Authorization and OpenID SSO

Authorize whether an user already authenticated by OpenID SSO can access a Genero application.

The GAS must be configured for OpenID Single sign-on (SSO). See Configure GAS for OpenID SSO.

With the Genero OpenID implementation, you can add an external program to determine whether an already authenticated user can access a Genero Web application.

This external program can be written in Genero or in another programming language.

The authorization program expects two mandatory arguments and the list of OpenID attributes received from the OpenID provider:

access-program openid-userid app-xcf-path [ attribute value [...] ]

The first argument is the OpenID identifier.
The second argument is the application path.
Next arguments are optional and define OpenID attributes/value pairs.

Example with a Genero authorization program:

fglrun AccessProgram
       "genero-user.pip.verisignlabs.com" \
       "qa-test/application" \
       "fullname" "genero test" \
       "email" "genero@4js.com" \
       "country" "France"

The application AccessProgram.4gl in $FGLDIR/web_utilities/services/openid provides an example of an authorization application written in Genero.

The external program is specified in the application configuration element by adding a AUTHORIZATION element in the DELEGATE element.

If the AUTHORIZATION element is not defined, any user authenticated by an OpenID provider can access the Genero Web application. It is recommended that you add an authorization program to filter the access to your applications.

Note: The external program must be deployed beside the OpenIDServer.42r program, because it will be executed by that service program. This is by default under $FGLDIR/web_utilities/services/openid/bin.

Add an AUTHORIZATION element as a child of the OpenID DELEGATE element in the application configuration (xcf) file.

Within the AUTHORIZATION element, specify the command to execute the external authorization program.

<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/2.50/cfextwa.xsd">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="services/OpenIDServiceProvider">
      <ATTRIBUTES>email,fullname,country</ATTRIBUTES>
      <AUTHORIZATION>fglrun AccessProgram</AUTHORIZATION>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>

The authorization program will be called before access to the Web application is granted. If the authorization program exits with an error code of zero (0), then access is granted for the user. Any exit code other than zero indicates access for the user is denied. In the last case, the end user will be warned with a error page in the web browser, generated by the OpenID service.