Authorize an authenticated OpenID Connect user

Authorize whether a user already authenticated by OpenID Connect SSO can access a Genero application.

The Genero Application Server must be configured for OpenID Connect Single sign-on (SSO). See Configure GAS for OpenID Connect SSO.

You may need to restricted access to certain applications or to certain specific email addresses; otherwise any user authenticated by an OpenID Connect provider can access your Genero Web application. It is therefore recommended that you add an authorization program to filter access to your applications.

This external program can be written in Genero or in another programming language. The application AccessProgram.4gl in $FGLDIR/web_utilities/services/openid-connect provides an example of an authorization application written in Genero.

Note: The external program must be deployed beside the OpenIDConnectServer.42r program, because it will be executed by that service program. This is by default under $FGLDIR/web_utilities/services/openid-connect/bin.

The authorization program expects two mandatory arguments and the list of OpenID Connect attributes received from the OpenID Connect provider:

access-program oidc-userid app-xcf-path [ attribute value [...] ]

oidc-userid: the first argument is the OpenID Connect identifier (typically an opaque value returned by the IdP)
app-xcf-path: the second argument is the application path.
The next arguments are optional and define OpenID attributes/value pairs.

Example with a Genero authorization program:

fglrun AccessProgram
       "101516043183449889392" \ 
       "qa-test/application" \
       "fullname" "genero test" \
       "email" "genero@4js.com" \
       "country" "France"

The external authorization program is specified in the application configuration element by adding an AUTHORIZATION element in the DELEGATE element.

Add an AUTHORIZATION element as a child of the DELEGATE element in the application configuration (xcf) file.

Within the AUTHORIZATION element, specify the command to execute the external authorization program.

<?xml version="1.0"?>
<APPLICATION Parent="defaultgwc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:noNamespaceSchemaLocation="http://www.4js.com/ns/gas/3.21/cfextwa.xsd">
  <EXECUTION>
    <PATH>$(res.path.qa)/applications/myapp</PATH>
    <MODULE>App.42r</MODULE>
    <DELEGATE service="services/OpenIDConnectServiceProvider">
        <IDP>https://accounts.google.com</IDP>        
        <SCOPE>email</SCOPE>        
        <CLIENT_PUBLIC_ID>XXXXXXXX.apps.googleusercontent.com</CLIENT_PUBLIC_ID>
        <CLIENT_SECRET_ID>XXXXXX-XXXXXX</CLIENT_SECRET_ID>     
        <AUTHORIZATION>fglrun AccessProgram</AUTHORIZATION>
    </DELEGATE>
  </EXECUTION>
</APPLICATION>

The authorization program will be called before access to the Web application is granted. If the authorization program exits with an error code of zero (0), then access is granted for the user. Any exit code other than zero indicates access for the user is denied. In the latter case, the end user will be warned with an error page in the web browser, generated by the OpenID Connect service.