Versions Compared

Old Version 7

changes.mady.by.user Mirko Grothe

Saved on

compared with

New Version 8

changes.mady.by.user Hardy Pottinger

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Add OIDC authentication docs

...

Configuration File:

[dspace]/config/modules/authentication-password.cfg

Property:

authentication-password.domain.valid

Example Value:

authentication-password.domain.value = @mit.edu, .ac.uk

Informational Note:

This option allows you to limit self-registration to email addresses ending in a particular domain value. The above example would limit self-registration to individuals with "@mit.edu" email addresses and all ".ac.uk" email addresses.

Property:

authentication-password.login.specialgroup

Example Value:

authentication-password.login.specialgroup = My DSpace Group

Informational Note:

This option allows you to automatically add all password authenticated user sessions to a specific DSpace Group (the group must exist in DSpace) for the remainder of their logged in session.

Property:

authentication-password.digestAlgorithm

Example Value:

authentication-password.digestAlgorithm = SHA-512

Informational Note:

This option specifies the hashing algorithm to be used in converting plain-text passwords to more secure password digests. The example value is the default. You may select any digest algorithm available through java.security.MessageDigest on your system. At least MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 should be available, but you may have installed others. Most sites will not need to adjust this.

Open ID Connect (OIDC) Authentication

Enabling OIDC Authentication

To enable OIDC Authentication, you must ensure the org.dspace.authenticate.OidcAuthentication class is listed as one of the AuthenticationMethods in the following configuration:

Configuration File:

[dspace]/config/modules/authentication.cfg

Property:

plugin.sequence.org.dspace.authenticate.AuthenticationMethod

Example Value:


plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.OidcAuthentication

(NOTE: This setting may be repeated to support multiple AuthenticationMethods)

Configuring OIDC Authentication

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. There are many server implementations of OpenID Connect, including Keycloak and AWS Cognito.

Configuration File:

[dspace]/config/modules/authentication-oidc.cfg

Property:

authentication-oidc.auth-server-domain

Example Value:

authentication-oidc.auth-server-domain = auth.example.com

Informational Note:

The domain of the OpenID Connect server.

Property:authentication-oidc.token-endpoint
Example Value:authentication-oidc.token-endpoint = https://auth.example.com/auth/realms/example_realm/protocol/openid-connect/token
Informational Note:The URL of the OIDC Token endpoint
Property:authentication-oidc.authorize-endpoint
Example Value:authentication-oidc.authorize-endpoint = https://auth.example.com/auth/realms/example_realm/protocol/openid-connect/auth
Informational Note:The URL of the OIDC Authorize endpoint
Property:authentication-oidc.user-info-endpoint
Example Value:authentication-oidc.user-info-endpoint = https://auth.example.com/auth/realms/example_realm/protocol/openid-connect/userinfo
Informational Note:The URL of the OIDC Userinfo endpoint
Property:authentication-oidc.client-id
Example Value:authentication-oidc.client-id = our-dspace
Informational Note:The registered OIDC client id for our DSpace server's use
Property:authentication-oidc.client-secret
Example Value:authentication-oidc.client-secret = some-sort-of-hash
Informational Note:The registered OIDC client secret for our DSpace server's use
Property:authentication-oidc.redirect-url
Example Value:authentication-oidc.redirect-url = ${dspace.server.url}/api/authn/oid
Informational Note:The URL users will be redirected to after a successful login. The example is probably the correct setting.
Property:authentication-oidc.scopes
Example Value:authentication-oidc.scopes = openid,email,profile
Informational Note:The scopes to request from the OIDC server. The example is probably the correct setting.
Property:authentication-oidc.can-self-register
Example Value:authentication-oidc.can-self-register = false
Informational Note:Specify if the user can self register using OIDC (true|false). If not specified, true is assumed.
Property:authentication-oidc.user-info.email
Example Value:authentication-oidc.user-info.email = email
Informational Note:Specify the attribute present in the user info json related to the user's email. The example is probably the correct setting.
Property:authentication-oidc.user-info.first-name
Example Value:authentication-oidc.user-info.first-name = given_name
Informational Note:Specify the attribute present in the user info json related to the user's first/given name
Property:authentication-oidc.user-info.last-name
Example Value:authentication-oidc.user-info.last-name = family_name
Informational Note:Specify the attribute present in the user info json related to the user's last/family name

Shibboleth Authentication

...