OpenID-Connect authentication
IAM supports brokered OpenID Connect authentication to external identity providers (e.g., Google).
When brokered OpenID Connect authentication is turned on a IAM instance, users can log into the service delegating authentication to one of the supported OpenID Connect providers (OP).
To enable brokered OpenID Connect authentication on your IAM instance you have to:
- Obtain client credentials and other configuration details for each of the external OpenID Connect providers;
- Provide the OIDC configuration file defining the configuration of the supported OPs;
- Enable the
oidcprofile.
Obtain OP configuration and client credentials
In order to act as a relying party (RP) for an external OpenID Connect provider (OP), IAM will need at least:
- client credentials (a clientId and clientSecret);
- an OpenID Connect provider discovery endpoint URL;
As an example, see the the Google identity platform OpenID Connect guide for help on this.
Provide the OIDC configuration
Google configuration
If Google is the only OpenID Connect provider you want to support, the configuration embedded in the IAM war file already provides what you need, and you just need to:
-
Enable the
oidcprofile; -
Pass the google client credentials to IAM via the following environment variables:
IAM_GOOGLE_CLIENT_IDIAM_GOOGLE_CLIENT_SECRET
Multiple providers configuration
To configure multiple providers, or to override the default configuration, you must
provide an application-oidc.yaml configuration file and make it available to IAM.
Trusted OPs are configured for IAM via the application-oidc.yaml configuration file.
This is a Spring Boot configuration file that is activated when the oidc profile is turned on.
The default configuration file, embedded in the IAM war file, supports the configuration of a single provider, Google, for backward compatibility, and looks like this:
oidc:
providers:
- name: google
issuer: https://accounts.google.com
client:
clientId: ${IAM_GOOGLE_CLIENT_ID}
clientSecret: ${IAM_GOOGLE_CLIENT_SECRET}
redirectUris: ${iam.baseUrl}/openid_connect_login
scope: openid,profile,email,address,phone
loginButton:
text: Google
style: btn-social btn-google
image:
fa-icon: google
This configuration allows to configure support for Google by:
- activating the
oidcprofile; - Setting the
IAM_GOOGLE_CLIENT_IDandIAM_GOOGLE_CLIENT_SECRETenvironment variables to provide the Google client credentials;
To enable multiple providers, you need to override the default oidc configuration.
oidc:
providers:
- name: google
issuer: https://accounts.google.com
client:
clientId: ${IAM_GOOGLE_CLIENT_ID}
clientSecret: ${IAM_GOOGLE_CLIENT_SECRET}
redirectUris: ${iam.baseUrl}/openid_connect_login
scope: openid,profile,email,address,phone
loginButton:
text: Google
style: btn-social btn-google
image:
fa-icon: google
- name: egi-checkin
issuer: ${IAM_CHECKIN_ISSUER}
client:
clientId: ${IAM_CHECKIN_CLIENT_ID}
clientSecret: ${IAM_CHECKIN_CLIENT_SECRET}
redirectUris: ${iam.baseUrl}/openid_connect_login
scope: ${IAM_CHECKIN_CLIENT_SCOPE:openid,profile,email}
loginButton:
text: EGI CheckIn
title: Sign in with EGI CheckIn
image:
url: https://egi.eu/wp-content/uploads/2016/05/cropped-logo_site-1-300x300.png
size: medium
The example configuration above shows how to configure support for Google and
the EGI CheckIn provider, with a custom button configuration for the CheckIn
provider.
See the configuration reference for instructions on how to override the default IAM configuration.