command for the webapp: mvn clean spring-boot:run -Dspring-boot.run.jvmArguments="-Duser.timezone=UTC"