This is an authenticator implementation for Apache Tomcat 9.0 and 8.5 that allows web-applications to use OpenID Connect to log users in.
References to Tomcat documenation in this manual link to Tomcat version 9.0. Corresponding pages for Tomcat 8.5 can be easily found on the Apache Tomcat website.
A complete sample web-application is available at https://github.com/boylesoftware/tomcat-oidcauth-sample.
Tomcat includes a number of built-in authenticators for the standard authentication mechanisms defined in section 13.6 of the Java Servlet 4.0 specification, such as HTTP Basic, HTTP Digest, and Form Based. These standard authenticators are implemented as Valves and are deployed in the web-application's context automatically depending on the application deployment descriptor's login-config element (section 14.4.19 of the Servlet specification). The OpenID Connect Authenticator extends the standard form-based authenticator and adds ability to use an OpenID Provider (OP) to log users in instead of or in addition to the login form hosted by the web-application itself. The OPs that implement the standard and can be used with the authenticator include Auth0, Google Identity Platform (including G Suite), Amazon Cognito, Microsoft Azure AD, Yahoo!, empowerID and others.
Web-applications are still developed for form-based authentication so that the auth-method element in the deployment descriptor's login-config is FORM and the form-login-config element defines the login and error pages included with the web-application. The same web-application binary can be deployed with or without the OpenID Connect Authenticator. The login page included with the web-application, while remaining compatible with standard form-based authentication, is the only place that is aware that it can be deployed with the OpenID Connect Authenticator and contains logic that either redirects to the login page hosted by the OP, offers the user links or buttons to go to one of the configured OP login pages or use a login form and standard form-based authentication, or some combination of the above. The authenticator valve and its configuration are specified in the web-application's context, so the same application binary can be deployed with different authenticators and authenticator configurations in different runtime environments. The fact that the application is developed as if for the standard form-based authentication makes this authenticator implementation suitable for adding OpenID Connect authentication capability to legacy web-applications.
This authenticator is intended for traditional Java Servlet web-applications with server-side page rendering and use of HTTP sessions. It is not intended for RESTful applications. The same way as the standard authenticator implementations included with Tomcat, this authenticator utilizes server-side HTTP sessions defined in the Servlet specification to maintain the authenticated user information.
The authenticator implements OpenID Connect's Authorization Code Flow. Once Tomcat sees an unauthenticated request to a protected web-application resource, it saves the request details in the HTTP session and forwards the request to the login page configured in the application deployment descriptor's form-login-config element. Normally, the login page is a JSP that displays a login form and submits the login information (the username and password) to the special /j_security_check URI (see section 13.6.3.1 of the Java Servlet 4.0 specification). As an extension to the standard form-based process, the OpenID Connect Authenticator provides the login page with special request attributes that include URLs of the login pages for every OP configured in the application context. The login page may include logic that decides how to present the login options to the user. For example, if the application allows only a single OP for the authentication and the local form-based login is disabled, the login page may immediately redirect the user's browser to the OP's login page. If more than one OP is configured to be used by the application to log users in, the login page may display all the login options: links to the configured OPs as well as the local login form (or none). If the login page detects that it is not deployed with the OpenID Connect Authenticator (the special request attributes provided by the authenticator are missing), it can simply display the login form as would any other application designed for the form-based authentication.
If the login page submits standard login form username and password (as j_username and j_password form fields) to the /j_security_check endpoint, the authenticator proceeds with the standard form-based authentication logic. However, if OpenID Connect flow is utilized, the user ends up on the login page provided by and hosted at the OP. After the authentication is completed at the OP, it redirects the user's browser back to the web-application, namely to its /j_security_check endpoint with the authorization code (as code URL query string parameter). The authenticator detects that the given /j_security_check call is indeed a redirect from the OP by the presence of the code parameter. If so, the authorization code is used to call the OP's Token Endpoint and exchange it for the ID Token, which is a cryptographically signed object containing the authenticated user information. If the authentication at the OP was not successful, the authenticator displays the login error page configured in the deployment descriptor's form-login-config element. As an extension to the standard form-based authentication, the error page may receive special request attributes with the error description.
Once the authenticator exchanges the authoization code for the ID Token, it extracts a field from the token (a claim) used as the username with the Tomcat's Realm and looks up the user. If the user is found in the realm, the user becomes the authenticated user and the HTTP session becomes authenticated. Note, that as opposed to RESTful applications, once the user is authenticated, the authenticator will not make any more calls to the OP for the duration of the HTTP session.
