{"id":81936,"date":"2020-08-10T09:00:37","date_gmt":"2020-08-10T16:00:37","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/opensource\/?p=81936"},"modified":"2025-06-24T10:53:45","modified_gmt":"2025-06-24T17:53:45","slug":"securing-open-liberty-applications-azure-active-directory-openid-connect","status":"publish","type":"post","link":"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/","title":{"rendered":"Securing Open Liberty applications with Azure Active Directory via OpenID Connect"},"content":{"rendered":"\n<p>Long gone are the days when you had to create your own user account management, authentication, and authorization for your web-delivered software. Instead, contemporary applications leverage these functions (Identity and Access Management or IAM for short) from an external provider. As a full-featured Java application runtime, Open Liberty&nbsp;has great options for externally provided IAM.<\/p>\n\n\n\n<p>Open Liberty supports IAM mainstays, such as Social Media Login,&nbsp;SAML Web Single Sign-on, and OpenID Connect Client. In Bruce Tiffany&#8217;s blog post &#8220;<a href=\"https:\/\/openliberty.io\/blog\/2019\/08\/29\/securing-microservices-social-login-jwt.html\">Securing Open Liberty apps and micro-services with MicroProfile JWT and Social Media login<\/a>,&#8221; you have a solid example of how to use the Open Liberty Social Media Login feature to authenticate users using their existing social media credentials. In this blog post, let&#8217;s take a look at another example of how to configure the Liberty social login feature as an OpenID Connect client to secure Java applications with Azure Active Directory.<\/p>\n\n\n\n<p>The sample code used in this blog is hosted on this&nbsp;<a href=\"https:\/\/github.com\/Azure-Samples\/liberty-aad-oidc\">GitHub repository<\/a>. 
Feel free to check it out and follow its user guide to run the Java EE demo application before or after reading this blog.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"set-up-azure-active-directory\">Set up Azure Active Directory<\/h2>\n\n\n\n<p>Azure Active Directory (Azure AD) implements OpenID Connect (OIDC), an authentication protocol built on OAuth 2.0, which lets you securely sign in a user from Azure AD to an application. Before going into the sample code, you must first set up an Azure AD tenant and create an application registration with a redirect URL and client secret. The tenant ID, application (client) ID, and client secret are used by Open Liberty to negotiate with Azure AD to complete an OAuth 2.0 authorization code flow.<\/p>\n\n\n\n<p>Learn how to set up Azure AD from these articles:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/develop\/quickstart-create-new-tenant\">Create a new tenant<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/develop\/quickstart-register-app\">Register an application<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/develop\/howto-create-service-principal-portal#create-a-new-application-secret\">Add a new client secret<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configure-social-login-as-openid-connect-client\">Configure social login as OpenID Connect client<\/h2>\n\n\n\n<p>The following sample code shows how an application running on an Open Liberty server is configured with the&nbsp;<code>socialLogin-1.0<\/code>&nbsp;feature as an OpenID Connect client to authenticate a user from an OpenID Connect Provider, with Azure AD as the designated security provider.<\/p>\n\n\n\n<p>The relevant server configuration in&nbsp;<code>server.xml<\/code>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2020\/08\/Open-Liberty-code-snippet-1-1024x606.webp\" alt=\"Open Liberty code snippet\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/Azure-Samples\/liberty-aad-oidc\/blob\/master\/javaee-cafe\/src\/main\/liberty\/config\/server.xml\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Above code sample in GitHub repository<\/em><\/a><\/p>\n\n\n\n<p>The&nbsp;<code>oidcLogin<\/code> element has a large number of available configuration options in Open Liberty. With Azure AD, most of them are not required and you can use only the few options used in the code example. This is because Azure AD supports discovery endpoints, as shown in the code example. Discovery endpoints allow for most OpenID Connect configuration to be automatically retrieved by the client, significantly simplifying configuration. In addition, Azure AD instances follow a known pattern for discovery endpoint URLs, allowing us to parameterize the URL using a tenant ID. Beyond the discovery URL, only a client ID and secret are needed. <code>RS256<\/code>&nbsp;must be used as the signature algorithm with Azure AD.<\/p>\n\n\n\n<p>The&nbsp;<code>userNameAttribute<\/code>&nbsp;parameter is used to map a token value from Azure AD to a unique subject identity in Liberty. There are a number of Azure AD token values (claims) you can use that are&nbsp;<a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/develop\/access-tokens\">listed here<\/a>. Be cautious, as the claims available in v1.0 and v2.0 tokens differ (v2.0 tokens do not support some v1.0 claims). Either <code>preferred_username<\/code> or <code>oid<\/code> can be safely used, although in most cases you will probably want to use the <code>preferred_username<\/code>.<\/p>\n\n\n\n<p>Using Azure AD allows your application to use a certificate with a root CA signed by Microsoft&#8217;s public certificate. 
