Requested changes
- Add sane fall-back defaults for OIDC, where possible. - Improve error logging for missing properties - Include authentication-oidc.cfg in dspace.cfg - Add configuration examples for OIDC to local.cfg-EXAMPLE - Improve authentication-oidc.cfg with sane defaults and more comments
@@ -16,8 +16,11 @@ import static org.apache.commons.lang3.StringUtils.isBlank;
import java.io.UnsupportedEncodingException;
import java.sql.SQLException;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -147,11 +150,26 @@ public class OidcAuthenticationBean implements AuthenticationMethod {
String redirectUri = configurationService.getProperty("authentication-oidc.redirect-url");
String tokenUrl = configurationService.getProperty("authentication-oidc.token-endpoint");
String userInfoUrl = configurationService.getProperty("authentication-oidc.user-info-endpoint");
String scopes = String.join(" ", configurationService.getArrayProperty("authentication-oidc.scopes"));
String email = getEmailAttribute();
String[] defaultScopes =
new String[] {
"openid", "email", "profile"
};
String scopes = String.join(" ", configurationService.getArrayProperty("authentication-oidc.scopes", defaultScopes));
if (isAnyBlank(authorizeUrl, clientId, redirectUri, scopes, clientSecret, tokenUrl, userInfoUrl, email)) {
if (isAnyBlank(authorizeUrl, clientId, redirectUri, clientSecret, tokenUrl, userInfoUrl)) {
LOGGER.error("Missing mandatory configuration properties for OidcAuthenticationBean");
// prepare a Map of the properties which can not have sane defaults, but are still required
final Map<String, String> map = Map.of("authorizeUrl", authorizeUrl, "clientId", clientId, "redirectUri", redirectUri, "clientSecret", clientSecret, "tokenUrl", tokenUrl, "userInfoUrl", userInfoUrl);
final Iterator<Entry<String, String>> iterator = map.entrySet().iterator();
while (iterator.hasNext()) {
final Entry<String, String> entry = iterator.next();
if (isBlank(entry.getValue())) {
LOGGER.error(" * {} is missing", entry.getKey());
}
}
return "";
}
@@ -232,15 +250,15 @@ public class OidcAuthenticationBean implements AuthenticationMethod {
}
private String getEmailAttribute() {
return configurationService.getProperty("authentication-oidc.user-info.email");
return configurationService.getProperty("authentication-oidc.user-info.email", "email");
}
private String getFirstNameAttribute() {
return configurationService.getProperty("authentication-oidc.user-info.first-name");
return configurationService.getProperty("authentication-oidc.user-info.first-name", "given_name");
}
private String getLastNameAttribute() {
return configurationService.getProperty("authentication-oidc.user-info.last-name");
return configurationService.getProperty("authentication-oidc.user-info.last-name", "family_name");
}
private boolean canSelfRegister() {
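Review bot: The diagnostic block added in the second hunk throws NullPointerException instead of logging, because `Map.of` rejects null values and an unset property reaches it as null — exactly the case `isAnyBlank` has just detected, given that DSpace's ConfigurationService.getProperty returns null for a missing key. The enclosing method starts before and continues after the hunk, so the exception would escape the authentication method rather than produce the intended per-property list. Replace the Map/Iterator construction with two parallel arrays and a plain loop: `isBlank` is already null-safe, and the reporting order becomes deterministic (Map.of iteration order is unspecified). With that change the `Iterator`, `Map` and `Map.Entry` imports added in the first hunk become unused and should be dropped so Checkstyle stays clean.
```java
LOGGER.error("Missing mandatory configuration properties for OidcAuthenticationBean");
// report each property that has no sane default and is still unset; isBlank() is null-safe
final String[] names = {"authorizeUrl", "clientId", "redirectUri", "clientSecret", "tokenUrl", "userInfoUrl"};
final String[] values = {authorizeUrl, clientId, redirectUri, clientSecret, tokenUrl, userInfoUrl};
for (int i = 0; i < names.length; i++) {
    if (isBlank(values[i])) {
        LOGGER.error(" * {} is missing", names[i]);
    }
}
return "";
```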
@@ -1580,6 +1580,7 @@ include = ${module_dir}/altmetrics.cfg
include = ${module_dir}/authentication.cfg
include = ${module_dir}/authentication-ip.cfg
include = ${module_dir}/authentication-ldap.cfg
include = ${module_dir}/authentication-oidc.cfg
include = ${module_dir}/authentication-password.cfg
include = ${module_dir}/authentication-shibboleth.cfg
include = ${module_dir}/authentication-x509.cfg
@@ -190,6 +190,9 @@ db.schema = public
# LDAP authentication/authorization. See authentication-ldap.cfg for default configuration.
#plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.LDAPAuthentication
# OIDC authentication/authorization. See authenication-oidc.cfg for default configuration.
#plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.OIDCAuthentication
# Shibboleth authentication/authorization. See authentication-shibboleth.cfg for default configuration.
# Check also the cors settings below
#plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.ShibAuthentication
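Review bot: The new OIDC comment points admins at `authenication-oidc.cfg`, a typo for `authentication-oidc.cfg`, which is the file name this same commit adds to the include list in dspace.cfg; anyone searching for the referenced file will not find it. Change the line to `# OIDC authentication/authorization. See authentication-oidc.cfg for default configuration.`.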
@@ -5,17 +5,20 @@
# Authentication plugin, when it is enabled. #
#---------------------------------------------------------------#
# The domain of the OpenID Connect server
authentication-oidc.auth-server-domain =
# The Realm on the OIDC server we should use for authentication
authentication-oidc.auth-server-realm =
# The Base URL of all OIDC server endpoints
authentication-oidc.auth-server-url =
# The URL of the Token endpoint
authentication-oidc.token-endpoint =
authentication-oidc.token-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/token
# The URL of the Authorize endpoint
authentication-oidc.authorize-endpoint =
authentication-oidc.authorize-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/auth
# The URL of the Introspect endpoint
authentication-oidc.user-info-endpoint =
authentication-oidc.user-info-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/userinfo
# The registered client id
authentication-oidc.client-id =
@@ -27,16 +30,19 @@ authentication-oidc.client-secret =
authentication-oidc.redirect-url = ${dspace.server.url}/api/authn/oidc
# The scopes to request
authentication-oidc.scopes =
authentication-oidc.scopes = openid,email,profile
#Specify if the user can self register using OIDC (true|false). If not specified, true is assumed
authentication-oidc.can-self-register =
# Specify if the user can self register using OIDC (true|false). If not specified, true is assumed
# This should match the configuration of the OIDC server you are using. The default setting for
# Keycloak is true. Do set it to false if your OIDC server disallows self-registration. Otherwise,
# leave this set to true.
authentication-oidc.can-self-register = true
#Specify the attribute present in the user info json related to the user's email
authentication-oidc.user-info.email =
authentication-oidc.user-info.email = email
#Specify the attribute present in the user info json related to the user's first name
authentication-oidc.user-info.first-name =
authentication-oidc.user-info.first-name = given_name
#Specify the attribute present in the user info json related to the user's last name
authentication-oidc.user-info.last-name =
authentication-oidc.user-info.last-name = family_name
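Review bot: The new comment on `authentication-oidc.can-self-register` in the second hunk tells admins to "leave this set to true" and ties the decision to whether the OIDC server allows self-registration, but on the DSpace side this flag (presumably what `canSelfRegister()` in OidcAuthenticationBean reads) governs whether an authenticated OIDC user with no existing account gets one created automatically, which is a different question. With the default `true`, and `user-info.email` now defaulting to the `email` claim, every identity the IdP will assert becomes a repository account, so the comment should spell out the trust assumption instead of recommending the default: an IdP that lets users enter an unverified email address, or that federates to other identity providers, should not be granted this. Suggested wording: `# true: DSpace creates an EPerson for any OIDC-authenticated user that has no account yet. Enable this only if you trust the OIDC server to assert verified identities (in particular the email attribute configured below).` Separately, the `user-info-endpoint` comment in the first hunk still reads "The URL of the Introspect endpoint" while the default value points at `/userinfo`; UserInfo and token introspection are different endpoints with different access rules, so it should read `# The URL of the UserInfo endpoint`.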