The binary release of the authenticator can be downloaded from Boyle Software, Inc.'s Maven repository at:
https://boylesoftware.com/maven/repo-os/org/bsworks/catalina/authenticator/oidc/tomcat-oidcauth/
The JAR need to be added to the Tomcat's classpath, for example, by placing it in $CATALINA_BASE/lib directory (see Tomcat's Class Loader How-To for more info).
There are separate binaries of the authenticator for Tomcat version 8.5 and 9.0. Make sure that you use one that's built for your version of Tomcat.
The authenticator is added to Tomcat configuration as a Valve. Normally, it goes into the web-application's Context. For example, for Tomcat 9.0:
<Valve className="org.bsworks.catalina.authenticator.oidc.tomcat90.OpenIDConnectAuthenticator"
providers="..." />
For Tomcat 8.5 it will look like the following:
<Valve className="org.bsworks.catalina.authenticator.oidc.tomcat85.OpenIDConnectAuthenticator"
providers="..." />
The authenticator is configured using the following attributes on the valve:
providers (required) - JSON-like array of objects, each describing and configuring an OpenID Provider (OP) available to the application. The syntax differs from the standard JSON in that it does not use double quotes around the property names and values (to make it XML attribute value friendly). A property value must be surrounded with single quotes if it contains commas, curly braces or whitespace. Each object describing an OP includes the following properties:
issuer (required) - The OP's unique Issuer Identifier corresponding to the iss claim in the ID Token. The issuer identifier is a URL that is used for identifying the OP to the application, validating the ID Token iss claim and, unless documentConfigurationUrl property described below is included, to load the OP configuration document according to the OpenID Connect Discovery's Obtaining OpenID Provider Configuration Information process (by adding .well-known/openid-configuration to the issuer identifier to form the OP configuration document URL).
validIssPattern (optional) - A regex pattern to use to validate the "iss" claim in the ID Token. If unspecified, a valid "iss" ID Token claim must be exactly equal to the issuer value, which is the standard OpenID Connect specification behavior. The standard behavior can be overridden for non-standard IdP implementations using this configuration attribute. If specified, the regex is matched against the entire "iss" value (see java.util.regex.Matcher.matches() method).
name (optional) - Application specific OP name made available to the login page. If not specified, defaults to the issuer value.
clientId (required) - The client ID associated with the web-application at the OP.
clientSecret (optional) - The client secret. Note, that most of the OPs require a client secret to make calls to the OP endpoints. However, some OPs may support public clients so no client secret is utilized.
extraAuthEndpointParams (optional) - Extra parameters added to the query string of the OP's Authorization Endpoint URL. The value is an object with keys being the parameter names and value being the parameter values.
tokenEndpointAuthMethod (optional) - Explicitly specified authentication method for the OP's Token Endpoint. Normally the authenticator will use "client_secret_basic" if the OP configuration includes a client secret and "none" if it doesn't. This property, however, allows overriding that logic and forcing a specific authentication method. For the description of the authentication methods see Client Authentication. Note, that currently "client_secret_jwt" and "private_key_jwt" methods are not supported.
configUrl (optional) - URL for the OP configuration document. If not specified, the URL is automatically constructed from the issuer ID using the process defined in OpenID Connect Discovery. However, some non-standard OPs may have their configuration document at a different location. This property allows configuring such non-standard OPs. The deprecated (and still supported) name of this property is configurationDocumentUrl.
usernameClaim (optional) - Claim in the ID Token used as the username in the Realm. The default is sub, which is the ID of the user known to the OP. Often, however, claims such as email are more convenient to use as usernames. To use properties in nested objects in the ID Token, the usernameClaim supports the dot notaion.
additionalScopes (optional) - Space-separated list of scopes to add to the openid scope, always included, for the OP's Authorization Endpoint. For example, if email claim is used as the username, the email scope can be added (email claim is normally not included in the ID Token unless explicitly requested as part of the email, profile or similar scope at the Authorization Endpoint).
endpointHttpConnectTimeout (optional) - HTTP connection timeout in milliseconds for the OP endpoints. If unspecified, the httpConnectTimeout valve attribute is used.
endpointHttpReadTimeout (optional) - HTTP read timeout in milliseconds for the OP endpoints. If unspecified, the httpReadTimeout valve attribute is used.
configHttpConnectTimeout (optional) - HTTP timeout in milliseconds for connecting to the OP configuration document URL (see configUrl property). If unspecified, the httpConnectTimeout valve attribute is used.
configHttpReadTimeout (optional) - HTTP timeout in
$ claude mcp add tomcat-oidcauth \
-- python -m otcore.mcp_server <graph>