OpenID Connect Login Options

Introduction

The OpenID Connect (or OIDC) standard support is closely related to our OAuth Login Options, as it has been based on the OAuth 2.0 standard. Quick summary: OIDC is using OAuth 2.0, but adds a standardized way how authentication is done, while this is up to providers when using OAuth 2.0 for authentication.

Being a standard, you can easily enable the use of any OpenID connect compliant provider out there for login into your Dataverse installation.

Some prominent provider examples:

You can also either host an OpenID Connect identity management on your own or use a customizable hosted service:

  • Okta is a hosted solution
  • Keycloak is an open source solution for an IDM/IAM
  • Unity IDM is another open source IDM/IAM solution

Other use cases and combinations

  • Using your custom identity management solution might be a workaround when you seek for LDAP support, but don’t want to go for services like Microsoft Azure AD et al.
  • You want to enable users to login in multiple different ways but appear as one account to Dataverse. This is currently not possible within Dataverse itself, but hosting an IDM and attaching Dataverse solves it.
  • You want to use the eduGain Federation or other well known SAML federations, but don’t want to deploy Shibboleth as your service provider. Using an IDM solution in front easily allows you to use them without hassle.
  • There’s also a Shibboleth IdP (not SP!) extension, so if you already have a Shibboleth identity provider at your institution, you can reuse it more easily with Dataverse.
  • In the future, OpenID Connect might become a successor to the large scale R&E SAML federations we have nowadays. See also OpenID Connect Federation Standard (in development)

How to use

Just like with OAuth Login Options you need to obtain a Client ID and a Client Secret from your provider(s).

Note

Dataverse does not support OpenID Connect Dynamic Registration. You need to apply for credentials out-of-band.

Dataverse will discover all necessary metadata for a given provider on its own (this is part of the standard).

To enable this, you need to specify an Issuer URL when creating the configuration for your provider (see below).

Finding the issuer URL is best done by searching for terms like “discovery” in the documentation of your provider. The discovery document is always located at <issuer url>/.well-known/openid-configuration (standardized). To be sure, you can always lookup the issuer value inside the live JSON-based discovery document.

Please create a file like this, replacing every <...> with your values:

my-oidc-provider.json
{
  "id":"<a unique id>",
  "factoryAlias":"oidc",
  "title":"<a title - shown in UI>",
  "subtitle":"<a subtitle - currently unused in UI>",
  "factoryData":"type: oidc | issuer: <issuer url> | clientId: <client id> | clientSecret: <client secret>",
  "enabled":true
}

Now load the configuration into Dataverse using the same API as with OAuth Login Options:

curl -X POST -H 'Content-type: application/json' --upload-file my-oidc-provider.json http://localhost:8080/api/admin/authenticationProviders

Dataverse will automatically try to load the provider and retrieve the metadata. Watch the Glassfish log for errors. You should see the new provider under “Other options” on the Log In page, as described in the Account Creation + Management section of the User Guide.

By default, the Log In page will show the “builtin” provider, but you can adjust this via the :DefaultAuthProvider configuration option. For details, see Configuration.

Hint

In contrast to our OAuth Login Options, you can use multiple providers by creating distinct configurations enabled by the same technology and without modifying the Dataverse code base (standards for the win!).