All Versions
- DSpace 7.x (Current Release)
- DSpace 8.x (Unreleased)
- DSpace 6.x (EOL)
- DSpace 5.x (EOL)
- More Versions...
Page History
...
Configuration File: |
|
|---|---|
Property: |
|
Example Value: |
|
Informational Note: | (Optional) The root URL of the OpenID Connect server. This is optional, as it's only used to fill out each of the "-endpoint" configs below (see below). |
| Property: | authentication-oidc.auth-server-realm |
| Example Value: | authentication-oidc.auth-server-realm = dspace-realm |
| Informational Note: | (Optional) The realm to authenticate against on the OpenID Connect server. This is optional, as it's only used to fill out each of the "-endpoint" configs below (see below). So, for some setups, it may be easier to configure the "-endpoint" configs directly INSTEAD OF the "auth-server-url" and "auth-server-realm" |
| Property: | authentication-oidc.token-endpoint |
| Example Value: | authentication-oidc.token-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/token |
| Informational Note: | (Required) The URL of the OIDC Token endpoint. This defaults to using the configured "auth-server-url" and "auth-server-realm" to determine the likely OIDC path for this endpoint (see example above for the default value). However, if that default path is incorrect, you may choose to hardcode the correct URL in this field. |
| Property: | authentication-oidc.authorize-endpoint |
| Example Value: | authentication-oidc.authorize-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/auth |
| Informational Note: | (Required) The URL of the OIDC Authorize endpoint. This defaults to using the configured "auth-server-url" and "auth-server-realm" to determine the likely OIDC path for this endpoint (see example above for the default value). However, if that default path is incorrect, you may choose to hardcode the correct URL in this field. |
| Property: | authentication-oidc.user-info-endpoint |
| Example Value: | authentication-oidc.user-info-endpoint = ${authentication-oidc.auth-server-url}/auth/realms/${authentication-oidc.auth-server-realm}/protocol/openid-connect/userinfo |
| Informational Note: | (Required) The URL of the OIDC Userinfo endpoint. This defaults to using the configured "auth-server-url" and "auth-server-realm" to determine the likely OIDC path for this endpoint (see example above for the default value). However, if that default path is incorrect, you may choose to hardcode the correct URL in this field. |
| Property: | authentication-oidc.client-id |
| Example Value: | authentication-oidc.client-id = our-dspace |
| Informational Note: | (Required) The registered OIDC client id for our DSpace server's use. No default value. |
| Property: | authentication-oidc.client-secret |
| Example Value: | authentication-oidc.client-secret = some-sort-of-hash |
| Informational Note: | (Required) The registered OIDC client secret for our DSpace server's use. No default value. |
| Property: | authentication-oidc.redirect-url |
| Example Value: | authentication-oidc.redirect-url = ${dspace.server.url}/api/authn/oid |
| Informational Note: | The URL users will be redirected to after a successful login. The example above is the default value, and it usually does not need to be updated. |
| Property: | authentication-oidc.scopes |
| Example Value: | authentication-oidc.scopes = openid,email,profile |
| Informational Note: | The scopes to request from the OIDC server. The example above is the default value |
| Property: | authentication-oidc.can-self-register |
| Example Value: | authentication-oidc.can-self-register = true |
| Informational Note: | Specify if the user can self register using OIDC (true|false). If not specified, true is assumed. If this is set to false, then only users with an existing EPerson in DSpace will be able to authenticate through OIDC. When set to true, an EPerson will be automatically created for each person who successfully authenticates through OIDC. |
| Property: | authentication-oidc.user-info.email |
| Example Value: | authentication-oidc.user-info.email = email |
| Informational Note: | Specify the attribute present in the user info json related to the user's email. The default value is "email" |
| Property: | authentication-oidc.user-info.first-name |
| Example Value: | authentication-oidc.user-info.first-name = given_name |
| Informational Note: | Specify the attribute present in the user info json related to the user's first/given name. The default value is "given_name" |
| Property: | authentication-oidc.user-info.last-name |
| Example Value: | authentication-oidc.user-info.last-name = family_name |
| Informational Note: | Specify the attribute present in the user info json related to the user's last/family name. The default value is "family_name" |
Sample/Test OIDC Configuration
One way to easily test OIDC Authentication is to use the PhantAuth test site at https://www.phantauth.net/. This site allows you to create a random OIDC client & a random OIDC user to authenticate as. So, it can be used to verify that DSpace's OIDC authentication is working in your system, but obviously is only meant for development/testing purposes.
To configure DSpace to use PhantAuth for authentication just requires the following updates to your local.cfg:
| Code Block |
|---|
# Enable OIDC
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.OidcAuthentication
# Settings for OIDC authentication
# Based on instructions at https://www.phantauth.net/doc/integration
authentication-oidc.authorize-endpoint = https://phantauth.net/auth/authorize
authentication-oidc.token-endpoint = https://phantauth.net/auth/token
authentication-oidc.user-info-endpoint = https://phantauth.net/auth/userinfo
# Obtain a random client-id and client-secret via https://phantauth.net/client
# Find the "client_id" and "client_secret" returned, and place those values in these next two configs.
authentication-oidc.client-id =
authentication-oidc.client-secret =
# Because PhantAuth uses random users, you MUST ensure self registration is enabled
# (This is the default setting though, which is why it's commented out)
# authentication-oidc.can-self-register = true |
Shibboleth Authentication
...
Overview
Content Tools