OpenID Connect
Description
This is a client library that extends the OAuth2.0 client library with the OpenID Connect protocol, which allows implementing authentication and single sign-on functionality. The OpenID Connect Core 1.0 and OpenID Connect Discovery 1.0 specifications are fully supported, except for section 2 of the Discovery specification (Issuer discovery). It passes all tests of the “Basic Relying Party” conformance profile.
How it works
The OIDC support is implemented as an extension of the OAuth2 framework implementation, so read the documentation for the OAuth2 app first. Only the Authorization Code flow (authentication via a web browser) is supported. The library provides convenience classes and methods for working with the Google and Microsoft providers, each of which has specific extensions to the protocol.
The configuration parameters for a client are generally obtained by reading the provider metadata from its well-known URL using the <SstOIDCProviderMetadata> class; see that class's instance creation methods for details. Once the credentials are obtained, the OpenID Connect client receives, in addition to an access token, a JWT (the ID token, as per the OpenID Connect specification) which can be verified and validated on reception.
Code flow
The following code snippet illustrates how to use the library with the Authorization Code flow.
Note that the redirection of the user to the authorization server in this example uses a method available in the examples, which can be loaded from the config map "VA: Server Smalltalk (SST) - OAuth2/OIDC Examples".
The examples show how to work with both an external web browser and a WebView2 window, in both a Seaside and a desktop UI application.
"Create a grant object and use it to create the url to which the user needs to be redirected to authenticate."
grant := SstOIDCAuthorizationCodeFlow
    newWithClientId: '1234567890'
    providerMetadata: (SstOIDCProviderMetadata fromIssuerUrl: 'https://accounts.google.com' sstAsUrl).
grant
    clientSecret: 'abcdefghij';
    scope: 'openid email'.

"Use the async framework as also demonstrated in the implementation of the desktop application example"
(grant
    startAuthorization: [:authorizeUrl :callback |
        OAuth2AndOIDCDesktopDemoApplication new
            setupHttpListenerAt: 'http://:8888'
            callback: [:request | callback value: ('http://localhost:8888/callback', request header url) sstAsUrl].
        OsProcessStarter startShell: { 'start'. '"OIDC demo authorize"'. '"%1"' bindWith: authorizeUrl asString }]
    withCallbackAt: 'http://localhost:8888/callback' sstAsUrl
    state: 'random sample state')
        then: [:client | httpClientWithOAuth2 := client]
        catch: [:error | self halt].

"Use the client to retrieve the userInfo or retrieve the JWT from the credentials so you can authenticate the user in an SSO scenario."
httpClientWithOAuth2 userInfo.
httpClientWithOAuth2 oauth2Credentials idTokenAsVerifiedSstJwt
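The page says the ID token "can be verified and validated on reception" (and the snippet ends with idTokenAsVerifiedSstJwt) without spelling out what that validation consists of. The following Python block is an added illustration, not SST library code, of the checks OpenID Connect Core 1.0 section 3.1.3.7 requires of a relying party: signature, issuer, audience (and azp when several audiences are present), expiry and nonce. It constructs its own HS256 test token keyed with the client secret, which OIDC allows for confidential clients; the sample client id, secret and issuer are the ones used in the snippet above, while the nonce value, claims and timestamps are constructed. Real Google or Microsoft ID tokens are RS256-signed and the verification key comes from the jwks_uri in the provider metadata, so only the claim checks carry over unchanged.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_id_token(claims: dict, client_secret: str) -> str:
    """Constructed test token (OIDC permits HS256 keyed with the client secret)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, client_secret: str, expected_issuer: str,
                      client_id: str, expected_nonce: str, now: float = None):
    """Return (ok, reason, claims) after the OIDC Core 3.1.3.7 checks.

    Signature is checked before any claim is trusted, and the alg is pinned
    so an attacker-supplied 'none' or a different algorithm is rejected.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None

    expected_sig = hmac.new(client_secret.encode(),
                            f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        return False, "bad signature", None

    claims = json.loads(b64url_decode(payload_b64))

    # iss must exactly match the issuer from the provider metadata.
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch", None
    # aud must contain our client_id; with several audiences azp must be us.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud_list:
        return False, "audience mismatch", None
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        return False, "azp mismatch", None
    # exp is seconds since epoch; reject anything already expired.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired", None
    # nonce ties the token to the authentication request that we sent.
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch", None
    return True, "ok", claims


if __name__ == "__main__":
    # Constructed sample claims using the snippet's client id and issuer.
    sample = {"iss": "https://accounts.google.com", "aud": "1234567890",
              "sub": "user-1", "iat": 1700000000, "exp": 2000000000,
              "nonce": "nonce-constructed-1"}
    tok = make_hs256_id_token(sample, "abcdefghij")
    print(validate_id_token(tok, "abcdefghij", "https://accounts.google.com",
                            "1234567890", "nonce-constructed-1"))
```

The order matters: a claim is only read after the signature has been verified under the algorithm the relying party expects, and the nonce check is what binds the returned token to the request the client initiated (the same reason the state value passed to startAuthorization:withCallbackAt:state: should be unguessable per request).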
Class Methods
None
Instance Methods
None
Last modified date: 01/15/2026