Introduction
Single Sign-On (SSO) simplifies the user authentication process by allowing users to log in once and gain access to multiple applications. OpenID Connect is an authentication layer on top of OAuth 2.0 that facilitates SSO. In this article, we'll walk through implementing SSO authentication using OpenID Connect with LotusScript.
Prerequisites
Before diving into the code, ensure you have:
- Basic knowledge of LotusScript and HTTP requests.
- Familiarity with OpenID Connect and OAuth 2.0.
- Access to a Microsoft Azure AD tenant or another OpenID Connect provider.
Step-by-Step Implementation
1. Setting Up Your Environment
Make sure your Lotus Domino server is properly configured to handle HTTP requests and that you have access to your OpenID Connect provider's endpoints.
2. Retrieving the Access Token
The access token arrives once the user has authenticated with the provider. Most Domino developers know how to read values from the DocumentContext document (the QUERY_STRING or REQUEST_CONTENT fields). In the example below I use my own class, but you can do it in a few lines if needed. Two caveats worth keeping in mind: a bearer token passed in QUERY_STRING ends up in server logs, browser history and Referer headers, so prefer a POST body (REQUEST_CONTENT); and an access token only proves that the API will accept it, not that it was issued to your application, so when the token is handed to you by another party rather than obtained through your own authorization-code exchange, validate the accompanying ID token (issuer, audience, signature, expiry) before trusting the identity.
' web is the author's helper class around DocumentContext; any QUERY_STRING /
' REQUEST_CONTENT parser will do
Dim access_token As String
Dim token_type As String
access_token = web.GetRequestParam("access_token")
token_type = web.GetRequestParam("token_type")
3. Making API Requests
Use NotesHTTPRequest to call the provider's user-info API (here Microsoft Graph). Set the Authorization header to the token type followed by the access token:
Dim session As NotesSession
Dim http As NotesHTTPRequest
Dim jsonNav As NotesJSONNavigator
Set session = New NotesSession
Set http = session.CreateHTTPRequest()
' Return the response as a NotesJSONNavigator instead of a raw string
http.PreferJSONNavigator = True
' token_type is normally "Bearer", so the header reads "Bearer <access_token>"
Call http.SetHeaderField("Authorization", token_type & " " & access_token)
' Graph's /me returns the profile of the user the token was issued for
Set jsonNav = http.Get("https://graph.microsoft.com/v1.0/me")
4. Parsing the Response
Check the JSON response for an error object first, then extract the user's attributes:
' Error 4843 is raised when GetElementByName cannot find the element;
' resuming leaves jsonEl as Nothing, which is tested below
On Error 4843 Resume Next
Dim jsonEl As NotesJSONElement
Dim jsonObj As NotesJSONObject
Dim mail As String
Dim displayName As String
' Graph reports failures as {"error": {"code": "...", "message": "..."}}
Set jsonEl = jsonNav.GetElementByName("error")
If Not jsonEl Is Nothing Then
    Set jsonObj = jsonEl.Value
    Print |Status: 401|
    Print "<h2>Error</h2>"
    Print "<p>" & jsonObj.GetElementByName("code").Value & "</p>"
    Print "<p>" & jsonObj.GetElementByName("message").Value & "</p>"
    ' scriptLog is the author's own logging class
    Call scriptLog.LogInfo(jsonNav.Stringify())
    Exit Function
End If
' Profile attributes; note that mail is null for accounts without a mailbox
mail = jsonNav.GetElementByName("mail").Value
displayName = jsonNav.GetElementByName("displayName").Value
With the user's e-mail address (or another unique attribute) you can look the user up in your own application and complete the sign-in. Be aware that Graph returns mail as null for accounts without a mailbox, whereas userPrincipalName is always present, so fall back to it when mail is empty.
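As an added example (not the post's own code), here are steps 2 to 4 combined into one Domino web agent with the checks the fragments above leave out: the token is read from the POST body rather than the query string, the HTTP status is checked before the body is parsed, missing or null JSON elements are tolerated, mail falls back to userPrincipalName, and Graph data is HTML-escaped before being echoed. Everything beyond the post's fragments is an assumption: the body is application/x-www-form-urlencoded with access_token and token_type fields, the application keeps its own users in a view named UsersByEmail keyed by lower-case e-mail, the server is Domino 10 or later, and FormParam, JsonString and Reply are helpers written for this example.

```lotusscript
' Added example, not the original post's code. Assumptions (not from the post):
' token arrives POSTed as a URL-encoded form body; the app stores its own users
' in a view "UsersByEmail" keyed by lower-case e-mail; Domino 10+ classes.
Option Public
Option Declare

' Read one field from a URL-encoded form body; returns "" if it is absent.
Function FormParam(body As String, name As String) As String
    Dim session As New NotesSession
    Dim tmp As NotesDocument
    Dim parts As Variant
    parts = Split(body, "&")
    ForAll p In parts
        If StrLeft(p, "=") = name Then
            ' Decode via @URLDecode using a throw-away, never-saved document
            Set tmp = session.CurrentDatabase.CreateDocument()
            tmp.Raw = StrRight(p, "=")
            FormParam = Evaluate({@URLDecode("Domino"; Raw)}, tmp)(0)
            Exit Function
        End If
    End ForAll
End Function

' Return a string-valued JSON element, or "" if it is missing, null or not a string.
Function JsonString(nav As NotesJSONNavigator, name As String) As String
    Dim el As NotesJSONElement
    On Error Resume Next          ' GetElementByName raises an error when the name is absent
    Set el = nav.GetElementByName(name)
    On Error GoTo 0
    If el Is Nothing Then Exit Function
    If TypeName(el.Value) = "STRING" Then JsonString = el.Value
End Function

' Minimal HTML reply; the Status: line follows the post's convention.
' Graph-supplied text is escaped so it cannot inject markup into the page.
Sub Reply(status As Integer, msg As String)
    Dim safe As String
    safe = Replace(Replace(Replace(msg, "&", "&amp;"), "<", "&lt;"), ">", "&gt;")
    Print "Status: " & status
    Print "<p>" & safe & "</p>"
End Sub

Sub Initialize
    On Error GoTo Fail
    Dim session As New NotesSession
    Dim ctx As NotesDocument
    Set ctx = session.DocumentContext

    ' Take the token from the POST body (REQUEST_CONTENT), not QUERY_STRING,
    ' so it stays out of server logs, browser history and Referer headers.
    Dim body As String, accessToken As String, tokenType As String
    body = ctx.GetItemValue("REQUEST_CONTENT")(0)
    accessToken = FormParam(body, "access_token")
    tokenType = FormParam(body, "token_type")
    If accessToken = "" Or LCase(tokenType) <> "bearer" Then
        Call Reply(400, "missing or non-bearer token")
        Exit Sub
    End If

    ' Ask Graph which user the token belongs to.
    Dim http As NotesHTTPRequest, nav As NotesJSONNavigator
    Set http = session.CreateHTTPRequest()
    http.PreferJSONNavigator = True
    Call http.SetHeaderField("Authorization", "Bearer " & accessToken)
    Set nav = http.Get("https://graph.microsoft.com/v1.0/me")

    ' Fail closed on anything but 200. If Get itself raises on a rejected
    ' token, the Fail handler below answers 500 instead of signing anyone in.
    If http.ResponseCode <> 200 Then
        Call Reply(401, "graph rejected the token: " & http.ResponseCode)
        Exit Sub
    End If

    ' "mail" is null for accounts without a mailbox; userPrincipalName always exists.
    Dim mail As String, displayName As String
    mail = JsonString(nav, "mail")
    If mail = "" Then mail = JsonString(nav, "userPrincipalName")
    displayName = JsonString(nav, "displayName")
    If mail = "" Then
        Call Reply(401, "no usable identity in Graph response")
        Exit Sub
    End If

    ' Look the person up in the application's own user store (assumed view name).
    Dim users As NotesView, user As NotesDocument
    Set users = session.CurrentDatabase.GetView("UsersByEmail")
    Set user = users.GetDocumentByKey(LCase(mail), True)
    If user Is Nothing Then
        Call Reply(403, mail & " is not registered in this application")
        Exit Sub
    End If
    Call Reply(200, "signed in as " & displayName & " <" & mail & ">")
    Exit Sub
Fail:
    Call Reply(500, "unexpected error " & Err & ": " & Error$)
    Exit Sub
End Sub
```

The agent stops short of issuing the application's own session, which is the part that depends on how your app tracks logged-in users; the point of the example is that every path that is not a verified, registered user ends in an explicit non-200 reply rather than falling through.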
Conclusion
In my case, I have a web application written in Domino where users can register and sign in without using names.nsf.
This approach allows for seamless authentication using OpenID, bypassing the traditional Domino authentication model.
While this solution does not allow users to authenticate directly with Domino, it is still a significant step in that direction. By integrating OpenID Connect, we are moving closer to a more flexible authentication model that can eventually be expanded to support Domino authentication.
2 comments:
How do you get the user to authenticate so the web app can get the access token?
Hi Fredrik,
The auth process starts on the Service Provider side, and it sends requests to Domino with the tokens.