OIDC Configuration for Securing HATS Web Application

OpenID Connect (OIDC) is an authentication protocol built on top of OAuth 2.0, providing a standardized and secure method for verifying user identities in web applications. Web applications like HATS can be registered with the OIDC provider by sharing information such as the application URL, redirect URL, etc. When a user opens the HATS URL, they are presented with the OIDC provider's login page, where they must provide credentials as configured (e.g., LDAP, Gmail). After a successful login, the OIDC provider shares details like user claims, tokens, etc.

The OIDC Configuration panel shown below allows users to enable and set up OIDC for secure authentication for the HATS application (WEB ONLY). After selecting "Enable OIDC," the user must enter the required parameters: Client ID, Client Secret, Issuer URL, Redirect URL, and Scope.

These values are essential and must precisely match the configuration details provided by the Identity Provider (IdP) to ensure successful authentication flows and proper callback processing within the HATS application. Consult with your IdP team to correctly obtain these values.

To enable OpenID Connect (OIDC), navigate to the HATS project settings. In the "Other" tab, locate and click "OIDC Configuration," and then enable the OIDC feature.

Client ID

A unique identifier assigned to the HATS application by the Identity Provider (IdP). The IdP uses it to recognize the application during the authentication process.

Client Secret

A confidential value generated by the Identity Provider and shared only with the application. It is used together with the Client ID to authenticate the HATS application when exchanging authorization codes for tokens.

Issuer URL

The base URL of the Identity Provider that issues OIDC tokens. The HATS application uses this URL to validate tokens and to discover the IdP’s authorization, token, and public key (JWKS) endpoints. E.g. https://<identity.yourcompany.com/oauth2/default>

Redirect URL
The callback URL to which the Identity Provider redirects the user after successful authentication. This URL must exactly match the redirect URI registered with the IdP to ensure a valid and secure authentication flow. E.g. https://<myhatsapp.com>/callback
Note:
The/callback path is a dedicated handler provided by the HATS application to process the authentication response.
Scope

A space-separated list of permissions or claims requested from the Identity Provider. Common scopes include openid, profile, and email, which determine the user information included in the ID token.

Note:
HATS provides a filter OIDCAuthFilter and a callback servlet OIDCCallback to perform the OIDC-based authentication. OIDCAUTHFilter is responsible for initiating the OIDC authentication flow. OIDCCallback processes the response after the successful authentication and authorization process has been completed. These filter and callback entries are available in the web.xml. In case you wish to override these configurations with your own implementation:
  1. Disable the ‘Enable OIDC’ checkbox.
  2. Verify the filter OIDCAuthFilter and servlet OIDCCallback are disabled in web.xml.
Note:
To deploy and run an OIDC-enabled HATS application on the Websphere application server(WAS), create a HATS project by selecting Web server target as WAS and export the HATS project as an EAR file and install it using the WAS Administrative Console.

After installing the application on WAS, make the following changes in the HATS application configuration:

Application-level class loader settings:

  1. Log in to the WebSphere Integrated Solutions Console (ISC)

  2. Navigate to Applications → Application Types → WebSphere enterprise applications.

  3. Select your application ( the HATS EAR).
  4. Click Class loading and update detection
  5. Set the following options

    Class loader order: Classes loaded with local class loader first (Parent Last)

    Class loader mode: Single class loader for application



  6. Save the configuration and restart the EAR.