From e9d6392b0eb754915e71d08d8838308c839b3e1d Mon Sep 17 00:00:00 2001 From: dmuelle Date: Wed, 7 Feb 2024 17:59:02 +0000 Subject: [PATCH 01/10] 24.0.0.2-beta --- posts/2024-02-13-24.0.0.2-beta.adoc | 248 ++++++++++++++++++++++++++++ 1 file changed, 248 insertions(+) create mode 100644 posts/2024-02-13-24.0.0.2-beta.adoc diff --git a/posts/2024-02-13-24.0.0.2-beta.adoc b/posts/2024-02-13-24.0.0.2-beta.adoc new file mode 100644 index 000000000..2e1021357 --- /dev/null +++ b/posts/2024-02-13-24.0.0.2-beta.adoc 
@@ -0,0 +1,248 @@ +--- +layout: post +title: "TITLE" +# Do NOT change the categories section +categories: blog +author_picture: https://avatars3.githubusercontent.com/dmuelle +author_github: https://github.com/dmuelle +seo-title: TITLE - makes sure it ends with - OpenLiberty.io +seo-description: DESCRIPTION +blog_description: DESCRIPTION +open-graph-image: https://openliberty.io/img/twitter_card.jpg +open-graph-image-alt: Open Liberty Logo +--- += TITLE +David Mueller +:imagesdir: / +:url-prefix: +:url-about: / +//Blank line here is necessary before starting the body of the post. + +// // // // // // // // +// In the preceding section: +// Do not insert any blank lines between any of the lines. +// Do not remove or edit the variables on the lines beneath the author name. +// +// "open-graph-image" is set to OL logo. Whenever possible update this to a more appropriate/specific image (For example if present an image that is being used in the post). However, it +// can be left empty which will set it to the default +// +// "open-graph-image-alt" is a description of what is in the image (not a caption). When changing "open-graph-image" to +// a custom picture, you must provide a custom string for "open-graph-image-alt". +// +// Replace TITLE with the blog post title eg: MicroProfile 3.3 is now available on Open Liberty 20.0.0.4 +// Replace dmuelle with your GitHub username eg: lauracowen +// Replace DESCRIPTION with a short summary (~60 words) of the release (a more succinct version of the first paragraph of the post). +// Replace David Mueller with your name as you'd like it to be displayed, +// eg: LauraCowen +// +// For every link starting with "https://openliberty.io" in the post make sure to use +// {url-prefix}. 
e.g- link:{url-prefix}/guides/GUIDENAME[GUIDENAME]: +// +// If adding image into the post add : +// ------------------------- +// [.img_border_light] +// image::img/blog/FILE_NAME[IMAGE CAPTION ,width=70%,align="center"] +// ------------------------- +// "[.img_border_light]" = This adds a faint grey border around the image to make its edges sharper. Use it around screenshots but not +// around diagrams. Then double check how it looks. +// There is also a "[.img_border_dark]" class which tends to work best with screenshots that are taken on dark backgrounds. +// Change "FILE_NAME" to the name of the image file. Also make sure to put the image into the right folder which is: img/blog +// change the "IMAGE CAPTION" to a couple words of what the image is +// // // // // // // // + +BETA_RELEASE_SUMMARY + +// // // // // // // // +// Change the RELEASE_SUMMARY to an introductory paragraph. This sentence is really +// important because it is supposed to grab the readers attention. Make sure to keep the blank lines +// +// Throughout the doc, replace 24.0.0.2-beta with the version number of Open Liberty, eg: 22.0.0.2-beta +// // // // // // // // + +The link:{url-about}[Open Liberty] 24.0.0.2-beta includes the following beta features (along with link:{url-prefix}/docs/latest/reference/feature/feature-overview.html[all GA features]): + +* <> + +// // // // // // // // +// In the preceding section: +// Change SUB_FEATURE_TITLE to the feature that is included in this release and +// change the SUB_TAG_1/2/3 to the heading tags +// +// However if there's only 1 new feature, delete the previous section and change it to the following sentence: +// "The link:{url-about}[Open Liberty] 24.0.0.2-beta includes SUB_FEATURE_TITLE" +// // // // // // // // + +See also link:{url-prefix}/blog/?search=beta&key=tag[previous Open Liberty beta blog posts]. 
+ +// // // // DO NOT MODIFY THIS COMMENT BLOCK // // // // +// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/27362 +// Contact/Reviewer: jimmy1wu +// // // // // // // // +[#SUB_TAG_0] +== Back-channel logout support for OpenID Connect clients and servers + +1. Which Liberty feature(s) does your update relate to? + + Human-readable name (eg WebSockets feature): OpenID Connect Client 1.0, Social Media Login 1.0, OpenID Connect Server 1.0 + + Short feature name (eg websockets-1.0): openidConnectClient-1.0, socialLogin-1.0, openidConnectServer-1.0 + + + + + +2. Who is the target persona? Who do you expect to use the update? eg application developer, operations. + Server admins + + + + +3. Provide a summary of the update, including the following points: + + - A sentence or two that introduces the update to someone new to the general technology/concept. + + - What was the problem before and how does your update make their life better? (Why should they care?) + + - Briefly explain how to make your update work. Include screenshots, diagrams, and/or code snippets, and provide a `server.xml` snippet. + + - Where can they find out more about this specific update (eg Open Liberty docs, Javadoc) and/or the wider technology? + +OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so a local logout can also be performed for that user in each OpenID Connect client. Previously, OpenID Connect servers were only able to notify OpenID Connect clients that a user logged out by using iframes embedded in the OpenID Connect client's web page. This meant that a web page must be active for this communication to occur or else the OpenID Connect client would not be notified of the logout that occurred at the OpenID Connect server. 
Back-channel logout solves this problem through direct communication between the OpenID Connect server and clients. + +With this release, back-channel logout is enabled by default when the OpenID Connect Client and Social Media Login features are used. The back-channel logout endpoints can be found at `/oidcclient/backchannel_logout/{clientId}` and `/ibm/api/social-login/backchannel_logout/{clientId}` for those features respectively. + +To enable back-channel logout for OpenID Connect servers, the OpenID Connect client's back-channel logout URI must be specified when dynamically registering the OAuth client by using the `backchannel_logout_uri` metadata value, or by using the `backchannelLogoutUri` attribute for OAuth clients defined in a `localStore`. Additionally, the OpenID Connect server will wait a default of 180 seconds before the back-channel logout request times out, but this duration can also be specified using the `backchannelLogoutRequestTimeout` attribute. An example `server.xml` is shown here demonstrating how to specify the back-channel logout URI that an OpenID Connect server should use to make back-channel logout requests with a timeout of 60 seconds. + +``` + + openidConnectServer-1.0 + + +... + + + + + + + + +``` + +Now, when the OpenID Connect server's logout or end_session endpoint is invoked, the OpenID Connect server will also send back-channel logout requests to log the user out at the OpenID Connect clients as well. The OpenID Connect server's logout endpoint can be found at `/oidc/endpoint/{oidcProviderId}/logout` and the end_session endpoint can be found at `/oidc/endpoint/{oidcProviderId}/end_session`. Optionally, an `id_token_hint` containing an ID Token issued by that OpenID Connect server can be added to the endpoint request as a query parameter to help determine the user to log out. This is useful in scenarios where the logout or end_session request is made without the user's OpenID Connect server SSO cookie. 
Additionally, if the OpenID Connect server is configured with a SAML Identity Provider, a logout at the SAML Identity Provider will also trigger the OpenID Connect server to send back-channel logout requests to the OpenID Connect clients. + +For more information about the Open Liberty configuration options, see: +- link:https://openliberty.io/docs/latest/reference/config/openidConnectClient.html[openidConnectClient] +- link:https://openliberty.io/docs/latest/reference/config/oidcLogin.html[oidcLogin] +- link:https://openliberty.io/docs/latest/reference/config/openidConnectProvider.html#oauthProvider[openidConnectProvider] + +For more information about the back-channel logout specification, see link:https://openid.net/specs/openid-connect-backchannel-1_0.html[OpenID Connect Back-Channel Logout 1.0]. + + +// DO NOT MODIFY THIS LINE. + + + +To enable the new beta features in your app, add them to your `server.xml`: + +[source, xml] +---- + +---- + +[#run] +=== Try it now + +To try out these features, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE XX, Java SE 17, Java SE 11, and Java SE 8. +// // // // // // // // +// In the preceding section: +// Check if a new non-LTS Java SE version is supported that needs to be added to the list (17, 11, and 8 are LTS and will remain for a while) +// https://openliberty.io/docs/latest/java-se.html +// // // // // // // // + +If you're using link:{url-prefix}/guides/maven-intro.html[Maven], you can install the All Beta Features package using: + +[source,xml] +---- + + io.openliberty.tools + liberty-maven-plugin + 3.8.2 + + + io.openliberty.beta + openliberty-runtime + 24.0.0.2-beta + zip + + + +---- + +You must also add dependencies to your pom.xml file for the beta version of the APIs that are associated with the beta features that you want to try. 
For example, for Jakarta EE 10 and MicroProfile 6, you would include: +[source,xml] +---- + + org.eclipse.microprofile + microprofile + 6.0-RC3 + pom + provided + + + jakarta.platform + jakarta.jakartaee-api + 10.0.0 + provided + +---- + +Or for link:{url-prefix}/guides/gradle-intro.html[Gradle]: + +[source,gradle] +---- +buildscript { + repositories { + mavenCentral() + } + dependencies { + classpath 'io.openliberty.tools:liberty-gradle-plugin:3.6.2' + } +} +apply plugin: 'liberty' +dependencies { + libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[24.0.0.2-beta,)' +} +---- +// // // // // // // // +// In the preceding section: +// Replace the Maven `3.8.2` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-maven-plugin +// Replace the Gradle `3.6.2` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-gradle-plugin +// TODO: Update GHA to automatically do the above. If the maven.org is problematic, then could fallback to using the GH Releases for the plugins +// // // // // // // // + +Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]: + +[source] +---- +FROM icr.io/appcafe/open-liberty:beta +---- + +Or take a look at our link:{url-prefix}/downloads/#runtime_betas[Downloads page]. + +If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE. 
+ +For more information on using a beta release, refer to the link:{url-prefix}docs/latest/installing-open-liberty-betas.html[Installing Open Liberty beta releases] documentation. + +[#feedback] +== We welcome your feedback + +Let us know what you think on link:https://groups.io/g/openliberty[our mailing list]. If you hit a problem, link:https://stackoverflow.com/questions/tagged/open-liberty[post a question on StackOverflow]. If you hit a bug, link:https://github.com/OpenLiberty/open-liberty/issues[please raise an issue]. + + From 4ba5e4522a2907485365f744c2ff369a56cdfd56 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Wed, 7 Feb 2024 15:07:10 -0500 Subject: [PATCH 02/10] edits --- posts/2024-02-13-24.0.0.2-beta.adoc | 220 +++++++++------------------- 1 file changed, 73 insertions(+), 147 deletions(-) diff --git a/posts/2024-02-13-24.0.0.2-beta.adoc b/posts/2024-02-13-24.0.0.2-beta.adoc index 2e1021357..957acf747 100644 --- a/posts/2024-02-13-24.0.0.2-beta.adoc +++ b/posts/2024-02-13-24.0.0.2-beta.adoc 
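Review bot: the committed file still carries the template scaffolding that has to be resolved before the post can be reviewed for content: `title: "TITLE"`, `seo-description: DESCRIPTION`, `blog_description: DESCRIPTION`, `BETA_RELEASE_SUMMARY`, the `[#SUB_TAG_0]` anchor, `Java SE XX`, and the three template questions (`1. Which Liberty feature(s) does your update relate to?` and following) left in place above the real feature description. Two smaller points in the same file: the `server.xml` example is fenced with ``` while every other listing uses `[source,xml]` and `----`, and the three `For more information` links use absolute `https://openliberty.io/docs/...` URLs even though the template comment above them says to write such links with `{url-prefix}`.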
@@ -1,179 +1,110 @@ --- layout: post -title: "TITLE" +title: "Back-channel logout support for OpenID Connect clients and servers in 24.0.0.2-beta" # Do NOT change the categories section categories: blog author_picture: https://avatars3.githubusercontent.com/dmuelle author_github: https://github.com/dmuelle -seo-title: TITLE - makes sure it ends with - OpenLiberty.io -seo-description: DESCRIPTION -blog_description: DESCRIPTION +seo-title: Back-channel logout support for OpenID Connect clients and servers in 24.0.0.2-beta - OpenLiberty.io +seo-description: OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so each OpenID Connect client can also log the user out locally +blog_description: OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so each OpenID Connect client can also log the user out locally open-graph-image: https://openliberty.io/img/twitter_card.jpg open-graph-image-alt: Open Liberty Logo --- -= TITLE += Back-channel logout support for OpenID Connect clients and servers in 24.0.0.2-beta David Mueller :imagesdir: / :url-prefix: :url-about: / -//Blank line here is necessary before starting the body of the post. +//Blank line here is necessary before starting the body of the post -// // // // // // // // -// In the preceding section: -// Do not insert any blank lines between any of the lines. -// Do not remove or edit the variables on the lines beneath the author name. -// -// "open-graph-image" is set to OL logo. Whenever possible update this to a more appropriate/specific image (For example if present an image that is being used in the post). 
However, it -// can be left empty which will set it to the default -// -// "open-graph-image-alt" is a description of what is in the image (not a caption). When changing "open-graph-image" to -// a custom picture, you must provide a custom string for "open-graph-image-alt". -// -// Replace TITLE with the blog post title eg: MicroProfile 3.3 is now available on Open Liberty 20.0.0.4 -// Replace dmuelle with your GitHub username eg: lauracowen -// Replace DESCRIPTION with a short summary (~60 words) of the release (a more succinct version of the first paragraph of the post). -// Replace David Mueller with your name as you'd like it to be displayed, -// eg: LauraCowen -// -// For every link starting with "https://openliberty.io" in the post make sure to use -// {url-prefix}. e.g- link:{url-prefix}/guides/GUIDENAME[GUIDENAME]: -// -// If adding image into the post add : -// ------------------------- -// [.img_border_light] -// image::img/blog/FILE_NAME[IMAGE CAPTION ,width=70%,align="center"] -// ------------------------- -// "[.img_border_light]" = This adds a faint grey border around the image to make its edges sharper. Use it around screenshots but not -// around diagrams. Then double check how it looks. -// There is also a "[.img_border_dark]" class which tends to work best with screenshots that are taken on dark backgrounds. -// Change "FILE_NAME" to the name of the image file. Also make sure to put the image into the right folder which is: img/blog -// change the "IMAGE CAPTION" to a couple words of what the image is -// // // // // // // // +OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so each OpenID Connect client can also log the user out locally. -BETA_RELEASE_SUMMARY +See also link:{url-prefix}/blog/?search=beta&key=tag[previous Open Liberty beta blog posts]. 
-// // // // // // // // -// Change the RELEASE_SUMMARY to an introductory paragraph. This sentence is really -// important because it is supposed to grab the readers attention. Make sure to keep the blank lines -// -// Throughout the doc, replace 24.0.0.2-beta with the version number of Open Liberty, eg: 22.0.0.2-beta +// // // // DO NOT MODIFY THIS COMMENT BLOCK // // // // +// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/27362 +// Contact/Reviewer: jimmy1wu // // // // // // // // -The link:{url-about}[Open Liberty] 24.0.0.2-beta includes the following beta features (along with link:{url-prefix}/docs/latest/reference/feature/feature-overview.html[all GA features]): +Previously, OpenID Connect servers could notify OpenID Connect clients that a user logged out only by using iframes that were embedded in the OpenID Connect client's web page. If the web page wasn't active, the OpenID Connect client wasn't notified of the logout that occurred on the OpenID Connect server. Back-channel logout solves this problem through direct communication between the OpenID Connect server and clients. -* <> +== Back-channel logout for OpenID Connect clients -// // // // // // // // -// In the preceding section: -// Change SUB_FEATURE_TITLE to the feature that is included in this release and -// change the SUB_TAG_1/2/3 to the heading tags -// -// However if there's only 1 new feature, delete the previous section and change it to the following sentence: -// "The link:{url-about}[Open Liberty] 24.0.0.2-beta includes SUB_FEATURE_TITLE" -// // // // // // // // +With this release, back-channel logout is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. 
The following back-channel logout endpoints are enabled for those features: -See also link:{url-prefix}/blog/?search=beta&key=tag[previous Open Liberty beta blog posts]. +* OpenID Connect Client: `/oidcclient/backchannel_logout/{clientId}` +* Social Media Login: `/ibm/api/social-login/backchannel_logout/{clientId}` -// // // // DO NOT MODIFY THIS COMMENT BLOCK // // // // -// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/27362 -// Contact/Reviewer: jimmy1wu -// // // // // // // // -[#SUB_TAG_0] -== Back-channel logout support for OpenID Connect clients and servers - -1. Which Liberty feature(s) does your update relate to? - - Human-readable name (eg WebSockets feature): OpenID Connect Client 1.0, Social Media Login 1.0, OpenID Connect Server 1.0 - - Short feature name (eg websockets-1.0): openidConnectClient-1.0, socialLogin-1.0, openidConnectServer-1.0 - - - - - -2. Who is the target persona? Who do you expect to use the update? eg application developer, operations. - Server admins - - - - -3. Provide a summary of the update, including the following points: - - - A sentence or two that introduces the update to someone new to the general technology/concept. - - - What was the problem before and how does your update make their life better? (Why should they care?) - - - Briefly explain how to make your update work. Include screenshots, diagrams, and/or code snippets, and provide a `server.xml` snippet. - - - Where can they find out more about this specific update (eg Open Liberty docs, Javadoc) and/or the wider technology? - -OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so a local logout can also be performed for that user in each OpenID Connect client. 
Previously, OpenID Connect servers were only able to notify OpenID Connect clients that a user logged out by using iframes embedded in the OpenID Connect client's web page. This meant that a web page must be active for this communication to occur or else the OpenID Connect client would not be notified of the logout that occurred at the OpenID Connect server. Back-channel logout solves this problem through direct communication between the OpenID Connect server and clients. - -With this release, back-channel logout is enabled by default when the OpenID Connect Client and Social Media Login features are used. The back-channel logout endpoints can be found at `/oidcclient/backchannel_logout/{clientId}` and `/ibm/api/social-login/backchannel_logout/{clientId}` for those features respectively. - -To enable back-channel logout for OpenID Connect servers, the OpenID Connect client's back-channel logout URI must be specified when dynamically registering the OAuth client by using the `backchannel_logout_uri` metadata value, or by using the `backchannelLogoutUri` attribute for OAuth clients defined in a `localStore`. Additionally, the OpenID Connect server will wait a default of 180 seconds before the back-channel logout request times out, but this duration can also be specified using the `backchannelLogoutRequestTimeout` attribute. An example `server.xml` is shown here demonstrating how to specify the back-channel logout URI that an OpenID Connect server should use to make back-channel logout requests with a timeout of 60 seconds. - -``` - - openidConnectServer-1.0 - - -... - - - - - - - - -``` - -Now, when the OpenID Connect server's logout or end_session endpoint is invoked, the OpenID Connect server will also send back-channel logout requests to log the user out at the OpenID Connect clients as well. 
The OpenID Connect server's logout endpoint can be found at `/oidc/endpoint/{oidcProviderId}/logout` and the end_session endpoint can be found at `/oidc/endpoint/{oidcProviderId}/end_session`. Optionally, an `id_token_hint` containing an ID Token issued by that OpenID Connect server can be added to the endpoint request as a query parameter to help determine the user to log out. This is useful in scenarios where the logout or end_session request is made without the user's OpenID Connect server SSO cookie. Additionally, if the OpenID Connect server is configured with a SAML Identity Provider, a logout at the SAML Identity Provider will also trigger the OpenID Connect server to send back-channel logout requests to the OpenID Connect clients. - -For more information about the Open Liberty configuration options, see: -- link:https://openliberty.io/docs/latest/reference/config/openidConnectClient.html[openidConnectClient] -- link:https://openliberty.io/docs/latest/reference/config/oidcLogin.html[oidcLogin] -- link:https://openliberty.io/docs/latest/reference/config/openidConnectProvider.html#oauthProvider[openidConnectProvider] - -For more information about the back-channel logout specification, see link:https://openid.net/specs/openid-connect-backchannel-1_0.html[OpenID Connect Back-Channel Logout 1.0]. - - -// DO NOT MODIFY THIS LINE. - - - -To enable the new beta features in your app, add them to your `server.xml`: - -[source, xml] ----- +== Back-channel logout for OpenID Connect servers + +Two options are available to enable back-channel logout for OpenID Connect servers: + +* Use the `backchannel_logout_uri` metadata value to specify the OpenID Connect client's back-channel logout URI when the OAuth client is dynamically registered +* Use the `backchannelLogoutUri` attribute for OAuth clients that are defined in a `localStore` element. + +Also, the OpenID Connect server waits for a default of 180 seconds before the back-channel logout request times out. 
You can specify a custom duration by using the `backchannelLogoutRequestTimeout` attribute for the `openidConnectProvider` element. + +The following `server.xml` file example demonstrates how to specify the back-channel logout URI that an OpenID Connect server uses to make back-channel logout requests with a timeout of 60 seconds. +[source,xml] +---- + + openidConnectServer-1.0 + + +... + + + + + + + + ---- + +Now, when the OpenID Connect server's logout or `end_session` endpoint is invoked, the OpenID Connect server also sends back-channel logout requests to log out the user at the OpenID Connect clients. + +The OpenID Connect server's logout endpoint is `/oidc/endpoint/{oidcProviderId}/logout` and the `end_session` endpoint is `/oidc/endpoint/{oidcProviderId}/end_session`. + +Optionally, you can add an `id_token_hint` that contains an ID Token that is issued by that OpenID Connect server to the endpoint request as a query parameter to help determine the user to log out. This configuration is useful in scenarios where the logout or `end_session` request is made without the user's OpenID Connect server SSO cookie. Also, if the OpenID Connect server is configured with a SAML Identity Provider (IdP), a logout at the IdP also triggers sends back-channel logout requests to the OpenID Connect clients. + +For more information about the Open Liberty configuration options, see the following resources: +- link:{url-prefix}/docs/latest/reference/config/openidConnectClient.html[openidConnectClient] +- link:{url-prefix}/docs/latest/reference/config/oidcLogin.html[oidcLogin] +- link:{url-prefix}/docs/latest/reference/config/openidConnectProvider.html#oauthProvider[openidConnectProvider] + +For more information about the back-channel logout specification, see link:https://openid.net/specs/openid-connect-backchannel-1_0.html[OpenID Connect Back-Channel Logout 1.0]. + + +// DO NOT MODIFY THIS LINE. 
+ [#run] -=== Try it now +=== Try it now -To try out these features, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE XX, Java SE 17, Java SE 11, and Java SE 8. +To try out these features, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE 21, Java SE 17, Java SE 11, and Java SE 8. // // // // // // // // // In the preceding section: // Check if a new non-LTS Java SE version is supported that needs to be added to the list (17, 11, and 8 are LTS and will remain for a while) // https://openliberty.io/docs/latest/java-se.html // // // // // // // // -If you're using link:{url-prefix}/guides/maven-intro.html[Maven], you can install the All Beta Features package using: +If you're using link:{url-prefix}/guides/maven-intro.html[Maven], you can install the All Beta Features package by using: [source,xml] ---- io.openliberty.tools liberty-maven-plugin - 3.8.2 + 3.10 io.openliberty.beta @@ -212,7 +143,7 @@ buildscript { mavenCentral() } dependencies { - classpath 'io.openliberty.tools:liberty-gradle-plugin:3.6.2' + classpath 'io.openliberty.tools:liberty-gradle-plugin:3.8' } } apply plugin: 'liberty' 
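Review bot: `=== Try it now` now sits directly under `== Back-channel logout for OpenID Connect servers`, so it renders as a subsection of the servers section although it applies to the whole beta; promote it to `==` (the `[#run]` anchor can stay). Also in this hunk: the `- link:` items after `see the following resources:` have no blank line before them, so AsciiDoc folds them into the paragraph instead of rendering a list; `a logout at the IdP also triggers sends back-channel logout requests` should read `also triggers back-channel logout requests`; and because the post states that `/oidcclient/backchannel_logout/{clientId}` and `/ibm/api/social-login/backchannel_logout/{clientId}` are enabled by default, a sentence on how a request arriving at those endpoints is validated, or a pointer to the corresponding section of the linked Back-Channel Logout 1.0 spec, would let the stated audience (server admins) judge what a newly exposed endpoint accepts.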
@@ -220,12 +151,7 @@ dependencies { libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[24.0.0.2-beta,)' } ---- -// // // // // // // // -// In the preceding section: -// Replace the Maven `3.8.2` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-maven-plugin -// Replace the Gradle `3.6.2` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-gradle-plugin -// TODO: Update GHA to automatically do the above. If the maven.org is problematic, then could fallback to using the GH Releases for the plugins -// // // // // // // // + Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]: 
@@ -236,13 +162,13 @@ FROM icr.io/appcafe/open-liberty:beta Or take a look at our link:{url-prefix}/downloads/#runtime_betas[Downloads page]. -If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE. +If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools]. These tools enable effective development, testing, debugging, and application management all from within your IDE. For more information on using a beta release, refer to the link:{url-prefix}docs/latest/installing-open-liberty-betas.html[Installing Open Liberty beta releases] documentation. +See also link:{url-prefix}/blog/?search=beta&key=tag[previous Open Liberty beta blog posts]. + [#feedback] == We welcome your feedback Let us know what you think on link:https://groups.io/g/openliberty[our mailing list]. If you hit a problem, link:https://stackoverflow.com/questions/tagged/open-liberty[post a question on StackOverflow]. If you hit a bug, link:https://github.com/OpenLiberty/open-liberty/issues[please raise an issue]. - - From 164e9d24e9c2b8fc31f46f4d3e454996d701ddef Mon Sep 17 00:00:00 2001 
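Review bot: adding `See also link:{url-prefix}/blog/?search=beta&key=tag[previous Open Liberty beta blog posts].` here duplicates the same sentence that the first hunk of this patch keeps after the opening summary; keep only one of them (this later position, next to the other beta links, reads better). The unchanged context line above it, `link:{url-prefix}docs/latest/installing-open-liberty-betas.html`, is also missing the `/` after `{url-prefix}` that every other `{url-prefix}` link in the file has; worth fixing while editing this region.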
From: David Mueller Date: Thu, 8 Feb 2024 11:14:57 -0500 Subject: [PATCH 03/10] edits --- posts/2024-02-13-24.0.0.2-beta.adoc | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/posts/2024-02-13-24.0.0.2-beta.adoc b/posts/2024-02-13-24.0.0.2-beta.adoc index 957acf747..ecdec832e 100644 --- a/posts/2024-02-13-24.0.0.2-beta.adoc +++ b/posts/2024-02-13-24.0.0.2-beta.adoc @@ -6,8 +6,8 @@ categories: blog author_picture: https://avatars3.githubusercontent.com/dmuelle author_github: https://github.com/dmuelle seo-title: Back-channel logout support for OpenID Connect clients and servers in 24.0.0.2-beta - OpenLiberty.io -seo-description: OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so each OpenID Connect client can also log the user out locally -blog_description: OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so each OpenID Connect client can also log the user out locally +seo-description: OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so each OpenID Connect client can also log the user out locally. +blog_description: OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so each OpenID Connect client can also log the user out locally. open-graph-image: https://openliberty.io/img/twitter_card.jpg open-graph-image-alt: Open Liberty Logo --- 
@@ -20,8 +20,6 @@ David Mueller OpenID Connect clients and servers in Open Liberty now support back-channel logout. Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so each OpenID Connect client can also log the user out locally. -See also link:{url-prefix}/blog/?search=beta&key=tag[previous Open Liberty beta blog posts]. - // // // // DO NOT MODIFY THIS COMMENT BLOCK // // // // // Blog issue: https://github.com/OpenLiberty/open-liberty/issues/27362 // Contact/Reviewer: jimmy1wu @@ -31,7 +29,7 @@ Previously, OpenID Connect servers could notify OpenID Connect clients that a us == Back-channel logout for OpenID Connect clients -With this release, back-channel logout is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. The following back-channel logout endpoints are enabled for those features: +With this release, back-channel logout for OpenID clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. The following back-channel logout endpoints are enabled for those features: * OpenID Connect Client: `/oidcclient/backchannel_logout/{clientId}` * Social Media Login: `/ibm/api/social-login/backchannel_logout/{clientId}` 
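Review bot: `back-channel logout for OpenID clients` in the rewritten sentence introduces a term the rest of the post never uses; everywhere else the text says `OpenID Connect clients`, so write `back-channel logout for OpenID Connect clients` (or drop the qualifier, since the `== Back-channel logout for OpenID Connect clients` heading already scopes the paragraph).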
@@ -40,12 +38,12 @@ With this release, back-channel logout is enabled by default when the link:{url- Two options are available to enable back-channel logout for OpenID Connect servers: -* Use the `backchannel_logout_uri` metadata value to specify the OpenID Connect client's back-channel logout URI when the OAuth client is dynamically registered +* Use the `backchannel_logout_uri` metadata value to specify the OpenID Connect client's back-channel logout URI when the OAuth client is dynamically registered. * Use the `backchannelLogoutUri` attribute for OAuth clients that are defined in a `localStore` element. Also, the OpenID Connect server waits for a default of 180 seconds before the back-channel logout request times out. You can specify a custom duration by using the `backchannelLogoutRequestTimeout` attribute for the `openidConnectProvider` element. -The following `server.xml` file example demonstrates how to specify the back-channel logout URI that an OpenID Connect server uses to make back-channel logout requests with a timeout of 60 seconds. +The following `server.xml` file example demonstrates how to specify the back-channel logout URI that an OpenID Connect server uses to make back-channel logout requests, with a timeout of 60 seconds. [source,xml] ---- 
@@ -78,6 +76,7 @@ The OpenID Connect server's logout endpoint is `/oidc/endpoint/{oidcProviderId}/ Optionally, you can add an `id_token_hint` that contains an ID Token that is issued by that OpenID Connect server to the endpoint request as a query parameter to help determine the user to log out. This configuration is useful in scenarios where the logout or `end_session` request is made without the user's OpenID Connect server SSO cookie. Also, if the OpenID Connect server is configured with a SAML Identity Provider (IdP), a logout at the IdP also triggers sends back-channel logout requests to the OpenID Connect clients. For more information about the Open Liberty configuration options, see the following resources: + - link:{url-prefix}/docs/latest/reference/config/openidConnectClient.html[openidConnectClient] - link:{url-prefix}/docs/latest/reference/config/oidcLogin.html[oidcLogin] - link:{url-prefix}/docs/latest/reference/config/openidConnectProvider.html#oauthProvider[openidConnectProvider] From 02835a1301eae3201f9c462f044d72f46ee55ec3 Mon Sep 17 00:00:00 2001 From: Laura Cowen Date: Thu, 8 Feb 2024 20:47:34 +0000 Subject: [PATCH 04/10] Update blog_tags.json Created new `user story` tag to group posts about Open Liberty uses --- blog_tags.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/blog_tags.json b/blog_tags.json index b3bb02fce..b65684b63 100644 --- a/blog_tags.json +++ b/blog_tags.json @@ -519,6 +519,10 @@ "database-ssl-primer", "pre-populating-db-connections", "jakartaee9-data-source-transactions-20008-beta", "testing-database-connections-REST-APIs"] }, + { + "name": "user story", + "posts": [ "Primeur", "production-experience-open-liberty"] + }, { "name": "reactive", "posts": [ "23.0.0.11-beta", "reactive-developer-guides", From 1047484abc3c561f3abafb9ec3c5e5a5ca5521d2 Mon Sep 17 00:00:00 2001 
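Review bot: in the `@@ -78,6 +76,7 @@` hunk the unchanged context line "a logout at the IdP also triggers sends back-channel logout requests" carries two verbs; since this hunk already touches the paragraph, drop one, e.g. "a logout at the IdP also triggers back-channel logout requests to the OpenID Connect clients". The added blank line before the `- link:` entries is correct: AsciiDoc needs it so the `-` lines render as a list instead of being absorbed into the preceding sentence.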
From: Laura Cowen Date: Fri, 9 Feb 2024 13:02:26 +0000 Subject: [PATCH 05/10] Update blog_tags.json --- blog_tags.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blog_tags.json b/blog_tags.json index b65684b63..294664663 100644 --- a/blog_tags.json +++ b/blog_tags.json @@ -520,7 +520,7 @@ "jakartaee9-data-source-transactions-20008-beta", "testing-database-connections-REST-APIs"] }, { - "name": "user story", + "name": "case-study", "posts": [ "Primeur", "production-experience-open-liberty"] }, { From 2f1eadc463f6546669f7b601eeab3d1ad8570050 Mon Sep 17 00:00:00 2001 From: David Mueller <48686014+dmuelle@users.noreply.github.com> Date: Mon, 12 Feb 2024 10:01:27 -0500 Subject: [PATCH 06/10] Update posts/2024-02-13-24.0.0.2-beta.adoc --- posts/2024-02-13-24.0.0.2-beta.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/posts/2024-02-13-24.0.0.2-beta.adoc b/posts/2024-02-13-24.0.0.2-beta.adoc index ecdec832e..c0d7826c8 100644 --- a/posts/2024-02-13-24.0.0.2-beta.adoc +++ b/posts/2024-02-13-24.0.0.2-beta.adoc 
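Review bot: in the `@@ -520,7 +520,7 @@` hunk the rename from `user story` to `case-study` brings the tag in line with the other single-token tag names in the file (`reactive`, `security`), which is the right call. While touching this entry, the `"Primeur"` post id is the only capitalised value in the surrounding lists, which are otherwise lower-case slugs such as `"production-experience-open-liberty"`; it is worth confirming it matches the post's file name exactly, since a mismatch would leave the post untagged without any error.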
@@ -27,7 +27,7 @@ OpenID Connect clients and servers in Open Liberty now support back-channel logo Previously, OpenID Connect servers could notify OpenID Connect clients that a user logged out only by using iframes that were embedded in the OpenID Connect client's web page. If the web page wasn't active, the OpenID Connect client wasn't notified of the logout that occurred on the OpenID Connect server. Back-channel logout solves this problem through direct communication between the OpenID Connect server and clients. -== Back-channel logout for OpenID Connect clients +== Back-channel logout support for OpenID Connect clients With this release, back-channel logout for OpenID clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. The following back-channel logout endpoints are enabled for those features: From 1a21219f0f00d1c69e9054bb5f0b4153e087b2f1 Mon Sep 17 00:00:00 2001 From: David Mueller <48686014+dmuelle@users.noreply.github.com> Date: Mon, 12 Feb 2024 10:01:53 -0500 Subject: [PATCH 07/10] Update posts/2024-02-13-24.0.0.2-beta.adoc --- posts/2024-02-13-24.0.0.2-beta.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/posts/2024-02-13-24.0.0.2-beta.adoc b/posts/2024-02-13-24.0.0.2-beta.adoc index c0d7826c8..6e750c4c6 100644 --- a/posts/2024-02-13-24.0.0.2-beta.adoc +++ b/posts/2024-02-13-24.0.0.2-beta.adoc @@ -34,7 +34,7 @@ With this release, back-channel logout for OpenID clients is enabled by default * OpenID Connect Client: `/oidcclient/backchannel_logout/{clientId}` * Social Media Login: `/ibm/api/social-login/backchannel_logout/{clientId}` -== Back-channel logout for OpenID Connect servers +== Back-channel logout support for OpenID Connect servers Two options are available to enable back-channel logout for OpenID Connect servers: 
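Review bot: the `@@ -27,7 +27,7 @@` and `@@ -34,7 +34,7 @@` hunks rename both section headings to "Back-channel logout support for ..." in matching form, so the two sections stay parallel; as these are one-line suggestion commits applied from review, consider squashing them into the "edits per review" commit that follows so the history shows one logical change to the post.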
From 1b44b2e844879673ee96591d9d54934329d4555a Mon Sep 17 00:00:00 2001 From: David Mueller Date: Mon, 12 Feb 2024 10:21:12 -0500 Subject: [PATCH 08/10] edits per review --- posts/2024-02-13-24.0.0.2-beta.adoc | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/posts/2024-02-13-24.0.0.2-beta.adoc b/posts/2024-02-13-24.0.0.2-beta.adoc index 6e750c4c6..d966af4e9 100644 --- a/posts/2024-02-13-24.0.0.2-beta.adoc +++ b/posts/2024-02-13-24.0.0.2-beta.adoc 
@@ -29,16 +29,39 @@ Previously, OpenID Connect servers could notify OpenID Connect clients that a us == Back-channel logout support for OpenID Connect clients -With this release, back-channel logout for OpenID clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. The following back-channel logout endpoints are enabled for those features: +With this release, back-channel logout support for OpenID clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. When either of these features are enabled and an `openidConnectClient` or a `socialLogin` element is defined in the `server.xml` file, back-channel logout endpoints are also automatically enabled on the OpenID Connect client. The OpenID Connect server sends back-channel logout requests to these endpoints to log out the user at the OpenID Connect client. The OpenID Connect server needs the absolute URI of the back-channel logout endpoint to send the back-channel logout requests. The following back-channel logout endpoints are enabled for those features: * OpenID Connect Client: `/oidcclient/backchannel_logout/{clientId}` * Social Media Login: `/ibm/api/social-login/backchannel_logout/{clientId}` +For example, when the OpenID Connect Client feature is enabled, the back-channel logout endpoint is `/oidcclient/backchannel_logout/client01` for the following configuration: + +[source,xml] +---- + + openidConnectClient-1.0 + +... 
+ +---- + +Similarly, if the Social Media Login feature is enabled, the back-channel logout endpoint is `/ibm/api/social-login/backchannel_logout/client01` for the following configuration: + +[source,xml] +---- + + socialLogin-1.0 + +... + +---- + == Back-channel logout support for OpenID Connect servers Two options are available to enable back-channel logout for OpenID Connect servers: -* Use the `backchannel_logout_uri` metadata value to specify the OpenID Connect client's back-channel logout URI when the OAuth client is dynamically registered. +* Use the `backchannel_logout_uri` metadata value to specify the OpenID Connect client's back-channel logout URI when the OAuth client is dynamically registered by using the OpenID Connect provider's client registration endpoint. + * Use the `backchannelLogoutUri` attribute for OAuth clients that are defined in a `localStore` element. Also, the OpenID Connect server waits for a default of 180 seconds before the back-channel logout request times out. You can specify a custom duration by using the `backchannelLogoutRequestTimeout` attribute for the `openidConnectProvider` element. From 1d8481ee1bca1e4f1ed14d5cce67e71cc7c4dc58 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Mon, 12 Feb 2024 12:58:09 -0500 Subject: [PATCH 09/10] Update 2024-02-13-24.0.0.2-beta.adoc --- posts/2024-02-13-24.0.0.2-beta.adoc | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/posts/2024-02-13-24.0.0.2-beta.adoc b/posts/2024-02-13-24.0.0.2-beta.adoc index d966af4e9..2d423b4c9 100644 --- a/posts/2024-02-13-24.0.0.2-beta.adoc +++ b/posts/2024-02-13-24.0.0.2-beta.adoc 
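Review bot: in the `@@ -29,16 +29,39 @@` hunk the new paragraph says the OpenID Connect server "needs the absolute URI of the back-channel logout endpoint", but both examples that follow give only a path (`/oidcclient/backchannel_logout/client01`, `/ibm/api/social-login/backchannel_logout/client01`); spell out what the absolute URI consists of, e.g. the OpenID Connect client's scheme, host and port followed by that path, so readers know what value to register as `backchannel_logout_uri` or set in `backchannelLogoutUri`. Two smaller points in the same paragraph: "back-channel logout support for OpenID clients" should read "OpenID Connect clients", and "When either of these features are enabled" should read "is enabled". Finally, because this paragraph tells readers that the endpoints are enabled automatically as soon as an `openidConnectClient` or `socialLogin` element exists, a sentence on what the client checks on an incoming back-channel logout request (for example, that the logout token was issued by the configured provider for this client) would help readers decide how these endpoints may be exposed.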
@@ -29,12 +29,12 @@ Previously, OpenID Connect servers could notify OpenID Connect clients that a us == Back-channel logout support for OpenID Connect clients -With this release, back-channel logout support for OpenID clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. When either of these features are enabled and an `openidConnectClient` or a `socialLogin` element is defined in the `server.xml` file, back-channel logout endpoints are also automatically enabled on the OpenID Connect client. The OpenID Connect server sends back-channel logout requests to these endpoints to log out the user at the OpenID Connect client. The OpenID Connect server needs the absolute URI of the back-channel logout endpoint to send the back-channel logout requests. The following back-channel logout endpoints are enabled for those features: +With this release, back-channel logout support for OpenID Connect clients is enabled by default when the link:{url-prefix}/docs/latest/reference/feature/openidConnectClient.html[OpenID Connect Client] and link:{url-prefix}/docs/latest/reference/feature/socialLogin.html[Social Media Login] features are enabled. When either of these features are enabled and an `openidConnectClient` or a `socialLogin` element is defined in the `server.xml` file, back-channel logout endpoints are also automatically enabled on the OpenID Connect client. The OpenID Connect server sends back-channel logout requests to these endpoints to log out the user at the OpenID Connect client. The OpenID Connect server needs the absolute URI of the back-channel logout endpoint to send the back-channel logout requests. 
The following back-channel logout endpoints are enabled for those features: -* OpenID Connect Client: `/oidcclient/backchannel_logout/{clientId}` -* Social Media Login: `/ibm/api/social-login/backchannel_logout/{clientId}` +* OpenID Connect Client: `/oidcclient/backchannel_logout/{oidcClientId}` +* Social Media Login: `/ibm/api/social-login/backchannel_logout/{socialLoginId}` -For example, when the OpenID Connect Client feature is enabled, the back-channel logout endpoint is `/oidcclient/backchannel_logout/client01` for the following configuration: +For example, when the OpenID Connect Client feature is enabled, the back-channel logout endpoint is `/oidcclient/backchannel_logout/oidcClientId` for the following configuration: [source,xml] ---- @@ -42,10 +42,10 @@ For example, when the OpenID Connect Client feature is enabled, the back-channel openidConnectClient-1.0 ... - + ---- -Similarly, if the Social Media Login feature is enabled, the back-channel logout endpoint is `/ibm/api/social-login/backchannel_logout/client01` for the following configuration: +Similarly, if the Social Media Login feature is enabled, the back-channel logout endpoint is `/ibm/api/social-login/backchannel_logout/socialLoginId` for the following configuration: [source,xml] ---- @@ -53,7 +53,7 @@ Similarly, if the Social Media Login feature is enabled, the back-channel logout socialLogin-1.0 ... - + ---- == Back-channel logout support for OpenID Connect servers 
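Review bot: in the `@@ -29,12 +29,12 @@` hunk the example sentence now reads "the back-channel logout endpoint is `/oidcclient/backchannel_logout/oidcClientId`", which looks like a literal path segment rather than a placeholder; either keep a concrete sample id that matches the `id` attribute in the configuration shown below it, as the earlier `client01` did, or write it as `{oidcClientId}` with braces, as the bullet list directly above does. The same applies to `/ibm/api/social-login/backchannel_logout/socialLoginId` in the `@@ -42,10 +42,10 @@` hunk. Renaming the bullet placeholders from `{clientId}` to `{oidcClientId}` and `{socialLoginId}` is a good change, since the names now say which element's id fills the path.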
@@ -92,11 +92,19 @@ The following `server.xml` file example demonstrates how to specify the back-cha ---- -Now, when the OpenID Connect server's logout or `end_session` endpoint is invoked, the OpenID Connect server also sends back-channel logout requests to log out the user at the OpenID Connect clients. +Now, when the OpenID Connect server's logout or `end_session` endpoint is invoked, the OpenID Connect server also sends back-channel logout requests to log out the user at the OpenID Connect clients. The OpenID Connect server's logout endpoint is `/oidc/endpoint/{oidcProviderId}/logout` and the `end_session` endpoint is `/oidc/endpoint/{oidcProviderId}/end_session`. Optionally, you can add an `id_token_hint` query parameter that contains an ID Token that is issued by that OpenID Connect server to the endpoint request as a query parameter to help determine the user to log out. This configuration is useful in scenarios where the logout or `end_session` request is made without the user's OpenID Connect server SSO cookie. -The OpenID Connect server's logout endpoint is `/oidc/endpoint/{oidcProviderId}/logout` and the `end_session` endpoint is `/oidc/endpoint/{oidcProviderId}/end_session`. +For example, if the OpenID Connect server is hosted on `http://localhost:9081` and the user’s OpenID Connect server SSO cookie is available, then invoking either of the following endpoints causes the OpenID Connect server to also send back-channel logout requests to the configured back-channel logout URIs: -Optionally, you can add an `id_token_hint` that contains an ID Token that is issued by that OpenID Connect server to the endpoint request as a query parameter to help determine the user to log out. This configuration is useful in scenarios where the logout or `end_session` request is made without the user's OpenID Connect server SSO cookie. 
Also, if the OpenID Connect server is configured with a SAML Identity Provider (IdP), a logout at the IdP also triggers sends back-channel logout requests to the OpenID Connect clients. +* Logout endpoint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/logout` +* End session endpoint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/end_session` + +If the user’s OpenID Connect server SSO cookie is not available, such as when you invoke the endpoints by using a curl command, then an ID token that belongs to the user must be appended to the request by using the `id_token_hint` query parameter. + +* Logout endpoint with ID token hint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/logout?id_token_hint={id_token}` +* End session endpoint with ID token hint: `http://localhost:9081/oidc/endpoint/{oidcProviderId}/end_session?id_token_hint={id_token}` + +Also, if the OpenID Connect server is configured with a SAML Identity Provider (IdP) by using the link:https://openliberty.io/docs/latest/reference/feature/samlWeb-2.0.html[SAML Web Single Sign-On] feature, then a logout at the IdP also triggers the OpenID Connect server to send back-channel logout requests to the configured OpenID Connect clients. For more information about the Open Liberty configuration options, see the following resources: From a0fbec35adb0431149f6dc79521a2d8024c97e16 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Mon, 12 Feb 2024 13:42:40 -0500 Subject: [PATCH 10/10] add 24002-beta tags --- blog_tags.json | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/blog_tags.json b/blog_tags.json index b3bb02fce..882016c59 100644 --- a/blog_tags.json +++ b/blog_tags.json @@ -2,7 +2,7 @@ "blog_tags": [ { "name": "announcements", - "posts": ["24.0.0.1", + "posts": ["24.0.0.2-beta", "24.0.0.1", "24.0.0.1-beta", "liberty-certification", "23.0.0.12", "23.0.0.12-beta", "23.0.0.11", "23.0.0.11-beta", 
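Review bot: in the `@@ -92,11 +92,19 @@` hunk the merged sentence "you can add an `id_token_hint` query parameter that contains an ID Token ... to the endpoint request as a query parameter" says "query parameter" twice; drop the trailing "as a query parameter". Two consistency points in the added lines: "user’s" uses a curly apostrophe where the rest of the post uses straight quotes, and the endpoint examples use `http://localhost:9081` even though the request carries either the user's SSO cookie or an ID token in `id_token_hint`; showing `https` in the sample URLs would be the safer default for readers who copy them, and a short note that a token passed in the query string will also show up in access logs would fit next to the curl remark. The rewritten SAML sentence ("a logout at the IdP also triggers the OpenID Connect server to send back-channel logout requests") fixes the earlier "triggers sends" wording, so that part reads correctly now.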
@@ -151,7 +151,7 @@ }, { "name": "release", - "posts": ["24.0.0.1", + "posts": ["24.0.0.2-beta", "24.0.0.1", "24.0.0.1-beta", "23.0.0.12", "23.0.0.12-beta","23.0.0.11", "23.0.0.11-beta", "23.0.0.10", @@ -206,7 +206,8 @@ }, { "name": "beta", - "posts": ["24.0.0.1-beta", "23.0.0.12-beta", + "posts": ["24.0.0.2-beta", + "24.0.0.1-beta", "23.0.0.12-beta", "23.0.0.11-beta", "23.0.0.10-beta", "23.0.0.9-beta", "23.0.0.8-beta", "23.0.0.7-beta", "23.0.0.6-beta", @@ -247,7 +248,8 @@ }, { "name": "security", - "posts": ["24.0.0.1", "23.0.0.12", + "posts": ["24.0.0.2-beta", + "24.0.0.1", "23.0.0.12", "23.0.0.10", "23.0.0.10-beta", "23.0.0.9", "23.0.0.8", "23.0.0.6-beta", "22.0.0.13",
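Review bot: across the `@@ -2,7 +2,7 @@`, `@@ -151,7 +151,7 @@`, `@@ -206,7 +206,8 @@` and `@@ -247,7 +248,8 @@` hunks the new `"24.0.0.2-beta"` entry is added at the head of the `announcements`, `release`, `beta` and `security` lists, matching how `"24.0.0.1-beta"` was added before it, so the content looks right. The base is the concern: the `index b3bb02fce..882016c59` line shows this commit was made against `blog_tags.json` as it was before PATCH 04 and 05, which left the file at `294664663` after adding the `case-study` tag. These hunks sit well above the line 519 region those patches changed, so they should still apply, but rebase the commit onto the current branch and confirm the merged file contains both the `case-study` entry and the four `24.0.0.2-beta` additions.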