Version: 5.1.0

How to connect a custom OpenID provider to Workflow Server

Important

To work on localhost, use the Mozilla Firefox browser. This is due to the cookie policy for localhost.

Overview

Workflow Server supports external authentication through OpenID together with the built-in Identity Server provider. OpenID enables secure authentication by using an existing account to sign in to multiple applications without needing to create new passwords. When implementing OpenID, the user credentials are only given to the identity provider, and that provider then confirms the identity data to the applications that are visited.

The OpenID Connect (OIDC) authentication protocol, which extends OAuth 2.0 with an identity layer, allows clients to confirm an end user's identity based on authentication performed by an authorization server. It enables several kinds of clients, including web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end users. The specification is extensible, so optional features such as encryption of identity data, discovery of OpenID Providers, session management and so on can be used.

[Figure: WFS OpenID scheme]

Once the request is processed, the client receives an access token and an ID token issued by the authorization server; the ID token contains claims that carry information about the user. The client can then contact a dedicated endpoint on the authorization server, known as the UserInfo endpoint, to receive the remaining claims about the user.

In this article, the free IdentityServer4 with an administrative panel is used as the OpenID server. This OpenID server is called "Kratos" and is available at http://localhost:5000.

Identity Server settings

Identity Server is an open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core that incorporates all the protocol implementations required to integrate token-based authentication, Single Sign-On and API access control into applications. Detailed information regarding the project can be read here.

Some options must be defined to register Workflow Server as a client application. They can be set in the AdminUI management tool that Identity Server provides. This section describes the steps to follow.

  1. First, check that the latest .NET Core 3.1 SDK is installed. Otherwise, it can be downloaded here.
  2. The IdentityServer4 template packages should be installed by using the dotnet command.
  3. Install the packages by entering the following in the command prompt:
    dotnet new --install IdentityServer4.Templates
  4. Afterward, install the AdminUI:
    dotnet new is4admin
  5. Next, execute the command:
    dotnet run
  6. The web-based administration interface for users, claims, clients and resources is now available. In the browser, open: http://localhost:5000/admin.
  7. After clicking the 'Start' button, add a user in the 'Users' tab. Fill out the fields First name, Last name, username, email and password, and save the data.
  8. In addition, assign the AdminUI Administrator role in the 'Roles' tab.
  9. Workflow Server must be registered as a client application, so add a new client in the 'Client' tab. Complete the required fields: client ID, display name, display URL and description. Then click 'Next' and enter the Callback URL as follows: http://localhost:8077/signin-oidc-kratos.
  10. Subsequently, add the logout URL: http://localhost:8077/login. All the required application URLs must be set properly.
  11. Select the identity resources to which the Workflow Server client will be granted access: profile and openid. Next, the protected resources will appear: admin_api, admin_ui_public, admin_ui_webhooks. Finally, save the data.
  12. Check the 'Application URLs' tab of the Workflow Server client and verify that the required application URLs were set accordingly. In addition, the option 'Always Include User Claims In Id Token' must be enabled through the 'Advanced' tab -> 'Tokens'.

OpenID configuration in Workflow Server

The main steps that should be considered to set this service in Workflow Server are described as follows:

  1. First, clone the Workflow Server GitHub repository from this link.
  2. Create a database. Detailed instructions regarding this topic can be read here.
  3. Initialize the database with the scripts located in the InitialScripts directory.
  4. The custom provider must be registered, so the file Program.cs in the Workflow Server project has to be modified. Sample code for adding a custom OpenID provider is included below:
    workflowServer.RegisterOpenIdConnectProviders(authBuilder =>
    {
        // "Kratos" is both the scheme name and the caption of the login button
        authBuilder.AddOpenIdConnect("Kratos", "Kratos", options =>
        {
            // Store the external login result in IdentityServer's external cookie
            options.SignInScheme = IdentityServer4.IdentityServerConstants.ExternalCookieAuthenticationScheme;
            // Client ID registered for Workflow Server in the AdminUI
            options.ClientId = "wfs";
            options.ClientSecret = "none";
            // Base URL of the "Kratos" provider; the discovery document is fetched from here
            options.Authority = "http://localhost:5000";
            // this is for HTTP only, remove next line for HTTPS
            options.RequireHttpsMetadata = false;
            // Must match the Callback URL entered for the client in the AdminUI
            options.CallbackPath = "/signin-oidc-kratos";
            // Authorization code flow
            options.ResponseType = "code";
            options.SaveTokens = true;
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            // Issuer validation is switched off for this local setup; keep it enabled outside development
            options.TokenValidationParameters.ValidateIssuer = false;
            // Use the "name" claim of the ID token as the user name in Workflow Server
            options.TokenValidationParameters.NameClaimType = "name";
        });
    });
  5. Then, the project can be launched by running WorkflowServer.sln.
  6. Restrict access in the Workflow Server Admin panel to OpenID Connect. Go to the 'Settings' section, 'Security' tab, and in 'Access' choose 'Type' -> 'OpenId Connect'; then set the Administrator login and Administrator Password. Click the 'Save' button.
  7. In a browser window, open http://localhost:8077.
  8. Check that the Kratos authentication button has been added to the login form.
  9. Next, the site redirects to the IdentityServer4 login page, where the user credentials and the role defined through the AdminUI (the user and configuration management tool for IdentityServer) are used.
  10. Once authentication is completed, access to Workflow Server is granted according to the credentials given in IdentityServer4, and the user's external account information is available in the 'Users' section by clicking on the user record.
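The ID token described above is accepted by the ASP.NET Core handler only after its claims pass the OIDC Core checks that TokenValidationParameters controls (issuer, audience, expiry, nonce). The following is an added illustration, not code from Workflow Server or IdentityServer4: it applies those checks in Python to a constructed token so the effect of the sample's ValidateIssuer = false is visible. Signature verification is assumed to have been done already, as the handler does it with the keys from the provider's discovery document.

```python
import base64
import json
import time

# Values the page's Program.cs sample configures for the "Kratos" provider.
AUTHORITY = "http://localhost:5000"   # options.Authority
CLIENT_ID = "wfs"                     # options.ClientId


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def validate_id_token_claims(claims, expected_nonce, now=None, validate_issuer=True):
    """Apply the OIDC Core ID token checks that TokenValidationParameters controls.
    Assumes the signature was already verified. Returns a list of failure
    reasons; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if validate_issuer and claims.get("iss") != AUTHORITY:
        problems.append("iss mismatch")          # the check ValidateIssuer = false skips
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        problems.append("aud does not contain client_id")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        problems.append("multiple audiences without matching azp")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        problems.append("exp missing or in the past")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    return problems


def make_test_token(claims: dict) -> str:
    """Constructed test token: header and payload only, with an empty signature part."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."
```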
Tip

Keep in mind that an access profile can be assigned to a user in Workflow Server in the 'Users' section. Besides, internal login information may also be added for a user.