Requested changes

- Add sane fall-back defaults for OIDC, where possible.
- Improve error logging for missing properties
- Include authentication-oidc.cfg in dspace.cfg
- Add configuration examples for OIDC to local.cfg-EXAMPLE
- Improve authentication-oidc.cfg with sane defaults and more comments

dspace-api/src/main/java/org/dspace/authenticate/OidcAuthenticationBean.java

@@ -16,8 +16,11 @@ import static org.apache.commons.lang3.StringUtils.isBlank;
 
 import java.io.UnsupportedEncodingException;
 import java.sql.SQLException;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Map.Entry;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -147,11 +150,26 @@ public class OidcAuthenticationBean implements AuthenticationMethod {
         String redirectUri = configurationService.getProperty("authentication-oidc.redirect-url");
         String tokenUrl = configurationService.getProperty("authentication-oidc.token-endpoint");
         String userInfoUrl = configurationService.getProperty("authentication-oidc.user-info-endpoint");
-        String scopes = String.join(" ", configurationService.getArrayProperty("authentication-oidc.scopes"));
+        String[] defaultScopes =
-        String email = getEmailAttribute();
+            new String[] {
+                "openid", "email", "profile"
+            };
+        String scopes = String.join(" ", configurationService.getArrayProperty("authentication-oidc.scopes", defaultScopes));
 
-        if (isAnyBlank(authorizeUrl, clientId, redirectUri, scopes, clientSecret, tokenUrl, userInfoUrl, email)) {
+        if (isAnyBlank(authorizeUrl, clientId, redirectUri, clientSecret, tokenUrl, userInfoUrl)) {
             LOGGER.error("Missing mandatory configuration properties for OidcAuthenticationBean");
+
+            // prepare a Map of the properties which can not have sane defaults, but are still required
+            final Map<String, String> map = Map.of("authorizeUrl", authorizeUrl, "clientId", clientId, "redirectUri", redirectUri, "clientSecret", clientSecret, "tokenUrl", tokenUrl, "userInfoUrl", userInfoUrl);
+            final Iterator<Entry<String, String>> iterator = map.entrySet().iterator();
+    
+            while (iterator.hasNext()) {
+                final Entry<String, String> entry = iterator.next();
+    
+                if (isBlank(entry.getValue())) {   
+                    LOGGER.error(" * {} is missing", entry.getKey());
+                }
+            }
             return "";
         }
 
@@ -232,15 +250,15 @@ public class OidcAuthenticationBean implements AuthenticationMethod {
     }
 
     private String getEmailAttribute() {
-        return configurationService.getProperty("authentication-oidc.user-info.email");
+        return configurationService.getProperty("authentication-oidc.user-info.email", "email");
     }
 
     private String getFirstNameAttribute() {
-        return configurationService.getProperty("authentication-oidc.user-info.first-name");
+        return configurationService.getProperty("authentication-oidc.user-info.first-name", "given_name");
     }
 
     private String getLastNameAttribute() {
-        return configurationService.getProperty("authentication-oidc.user-info.last-name");
+        return configurationService.getProperty("authentication-oidc.user-info.last-name", "family_name");
     }
 
     private boolean canSelfRegister() {

dspace/config/dspace.cfg

@@ -1580,6 +1580,7 @@ include = ${module_dir}/altmetrics.cfg
 include = ${module_dir}/authentication.cfg
 include = ${module_dir}/authentication-ip.cfg
 include = ${module_dir}/authentication-ldap.cfg
+include = ${module_dir}/authentication-oidc.cfg
 include = ${module_dir}/authentication-password.cfg
 include = ${module_dir}/authentication-shibboleth.cfg
 include = ${module_dir}/authentication-x509.cfg

dspace/config/local.cfg.EXAMPLE

@@ -190,6 +190,9 @@ db.schema = public
 # LDAP authentication/authorization. See authentication-ldap.cfg for default configuration.
 #plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.LDAPAuthentication
 
+# OIDC authentication/authorization. See authenication-oidc.cfg for default configuration.
+#plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.OIDCAuthentication
+
 # Shibboleth authentication/authorization. See authentication-shibboleth.cfg for default configuration.
 # Check also the cors settings below
 #plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.ShibAuthentication

dspace/config/modules/authentication-oidc.cfg

@@ -5,17 +5,20 @@
 #          Authentication plugin, when it is enabled.           #
 #---------------------------------------------------------------#
 
-# The domain of the OpenID Connect server
+# The Realm on the OIDC server we should use for authentication
-authentication-oidc.auth-server-domain =
+authentication-oidc.auth-server-realm =
+
+# The Base URL of all OIDC server endpoints
+authentication-oidc.auth-server-url =
 
 # The URL of the Token endpoint
-authentication-oidc.token-endpoint =
+authentication-oidc.token-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/token
 
 # The URL of the Authorize endpoint
-authentication-oidc.authorize-endpoint =
+authentication-oidc.authorize-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/auth
 
 # The URL of the Introspect endpoint
-authentication-oidc.user-info-endpoint =
+authentication-oidc.user-info-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/userinfo
 
 # The registered client id
 authentication-oidc.client-id =
@@ -27,16 +30,19 @@ authentication-oidc.client-secret =
 authentication-oidc.redirect-url = ${dspace.server.url}/api/authn/oidc
 
 # The scopes to request
-authentication-oidc.scopes = 
+authentication-oidc.scopes = openid,email,profile
 
-#Specify if the user can self register using OIDC (true|false). If not specified, true is assumed
+# Specify if the user can self register using OIDC (true|false). If not specified, true is assumed
-authentication-oidc.can-self-register = 
+# This should match the configuration of the OIDC server you are using. The default setting for
+# Keycloak is true. Do set it to false if your OIDC server disallows self-registration. Otherwise,
+# leave this set to true.
+authentication-oidc.can-self-register = true
 
 #Specify the attribute present in the user info json related to the user's email
-authentication-oidc.user-info.email =
+authentication-oidc.user-info.email = email
 
 #Specify the attribute present in the user info json related to the user's first name
-authentication-oidc.user-info.first-name = 
+authentication-oidc.user-info.first-name = given_name
 
 #Specify the attribute present in the user info json related to the user's last name
-authentication-oidc.user-info.last-name = 
+authentication-oidc.user-info.last-name = family_name