This certificate is added to the default <code>cacerts<\/code> of the JVM. Trusting the JVM default <code>cacerts<\/code> ensures a successful SSL handshake between the OIDC Client and Azure AD (i.e., setting the <code>defaultSSLConfig trustDefaultCerts<\/code> value to <code>true<\/code>).<\/p>\n\n\n\n<p>In our case, we assign all users authenticated via Azure AD the&nbsp;<code>users<\/code>&nbsp;role. More complex role mappings are possible with Liberty if desired.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"use-openid-connect-to-authenticate-users\">Use OpenID Connect to authenticate users<\/h2>\n\n\n\n<p>The sample application exposes a&nbsp;JSF client, which defines a Java EE security constraint that only users with the role <code>users<\/code> can access.<\/p>\n\n\n\n<p>The relevant configuration in&nbsp;<code>web.xml<\/code>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2020\/08\/Open-Liberty-code-snippet-2-1024x298.webp\" alt=\"Open Liberty code snippet\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/Azure-Samples\/liberty-aad-oidc\/blob\/master\/javaee-cafe\/src\/main\/webapp\/WEB-INF\/web.xml\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Above code sample in GitHub repository<\/em><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"workflow\">Workflow<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2020\/08\/convergence_scenarios_webapp_webapi-1024x587.webp\" alt=\"OpenID Connect sign-in and token acquisition flow\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><em>Picture 1: OpenID Connect sign-in and token acquisition flow from <\/em><a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/develop\/v2-protocols-oidc#protocol-diagram-access-token-acquisition\"><em>Microsoft identity platform and OpenID Connect 
protocol<\/em><\/a><\/p>\n\n\n\n<p>This is standard Java EE security. When an unauthenticated user attempts to access the JSF client, they are redirected to Microsoft to provide their Azure AD credentials. Upon success, the browser gets redirected back to the client with an authorization code. The client then contacts Microsoft again with the authorization code, client ID and secret to obtain an ID token and access token, and finally creates an authenticated user on the client, who then gets access to the JSF client.<\/p>\n\n\n\n<p>To get authenticated user information, use the&nbsp;<code>@Inject<\/code>&nbsp;annotation to obtain a reference to the&nbsp;<code>javax.security.enterprise.SecurityContext<\/code>&nbsp;and call its method&nbsp;<code>getCallerPrincipal()<\/code>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2020\/08\/Open-Liberty-code-snippet-3-1024x216.webp\" alt=\"Open Liberty code snippet\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/Azure-Samples\/liberty-aad-oidc\/blob\/master\/javaee-cafe\/src\/main\/java\/cafe\/web\/view\/Cafe.java\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Above code sample in GitHub repository<\/em><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"secure-internal-rest-calls-using-jwt-rbac\">Secure internal REST calls using JWT RBAC<\/h2>\n\n\n\n<p>The&nbsp;<code>Cafe<\/code>&nbsp;bean depends on&nbsp;<code>CafeResource<\/code>, a REST service built with&nbsp;JAX-RS, to create, read, update and delete coffees. 
