Tags: openid-connect, open-liberty

Why are the endpoint URLs in the OpenLiberty (OpenID Connect server) discovery URL response not HTTPS?


I have created an OpenLiberty server with an OpenID Connect provider configuration. server.xml extract:

    <httpEndpoint host="example.net"
        httpPort="80" httpsPort="9443" id="defaultHttpEndpoint" />

    <oauth-roles>
        <authenticated>
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </authenticated>
    </oauth-roles>

    <openidConnectProvider id="OP"
        oauthProviderRef="Oauth" signatureAlgorithm="RS256"
        keyStoreRef="defaultKeyStore" keyAliasName="default"
        issuerIdentifier="https://example.net/oidc/endpoint/OP">
        <scopeToClaimMap mail="mail"
            profile="name, given_name, carLicense, preferredLanguage" />
        <claimToUserRegistryMap given_name="givenName"
            name="sn" mail="mail" preferredLanguage="preferredLanguage"
            carLicense="carLicense" />
    </openidConnectProvider>

    <oauthProvider accessTokenLifetime="300s" id="Oauth"
        httpsRequired="false"
        customLoginURL="https://example.net/oidc/login.jsp">
        <localStore>
        </localStore>
    </oauthProvider>

After the server starts, when I access the discovery endpoint URL https://example.net/oidc/endpoint/OP/.well-known/openid-configuration I get this

Response:

    {"introspection_endpoint":"http://example.net/oidc/endpoint/OP/introspect",
     "coverage_map_endpoint":"http://example.net/oidc/endpoint/OP/coverage_map",
     ...
    }

Whereas on localhost, at https://localhost:9443/oidc/endpoint/OP/.well-known/openid-configuration, I am getting

    {"introspection_endpoint":"https://localhost:9443/oidc/endpoint/OP/introspect",
     "coverage_map_endpoint":"https://localhost:9443/oidc/endpoint/OP/coverage_map",
     ...
    }

Does anyone have any idea why I am not getting HTTPS-based endpoint URLs from example.net?


Solution

  • You're not listening on port 443, so this URL might be in error: https://example.net/oidc/endpoint/OP/.well-known/openid-configuration, since it would require listening on 443. Or maybe you are passing through some sort of proxy that forwards to Liberty on HTTP.

    When accessed over HTTP like this, http://example.net/oidc/endpoint/OP/.well-known/openid-configuration, that will return HTTP endpoints since your configuration has httpsRequired=false. You can set that to true to disallow HTTP communication.
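A relying-party-side check for the symptom discussed above, added here as an example and not code from the question or from Open Liberty: it parses a discovery document and reports every endpoint that is not served over HTTPS, any endpoint whose host differs from the issuer's, and an issuer that does not match the configured issuerIdentifier. The two JSON documents are constructed samples modelled on the responses in the question; the key names are standard OpenID Discovery keys, and the exact paths are assumed.

```python
import json
from urllib.parse import urlparse

# Constructed sample: what the question reports from example.net when the
# provider runs with httpsRequired="false" and is reached over plain HTTP.
EXAMPLE_NET_DOC = json.dumps({
    "issuer": "https://example.net/oidc/endpoint/OP",
    "authorization_endpoint": "http://example.net/oidc/endpoint/OP/authorize",
    "token_endpoint": "http://example.net/oidc/endpoint/OP/token",
    "introspection_endpoint": "http://example.net/oidc/endpoint/OP/introspect",
    "jwks_uri": "http://example.net/oidc/endpoint/OP/jwk",
})

# Constructed sample: the localhost response, where every URL is HTTPS.
LOCALHOST_DOC = json.dumps({
    "issuer": "https://localhost:9443/oidc/endpoint/OP",
    "authorization_endpoint": "https://localhost:9443/oidc/endpoint/OP/authorize",
    "token_endpoint": "https://localhost:9443/oidc/endpoint/OP/token",
    "introspection_endpoint": "https://localhost:9443/oidc/endpoint/OP/introspect",
    "jwks_uri": "https://localhost:9443/oidc/endpoint/OP/jwk",
})


def check_discovery(raw_json, expected_issuer):
    """Return a list of findings for an OpenID Provider discovery document.

    Checks that the issuer equals the value the client was configured with
    (the issuerIdentifier in server.xml) and that every *_endpoint and the
    jwks_uri use https and live on the issuer's host. An empty list means
    the document passed.
    """
    doc = json.loads(raw_json)
    findings = []
    issuer = doc.get("issuer")
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")
    issuer_host = urlparse(expected_issuer).hostname
    for key, value in doc.items():
        if not (key.endswith("_endpoint") or key == "jwks_uri"):
            continue
        url = urlparse(value)
        if url.scheme != "https":
            findings.append(f"{key} is not https: {value}")
        if url.hostname != issuer_host:
            findings.append(f"{key} host {url.hostname!r} differs from issuer host {issuer_host!r}")
    return findings
```

Running it against a live provider is a matter of passing the body of the .well-known/openid-configuration response as raw_json; a client should refuse to proceed with a non-empty findings list rather than talk to an HTTP token endpoint.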