Versions Compared

Old Version 10

changes.mady.by.user Tim Donohue

Saved on

compared with

New Version 11

changes.mady.by.user Tim Donohue

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Update docs on configs

...

tokenendpointtoken-endpoint = https://auth.example.com/auth/realms/example_realm/protocol/openid-connect/token

Configuration File:

[dspace]/config/modules/authentication-oidc.cfg

Property:

authentication-oidc.auth-server-domainurl

Example Value:

authentication-oidc.auth-server-domain url = https://auth.example.com

Informational Note:

(Optional) The domain root URL of the OpenID Connect server.  This is optional, as it's only used to fill out each of the "-endpoint" configs below (see below).
So, for some setups, it may be easier to configure the "-endpoint" configs directly INSTEAD OF the "auth-server-url" and "auth-server-realm"

Property:authentication-oidc.auth-server-realm
Example Value:authentication-oidc.auth-server-realm = dspace-realm
Informational Note:(Optional) The realm to authenticate against on the OpenID Connect server.  This is optional, as it's only used to fill out each of the "-endpoint" configs below (see below).
So, for some setups, it may be easier to configure the "-endpoint" configs directly INSTEAD OF the "auth-server-url" and "auth-server-realm"
Property:authentication-oidc.token-endpoint
Example Value:authentication-oidc.token-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/token
Informational Note:(Required) The URL of the OIDC Token endpoint.  This defaults to using the configured "auth-server-url" and "auth-server-realm" to determine the likely OIDC path for this endpoint (see example above for the default value).  However, if that default path is incorrect, you may choose to hardcode the correct URL in this field. The URL of the OIDC Token endpoint
Property:authentication-oidc.authorize-endpoint
Example Value:authentication-oidc.authorize-endpoint = https://auth.example.com${authentication-oidc.auth-server-url}/auth/realms/example_realm${authentication-oidc.auth-server-realm}/protocol/openid-connect/authauth
Informational Note:(Required) The URL of the OIDC Authorize endpoint. This defaults to using the configured "auth-server-url" and "auth-server-realm" to determine the likely OIDC path for this endpoint (see example above for the default value).  However, if that default path is incorrect, you may choose to hardcode the correct URL in this field. Informational Note:The URL of the OIDC Authorize endpoint
Property:authentication-oidc.user-info-endpoint
Example Value:authentication-oidc.user-info-endpoint = https://auth.example.com${authentication-oidc.auth-server-url}/auth/realms/example_realm${authentication-oidc.auth-server-realm}/protocol/openid-connect/userinfo
Informational Note:The URL of the OIDC Userinfo endpoint(Required)  The URL of the OIDC Userinfo endpoint. This defaults to using the configured "auth-server-url" and "auth-server-realm" to determine the likely OIDC path for this endpoint (see example above for the default value).  However, if that default path is incorrect, you may choose to hardcode the correct URL in this field. 
Property:authentication-oidc.client-id
Example Value:authentication-oidc.client-id = our-dspace
Informational Note:(Required) The registered OIDC client id for our DSpace server's use. No default value.
Property:authentication-oidc.client-secret
Example Value:authentication-oidc.client-secret = some-sort-of-hash
Informational Note:(Required) The registered OIDC client secret for our DSpace server's use. No default value.
Property:authentication-oidc.redirect-url
Example Value:authentication-oidc.redirect-url = ${dspace.server.url}/api/authn/oid
Informational Note:The URL users will be redirected to after a successful login. The example above is probably the correct settingthe default value, and it usually does not need to be updated.
Property:authentication-oidc.scopes
Example Value:authentication-oidc.scopes = openid,email,profile
Informational Note:The scopes to request from the OIDC server. The example above is probably the correct setting.default value
Property:authentication-oidc.can-self-register
Example Value:authentication-oidc.can-self-register = falsetrue
Informational Note:

Specify if the user can self register using OIDC (true|false). If not specified, true is assumed

If this is set to false, then only users with an existing EPerson in DSpace will be able to authenticate through OIDC. When set to true, an EPerson will be automatically created for each person who successfully authenticates through OIDC.

Property:authentication-oidc.user-info.email
Example Value:authentication-oidc.user-info.email = email
Informational Note:Specify the attribute present in the user info json related to the user's email. The example is probably the correct setting.default value is "email"
Property:authentication-oidc.user-info.first-name
Example Value:authentication-oidc.user-info.first-name = given_name
Informational Note:Specify the attribute present in the user info json related to the user's first/given name. The default value is "given_name"
Property:authentication-oidc.user-info.last-name
Example Value:authentication-oidc.user-info.last-name = family_name
Informational Note:Specify the attribute present in the user info json related to the user's last/family name.  The default value is "family_name"

Shibboleth Authentication

...