The&nbsp;<code>CafeResource<\/code> implements RBAC (role-based access control) using&nbsp;MicroProfile JWT to verify the groups claim of the token.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2020\/08\/Open-Liberty-code-snippet-4-1024x853.webp\" alt=\"Open Liberty code snippet\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/Azure-Samples\/liberty-aad-oidc\/blob\/master\/javaee-cafe\/src\/main\/java\/cafe\/web\/rest\/CafeResource.java\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Above code sample in GitHub repository<\/em><\/a><\/p>\n\n\n\n<p>The&nbsp;<code>admin.group.id<\/code>&nbsp;is injected into the application using&nbsp;MicroProfile Config&nbsp;at the application startup using the&nbsp;<code>ConfigProperty<\/code>&nbsp;annotation.&nbsp;MicroProfile JWT enables you to <code>@Inject<\/code> the JWT (JSON Web Token). The <code>CafeResource<\/code> REST endpoint receives the JWT with the <code>preferred_username<\/code> and <code>groups<\/code> claims from the ID Token issued by Azure AD in the OpenID Connect authorization workflow. 
The ID Token can be retrieved using the <code>com.ibm.websphere.security.social.UserProfileManager<\/code>&nbsp;and&nbsp;<code>com.ibm.websphere.security.social.UserProfile<\/code>&nbsp;APIs.<\/p>\n\n\n\n<p>Here is the relevant configuration snippet in&nbsp;<code>server.xml<\/code>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2020\/08\/Open-Liberty-code-snippet-5-1024x418.webp\" alt=\"Open Liberty code snippet\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/Azure-Samples\/liberty-aad-oidc\/blob\/master\/javaee-cafe\/src\/main\/liberty\/config\/server.xml\"><em>Above code sample in GitHub repository<\/em><\/a><\/p>\n\n\n\n<p>Note, the <code>groups<\/code> claim is not propagated by default and requires additional Azure AD configuration. To add a <code>groups<\/code> claim into the ID token, you will need to create a group with type as &#8216;Security&#8217; and add one or more members to it in Azure AD. In the application registration created as part of Azure AD configuration, you will also need to: find &#8216;Token configuration&#8217; &gt; select &#8216;Add groups claim&#8217; &gt; select &#8216;Security groups&#8217; as group types to include in ID token &gt; expand &#8216;ID&#8217; and select &#8216;Group ID&#8217; in &#8216;Customize token properties by type&#8217; section. 
Learn more details from these articles:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/fundamentals\/active-directory-groups-create-azure-portal\">Create a new group and add members<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/develop\/active-directory-optional-claims#configuring-groups-optional-claims\">Configuring groups optional claims<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"summary\">Summary<\/h2>\n\n\n\n<p>In this blog entry, we demonstrated how to effectively secure an Open Liberty&nbsp;application using OpenID Connect and&nbsp;Azure Active Directory. This write-up and the underlying <a href=\"https:\/\/github.com\/Azure-Samples\/liberty-aad-oidc\">official Azure sample<\/a>&nbsp;should also easily work for&nbsp;WebSphere Liberty. This effort is part of a broader collaboration between Microsoft and IBM to provide better guidance and tools for developers using Java EE, Jakarta EE (Java EE has been transferred to the Eclipse Foundation as Jakarta EE under vendor-neutral open source governance), and&nbsp;MicroProfile (MicroProfile is a set of open source specifications that build upon Java EE technologies and target the microservices domain) on Azure.<\/p>\n\n\n\n<p>We would like to hear from you as to what kind of tools and guidance you need. If possible, please\u00a0<a href=\"https:\/\/aka.ms\/migration-survey\">fill out a five-minute survey<\/a> on this topic and share your invaluable feedback\u2014especially if you are interested in working closely with us (for free) on a cloud migration case.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Long gone are the days when you had to create your own user account management, authentication, and authorization for your web delivered software. Instead, contemporary applications leverage these functions (Identity and Access Management or IAM for short) from an external provider. 
