...
Configuration File: |
---|---
Property: |
Example Value: |
Informational Note: | This option restricts self-registration to email addresses ending in one of the listed domain values. An example value naming "@mit.edu" and ".ac.uk" would limit self-registration to individuals with "@mit.edu" email addresses and to any ".ac.uk" email address. The check is a suffix match, so the leading "@" (that exact domain only) or "." (any subdomain of that domain) matters: a bare "mit.edu" would also accept addresses such as user@notmit.edu. |
Property: |
Example Value: |
Informational Note: | This option automatically adds every password-authenticated user session to a specific DSpace Group (the group must already exist in DSpace) for the remainder of the logged-in session. |
Property: |
Example Value: |
Informational Note: | This option specifies the hashing algorithm used to convert plain-text passwords into password digests. The example value is the default. You may select any digest algorithm available through java.security.MessageDigest on your system; at least MD2, MD5, SHA-1, SHA-256, SHA-384 and SHA-512 should be available, and others may be installed. Most sites will not need to adjust this. If you do change it, do not choose MD2, MD5 or SHA-1: they are deprecated and cryptographically weak, and a shorter, faster digest makes offline guessing of stored passwords cheaper. |
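As an added example (not DSpace's own code), the following Python models the domain check described in the note above as a case-insensitive suffix match on the email address, assuming the property value is a comma-separated list of suffixes. It shows why the leading "@" or "." in each entry matters; the sample addresses are constructed.

```python
# Added example, not DSpace's own code: models the "valid domain" check as a
# case-insensitive suffix match, which is how the note describes it.
# Assumption: the property value is a comma-separated list of suffixes.

def parse_valid_domains(value):
    """Split the comma-separated property value into lower-cased suffixes."""
    return [d.strip().lower() for d in value.split(",") if d.strip()]

def self_registration_allowed(email, valid_domains):
    """True if the address ends with any configured suffix (case-insensitive).
    An empty list means no restriction, as when the option is left unset."""
    if not valid_domains:
        return True
    addr = email.strip().lower()
    return any(addr.endswith(suffix) for suffix in valid_domains)

def audit(value, emails):
    """Evaluate a candidate property value against a list of addresses."""
    domains = parse_valid_domains(value)
    return {e: self_registration_allowed(e, domains) for e in emails}

# Constructed test addresses.
SAMPLE = [
    "alice@mit.edu",        # exact domain: matched by "@mit.edu"
    "bob@cs.mit.edu",       # subdomain: rejected by "@mit.edu", matched by ".mit.edu"
    "carol@ox.ac.uk",       # any .ac.uk subdomain
    "Dave@MIT.EDU",         # case differences are ignored
    "mallory@notmit.edu",   # only slips through a bare "mit.edu" entry
]

if __name__ == "__main__":
    for value in ("@mit.edu, .ac.uk", "mit.edu", ".mit.edu"):
        print(repr(value), audit(value, SAMPLE))
```

Note that "@mit.edu" and ".mit.edu" are disjoint: the first admits only the bare domain, the second only its subdomains, so list both if you want both. A bare "mit.edu" admits anything that happens to end in those letters, including unrelated domains.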
OpenID Connect (OIDC) Authentication
Enabling OIDC Authentication
To enable OIDC authentication, you must ensure the org.dspace.authenticate.OidcAuthentication class is listed as one of the AuthenticationMethods in the following configuration:
Configuration File: | |
---|---|---
Property: | |
Example Value: | (NOTE: This setting may be repeated to support multiple AuthenticationMethods) (WARNING: it's easy to miss, the "camel case" for |
Configuring OIDC Authentication
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. There are many server implementations of OpenID Connect, including Keycloak and AWS Cognito.
Configuration File: |
---|---
Property: |
Example Value: |
Informational Note: | The domain of the OpenID Connect server. |
Property: | authentication-oidc.token-endpoint |
Example Value: | authentication-oidc.token-endpoint = https://auth.example.com/auth/realms/example_realm/protocol/openid-connect/token |
Informational Note: | The URL of the OIDC token endpoint. |
Property: | authentication-oidc.authorize-endpoint |
Example Value: | authentication-oidc.authorize-endpoint = https://auth.example.com/auth/realms/example_realm/protocol/openid-connect/auth |
Informational Note: | The URL of the OIDC authorize endpoint. |
Property: | authentication-oidc.user-info-endpoint |
Example Value: | authentication-oidc.user-info-endpoint = https://auth.example.com/auth/realms/example_realm/protocol/openid-connect/userinfo |
Informational Note: | The URL of the OIDC userinfo endpoint. |
Property: | authentication-oidc.client-id |
Example Value: | authentication-oidc.client-id = our-dspace |
Informational Note: | The client id registered at the OIDC server for this DSpace server's use. |
Property: | authentication-oidc.client-secret |
Example Value: | authentication-oidc.client-secret = some-sort-of-hash |
Informational Note: | The client secret registered at the OIDC server for this DSpace server's use. It is a credential: restrict read access on the configuration file to the account DSpace runs as, and keep it out of version control. |
Property: | authentication-oidc.redirect-url |
Example Value: | authentication-oidc.redirect-url = ${dspace.server.url}/api/authn/oid |
Informational Note: | The URL users are redirected to after a successful login, i.e. the redirect URI to which the OIDC server returns the authorization code. It must match the redirect URI registered for the client at the OIDC server. The example is probably the correct setting. |
Property: | authentication-oidc.scopes |
Example Value: | authentication-oidc.scopes = openid,email,profile |
Informational Note: | The scopes to request from the OIDC server. openid is required for an OpenID Connect login; email and profile supply the claims that the user-info.* properties below map. The example is probably the correct setting. |
Property: | authentication-oidc.can-self-register |
Example Value: | authentication-oidc.can-self-register = false |
Informational Note: | Specify whether a user can self-register using OIDC (true|false). If not specified, true is assumed, so every account the OIDC server will authenticate can create a DSpace account (EPerson) on first login; set it to false to restrict OIDC login to accounts that already exist. |
Property: | authentication-oidc.user-info.email |
Example Value: | authentication-oidc.user-info.email = email |
Informational Note: | The attribute in the userinfo JSON that holds the user's email address. The example is probably the correct setting. |
Property: | authentication-oidc.user-info.first-name |
Example Value: | authentication-oidc.user-info.first-name = given_name |
Informational Note: | The attribute in the userinfo JSON that holds the user's first/given name. |
Property: | authentication-oidc.user-info.last-name |
Example Value: | authentication-oidc.user-info.last-name = family_name |
Informational Note: | The attribute in the userinfo JSON that holds the user's last/family name. |
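As an added example that is not part of the original page or of DSpace's own OidcAuthentication code, the following Python walks through the authorization-code login that the properties above drive: redirect to the authorize endpoint, code exchange at the token endpoint with the client secret, userinfo lookup, and the attribute mapping and self-registration decision. It runs offline against a constructed in-memory stand-in for the OIDC server. The assumptions are labelled in the code: dspace.server.url is taken to be https://dspace.example.org/server, the provider, its client registration, the user's claims and the account table are made up, and a login is matched to an existing DSpace account by the mapped email attribute.

```python
# Added example, not DSpace's own OidcAuthentication code: walks through the
# authorization-code login that the properties above configure, against a
# constructed in-memory stand-in for the OIDC server, so it runs offline.
# Assumed: dspace.server.url is https://dspace.example.org/server; the provider,
# its client registration, the user's claims and the EPerson table are made up;
# a login is matched to an existing EPerson by the mapped email attribute.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

BASE = "https://auth.example.com/auth/realms/example_realm/protocol/openid-connect"
CONFIG = {  # values taken from the example configuration above
    "authorize-endpoint": BASE + "/auth", "token-endpoint": BASE + "/token",
    "user-info-endpoint": BASE + "/userinfo",
    "client-id": "our-dspace", "client-secret": "some-sort-of-hash",
    "redirect-url": "https://dspace.example.org/server/api/authn/oid",
    "scopes": "openid,email,profile", "can-self-register": False,
    "user-info.email": "email", "user-info.first-name": "given_name",
    "user-info.last-name": "family_name",
}

class FakeProvider:
    """Constructed OIDC server with one registered client and one user."""
    def __init__(self, client_id, client_secret, registered_redirect, claims):
        self.client = (client_id, client_secret)
        self.registered_redirect = registered_redirect
        self.claims = claims   # what the userinfo endpoint will return
        self.codes = {}        # authorization code -> redirect_uri it was bound to
        self.tokens = set()

    def authorize(self, params):
        """Authorize endpoint: returns the URL the browser is sent back to."""
        if params["client_id"] != self.client[0] or params["redirect_uri"] != self.registered_redirect:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = params["redirect_uri"]
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """Token endpoint: redeems a single-use code for an access token."""
        if (form["client_id"], form["client_secret"]) != self.client:
            raise PermissionError("client authentication failed")
        if self.codes.pop(form["code"], None) != form["redirect_uri"]:
            raise PermissionError("unknown, reused or mis-bound code")
        access = secrets.token_urlsafe(16)
        self.tokens.add(access)
        return {"access_token": access, "token_type": "Bearer"}

    def userinfo(self, access_token):
        if access_token not in self.tokens:
            raise PermissionError("invalid access token")
        return dict(self.claims)

def build_authorize_url(cfg, state):
    """Step 1: where DSpace sends the browser; scopes are space-separated on the wire."""
    return cfg["authorize-endpoint"] + "?" + urlencode({
        "response_type": "code", "client_id": cfg["client-id"],
        "redirect_uri": cfg["redirect-url"], "state": state,
        "scope": " ".join(cfg["scopes"].split(","))})

def map_userinfo(cfg, claims):
    """Step 3: pick the attributes named by the user-info.* properties."""
    email = claims.get(cfg["user-info.email"])
    if not email:
        raise ValueError("userinfo has no %r claim; cannot identify the user" % cfg["user-info.email"])
    return {"email": email.lower(), "first_name": claims.get(cfg["user-info.first-name"], ""),
            "last_name": claims.get(cfg["user-info.last-name"], "")}

def complete_login(cfg, provider, epersons, expected_state, callback_url):
    """Steps 2 and 3: handle the browser's return to redirect-url."""
    qs = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if qs.get("state") != expected_state:
        raise PermissionError("state mismatch: response is not from this login attempt")
    token = provider.token({"grant_type": "authorization_code", "code": qs["code"],
                            "redirect_uri": cfg["redirect-url"],
                            "client_id": cfg["client-id"], "client_secret": cfg["client-secret"]})
    user = map_userinfo(cfg, provider.userinfo(token["access_token"]))
    if user["email"] in epersons:
        return "existing", epersons[user["email"]]
    if not cfg["can-self-register"]:
        raise PermissionError("no EPerson for %s and can-self-register is false" % user["email"])
    epersons[user["email"]] = user   # self-registration creates the EPerson
    return "registered", user

def run_login(cfg, epersons, claims, tamper_state=False):
    """Drive one complete login and report the outcome as a string."""
    provider = FakeProvider(cfg["client-id"], cfg["client-secret"], cfg["redirect-url"], claims)
    state = secrets.token_urlsafe(8)
    browser = {k: v[0] for k, v in parse_qs(urlparse(build_authorize_url(cfg, state)).query).items()}
    callback = provider.authorize(browser)   # the user authenticates at the IdP here
    try:
        return complete_login(cfg, provider, epersons, "wrong" if tamper_state else state, callback)[0]
    except PermissionError as exc:
        return "rejected: " + str(exc)

JANE = {"sub": "7f3a", "email": "Jane.Doe@example.org", "given_name": "Jane", "family_name": "Doe"}  # constructed

if __name__ == "__main__":
    print(run_login(CONFIG, {"jane.doe@example.org": {}}, JANE))         # existing
    print(run_login(CONFIG, {}, JANE))                                    # rejected: no EPerson ...
    print(run_login({**CONFIG, "can-self-register": True}, {}, JANE))     # registered
    print(run_login(CONFIG, {}, JANE, tamper_state=True))                 # rejected: state mismatch ...
```

Two checks in this walk-through are what the settings above protect: the provider only issues and redeems a code for the redirect URI registered for the client id (so redirect-url must match that registration exactly), and the token exchange fails without the client secret. The state check on the callback is the client side's own defence against a response injected from a different login attempt, and the self-registration branch shows the difference between the default (true) and the example value (false).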
...