The OpenID Connect (or OIDC) standard support is closely related to our OAuth Login Options, as it has been based on the OAuth 2.0 standard. Quick summary: OIDC is using OAuth 2.0, but adds a standardized way how authentication is done, while this is up to providers when using OAuth 2.0 for authentication.
Being a standard, you can easily enable the use of any OpenID connect compliant provider out there for login into your Dataverse installation.
Some prominent provider examples:
You can also either host an OpenID Connect identity management on your own or use a customizable hosted service:
Just like with OAuth Login Options you need to obtain a Client ID and a Client Secret from your provider(s).
Note
Dataverse does not support OpenID Connect Dynamic Registration. You need to apply for credentials out-of-band.
Dataverse will discover all necessary metadata for a given provider on its own (this is part of the standard).
To enable this, you need to specify an Issuer URL when creating the configuration for your provider (see below).
Finding the issuer URL is best done by searching for terms like “discovery” in the documentation of your provider.
The discovery document is always located at <issuer url>/.well-known/openid-configuration
(standardized).
To be sure, you can always lookup the issuer
value inside the live JSON-based discovery document.
Please create a file like this, replacing every <...>
with your values:
{
"id":"<a unique id>",
"factoryAlias":"oidc",
"title":"<a title - shown in UI>",
"subtitle":"<a subtitle - currently unused in UI>",
"factoryData":"type: oidc | issuer: <issuer url> | clientId: <client id> | clientSecret: <client secret>",
"enabled":true
}
Now load the configuration into Dataverse using the same API as with OAuth Login Options:
curl -X POST -H 'Content-type: application/json' --upload-file my-oidc-provider.json http://localhost:8080/api/admin/authenticationProviders
Dataverse will automatically try to load the provider and retrieve the metadata. Watch the Glassfish log for errors. You should see the new provider under “Other options” on the Log In page, as described in the Account Creation + Management section of the User Guide.
By default, the Log In page will show the “builtin” provider, but you can adjust this via the :DefaultAuthProvider
configuration option. For details, see Configuration.
Hint
In contrast to our OAuth Login Options, you can use multiple providers by creating distinct configurations enabled by the same technology and without modifying the Dataverse code base (standards for the win!).