As a full-featured Java application runtime, Open Liberty&nbsp;has great options for externally provided IAM.<\/p>\n","protected":false},"author":5562,"featured_media":95468,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"msxcm_post_with_no_image":false,"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"post_tag":[2271],"content-type":[340],"topic":[2240,2241],"programming-languages":[],"coauthors":[1653],"class_list":["post-81936","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-community-partners","content-type-tutorials-and-demos","topic-application-development","topic-cloud","review-flag-1-1593580432-963","review-flag-2-1593580437-411","review-flag-free-1593619513-693","review-flag-lever-1593580265-989","review-flag-new-1593580248-669"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Securing Open Liberty applications with Azure Active Directory via OpenID Connect<\/title>\n<meta name=\"description\" content=\"In this blog entry, we demonstrate how to effectively secure an Open Liberty\u00a0application using OpenID Connect and\u00a0Azure Active Directory.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Securing Open Liberty applications with Azure Active Directory via OpenID Connect\" \/>\n<meta property=\"og:description\" content=\"In this blog entry, we demonstrate how to effectively secure an Open Liberty\u00a0application using OpenID 
Connect and\u00a0Azure Active Directory.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Open Source Blog\" \/>\n<meta property=\"article:published_time\" content=\"2020-08-10T16:00:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-24T17:53:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2020\/08\/convergence_scenarios_webapp_webapi.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1100\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Reza Rahman\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2020\/08\/convergence_scenarios_webapp_webapi.png\" \/>\n<meta name=\"twitter:creator\" content=\"@OpenAtMicrosoft\" \/>\n<meta name=\"twitter:site\" content=\"@OpenAtMicrosoft\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Reza Rahman\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 min read\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/\"},\"author\":[{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/author\/reza-rahman\/\",\"@type\":\"Person\",\"@name\":\"Reza Rahman\"}],\"headline\":\"Securing Open Liberty applications with Azure Active Directory via OpenID Connect\",\"datePublished\":\"2020-08-10T16:00:37+00:00\",\"dateModified\":\"2025-06-24T17:53:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/\"},\"wordCount\":1212,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/CLO20b_Jayesh_office_001.webp\",\"keywords\":[\"Community\/partners\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-application
s-azure-active-directory-openid-connect\/\",\"name\":\"Securing Open Liberty applications with Azure Active Directory via OpenID Connect\",\"isPartOf\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/CLO20b_Jayesh_office_001.webp\",\"datePublished\":\"2020-08-10T16:00:37+00:00\",\"dateModified\":\"2025-06-24T17:53:45+00:00\",\"description\":\"In this blog entry, we demonstrate how to effectively secure an Open Liberty\u00a0application using OpenID Connect and\u00a0Azure Active Directory.\",\"breadcrumb\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/#primaryimage\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/CLO20b_Jayesh_office_001.webp\",\"contentUrl\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2024\/06\/CLO20b_Jayesh_office_001.webp\",\"width\":1170,\"height\":640},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/2020\/08\/10\/securing-open-liberty-applications-azure-active-directory-openid-connect\/#breadc
rumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/opensource.microsoft.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Securing Open Liberty applications with Azure Active Directory via OpenID Connect\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#website\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/\",\"name\":\"Microsoft Open Source Blog\",\"description\":\"Open dialogue about openness at Microsoft \u2013 open source, standards, interoperability\",\"publisher\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/opensource.microsoft.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#organization\",\"name\":\"Microsoft Open Source Blog\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png\",\"contentUrl\":\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png\",\"width\":259,\"height\":194,\"caption\":\"Microsoft Open Source Blog\"},\"image\":{\"@id\":\"https:\/\/opensource.microsoft.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/OpenAtMicrosoft\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","msxcm_display_generated_audio":false,"msxcm_animated_featured_image":null,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Open Source 
Blog","distributor_original_site_url":"https:\/\/opensource.microsoft.com\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/81936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/users\/5562"}],"replies":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/comments?post=81936"}],"version-history":[{"count":1,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/81936\/revisions"}],"predecessor-version":[{"id":97648,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/posts\/81936\/revisions\/97648"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/media\/95468"}],"wp:attachment":[{"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/media?parent=81936"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/post_tag?post=81936"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/content-type?post=81936"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/topic?post=81936"},{"taxonomy":"programming-languages","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/programming-languages?post=81936"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/opensource.microsoft.com\/blog\/wp-json\/wp\/v2\/coauthors?post=81936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}