Page History
...
Configuration File: |
|
---|---|
Property: |
|
Example Value: |
|
Informational Note: | This option allows you to limit self-registration to email addresses ending in a particular domain value. The above example would limit self-registration to individuals with "@mit.edu" email addresses and all ".ac.uk" email addresses. |
Property: |
|
Example Value: |
|
Informational Note: | This option allows you to automatically add all password authenticated user sessions to a specific DSpace Group (the group must exist in DSpace) for the remainder of their logged in session. |
Property: |
|
Example Value: |
|
Informational Note: | This option specifies the hashing algorithm to be used in converting plain-text passwords to more secure password digests. The example value is the default. You may select any digest algorithm available through java.security.MessageDigest on your system. At least MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 should be available, but you may have installed others. Most sites will not need to adjust this. |
Property: |
|
Example Value: |
|
Informational Note: | This option specifies a regular expression which all new passwords MUST validate against. By default, DSpace just requires a new password to be 8 or more characters (see above example value). However, sites can modify this regex in order to require more robust passwords of all users. One example of a complex rule is:
This example requires all users to adopt a more complex password:
|
Open ID Connect (OIDC) Authentication
...
To enable OIDC Authentication, you must ensure the org.dspace.authenticate.OidcAuthentication
class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: |
| |
---|---|---|
Property: |
| |
Example Value: |
(NOTE: This setting may be repeated to support multiple AuthenticationMethods) (WARNING: it's easy to miss, the "camel case" for |
Configuring OIDC Authentication
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. There are many server implementations of OpenID Connect, including Keycloak and AWS Cognito.
Configuration File: |
|
---|---|
Property: |
|
Example Value: |
|
Informational Note: | (Optional) The root URL of the OpenID Connect server. This is optional, as it's only used to fill out each of the "-endpoint" configs below (see below). |
Property: | authentication-oidc.auth-server-realm |
Example Value: | authentication-oidc.auth-server-realm = dspace-realm |
Informational Note: | (Optional) The realm to authenticate against on the OpenID Connect server. This is optional, as it's only used to fill out each of the "-endpoint" configs below (see below). So, for some setups, it may be easier to configure the "-endpoint" configs directly INSTEAD OF the "auth-server-url" and "auth-server-realm" |
Property: | authentication-oidc.token-endpoint |
Example Value: | authentication-oidc.token-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/token |
Informational Note: | (Required) The URL of the OIDC Token endpoint. This defaults to using the configured "auth-server-url" and "auth-server-realm" to determine the likely OIDC path for this endpoint (see example above for the default value). However, if that default path is incorrect, you may choose to hardcode the correct URL in this field. |
Property: | authentication-oidc.authorize-endpoint |
Example Value: | authentication-oidc.authorize-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/auth |
Informational Note: | (Required) The URL of the OIDC Authorize endpoint. This defaults to using the configured "auth-server-url" and "auth-server-realm" to determine the likely OIDC path for this endpoint (see example above for the default value). However, if that default path is incorrect, you may choose to hardcode the correct URL in this field. |
Property: | authentication-oidc.user-info-endpoint |
Example Value: | authentication-oidc.user-info-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/userinfo |
Informational Note: | (Required) The URL of the OIDC Userinfo endpoint. This defaults to using the configured "auth-server-url" and "auth-server-realm" to determine the likely OIDC path for this endpoint (see example above for the default value). However, if that default path is incorrect, you may choose to hardcode the correct URL in this field. |
Property: | authentication-oidc.client-id |
Example Value: | authentication-oidc.client-id = our-dspace |
Informational Note: | (Required) The registered OIDC client id for our DSpace server's use. No default value. |
Property: | authentication-oidc.client-secret |
Example Value: | authentication-oidc.client-secret = some-sort-of-hash |
Informational Note: | (Required) The registered OIDC client secret for our DSpace server's use. No default value. |
Property: | authentication-oidc.redirect-url |
Example Value: | authentication-oidc.redirect-url = ${dspace.server.url}/api/authn/oid |
Informational Note: | The URL users will be redirected to after a successful login. The example above is the default value, and it usually does not need to be updated. |
Property: | authentication-oidc.scopes |
Example Value: | authentication-oidc.scopes = openid,email,profile |
Informational Note: | The scopes to request from the OIDC server. The example above is the default value |
Property: | authentication-oidc.can-self-register |
Example Value: | authentication-oidc.can-self-register = true |
Informational Note: | Specify if the user can self register using OIDC (true|false). If not specified, true is assumed. If this is set to false, then only users with an existing EPerson in DSpace will be able to authenticate through OIDC. When set to true, an EPerson will be automatically created for each person who successfully authenticates through OIDC. |
Property: | authentication-oidc.user-info.email |
Example Value: | authentication-oidc.user-info.email = email |
Informational Note: | Specify the attribute present in the user info json related to the user's email. The default value is "email" |
Property: | authentication-oidc.user-info.first-name |
Example Value: | authentication-oidc.user-info.first-name = given_name |
Informational Note: | Specify the attribute present in the user info json related to the user's first/given name. The default value is "given_name" |
Property: | authentication-oidc.user-info.last-name |
Example Value: | authentication-oidc.user-info.last-name = family_name |
Informational Note: | Specify the attribute present in the user info json related to the user's last/family name. The default value is "family_name" |
Sample/Test OIDC Configuration
...