OIDC Integration#180
Conversation
- Integrated OpenID Connect (OIDC) authentication, allowing users to log in using OIDC providers. - Added OIDC settings to the admin page, including issuer URL, client ID, client secret, and various attributes. - Updated JavaScript to handle OIDC tab visibility and login button. - Included necessary dependencies in composer.json and updated the lock file. - Enhanced the authentication process to validate OIDC credentials and manage user data accordingly. - Updated documentation and comments for clarity on new OIDC features.
- Added functionality to manage multiple OIDC servers - Updated admin settings to include fields for custom labels, issuer URLs, client IDs, and other attributes for each OIDC server. - Implemented missing auto-login options for OIDC, enabling immediate redirection to specified OIDC servers. - Enhanced authentication logic to handle multiple OIDC server IDs and associated settings. - Improved session management for OIDC login and logout processes.
… email optional when this option is enabled
|
Awesome, thanks for the contribution! We'll review and let you know if we have any feedback. I'd like to set up an OIDC server to test this functionality, but it might be easier to just get me a sample login on UC System if there's a process for that. We also might be able to just test using OIDC with Google Logins, I haven't tried that before. |
|
Got it, I'll check with the UC IT folks. There's typically a good amount of hurdles in regard to creating an account, but I'll see if they're open to some type of restricted temporary login. |
|
Hi guys, sorry I added my revision commits to master instead of this pull request so you might need to open a new PR for additional revisions. This looks good, I only have one question about the OIDC logout implementation: PHP sessions by default only have a lifetime of 24 minutes so we may need to avoid relying on Let me know your thoughts |
|
@figureone Good notes; we captured back your changes and have made some revisions per the notes. I'll open up a new PR to incorporate those changes. |
Hello,
My team uses this plugin for our University of California customers. One of the collages we work with is transitioning away from CAS and moving towards OIDC as their recommended SSO method. We're hoping to see an OIDC module within the Authorizer plugin in the future.
The OIDC library I picked for this integration was https://github.com/jumbojett/OpenID-Connect-PHP as it seems to be the most widely used library, most contributors, etc. Majority of the heavy lifting is off-loaded to the library. The rest of the code changes within the plugin attempt to mirror the existing oAuth2 module as closely as possible.
In the interest of transparency, I'll note the code was mostly written within Cursor (AI agent) as we're experimenting with different AI tools. The code was reviewed by two of our developers and Q/Aed by myself, however we're by no means SSO, OIDC, or security specialists.
I have tested core functionality of the OIDC module specific to our customer's IdP and it works as expected. I have not tested:
Let me know if I can answer any questions. Our availability for adjustments varies dependent on client work volume, but if there are changes you'd like to see before considering this type of feature let me know.
Thanks!
-Sam