[OpenID] Add OpenID Connect support to LORIS #8255
Conversation
driusan
added
Release: Add to release notes
driusan
force-pushed
the
OpenIDConnect
branch
2 times, most recently
from
0e7b216
to
928b189
Compare
driusan
removed
the
State: Blocked
driusan
force-pushed
the
OpenIDConnect
branch
from
324010c
to
9390b6c
Compare
driusan
force-pushed
the
OpenIDConnect
branch
from
9390b6c
to
874e3cb
Compare
|
per Loris meeting Oct.10 - shouldn't be a big task, mostly review |
There was a problem hiding this comment.
I have tested this PR with 3 providers: Google, Globus and ORCID. Total success was only achieved with Google but I managed to authenticate with all of them. Here are my observations.
email_verified:
In all 3 cases, the request was not accepted when email_verified was in the scope parameter. It should probably be removed.
-
Google: For the 3 providers I tested, only Google had
email_verifiedin theirclaims_supportedarray. It was included in the response without it being present in thescope. Worked as expected once removed. -
Globus: Returns the
emailbut does not returnemail_verified. This causes an issue here but otherwise works. -
ORCID: Does not have
emailscope so cannot be immediately associated to an account. This provider would require an extra API call or some DB accommodations.
JWK::parseKeySet():
This only worked out the box for Google.
-
Globus: This error is thrown:
"kid" empty, unable to lookup correct key. I was able to get it to work by manually generating the key usingJWK::createPemFromModulusAndExponentand passing that toJWT::decode. -
ORCID: This error is thrown:
JWK must contain an "alg" parameter. I got it to work by passing$defaultAlg = 'RS256'toJWK::parseKeySet. This value can be obtained from the discovery config.
Notes:
- The code suggestion I made is because ORCID returns
"token_type":"bearer"all lowercase. - Perhaps inserting the module should be part of the patch.
client_idandclient_secretin theform_paramswas not required for any of the providers I used.- I will gladly test this with other providers, if requested. Let me know which one(s).
|
@jeffersoncasimir Thanks for the review. When I was writing it I used auth0, but you don't need to test it with that. I'm not sure what's actionable and what's not in your review. With Globus, is it a question of the software not supporting the email_verified claim, or a question of your email address not being verified with them? If we trust unverified email addresses claims I think it opens up security problems we don't want to deal with and I'm not sure how to move forward. For the JWK problems, is this a problem in our code, or a problem with the library we're using? Would upgrading the version of php-jwt used by LORIS potentially fix them? How do we move forward with this? |
Globus does not return
I am using the latest version of the library (firebase/php-jwt v6.9.0) and we are relying on its We cannot really use these providers right now though (no |
This adds support for the OpenID Connect protocol in LORIS, allowing us to include "Login with ...." links on the login page and delegate to third parties which implement the protocol such as Google or Facebook or Globus. For writing this, I used auth0 (because they allow http://localhost URLs for development.) When a user clicks the "Login with ...." link on the login page, they should be redirected to the third party to authenticate the request. If they authorize it, LORIS will check if a user exists with the email address returned. If it already exists, they will be logged in. If not, they will be redirected to the request account page with the known information (name and email address) populated. (We can not determine their site or project or radiologist/examiner status from the third party.)
driusan
force-pushed
the
OpenIDConnect
branch
from
cc9f570
to
aa35418
Compare
|
@jeffersoncasimir I rebased and removed the client_id/secret |
|
I also just removed email_verified from the scope. Since I'm not sure if they were required by the implementation I was using when developing and I don't think I have it setup anymore, could you test quickly with auth0 and confirm that it still works with Google? I think we should try and get Globus (used by some projects with overrides without using OIDC) and ORCID (highly demanded) working, but we can make issues for those and iterate on this. |
Brief summary of changes
This adds a new module, oidc, to add support for OpenID Connect to LORIS. This allows LORIS to be configured to login with third party identity providers (ie. "Login with Google", "Login with Facebook", etc).
If a user authenticates with an OIDC provider that's been configured the behaviour will depend on whether there is a user with the same email address that exists in LORIS. If a user exists, it will be logged in. If there is no user, they will be redirected to the Request Account page with the known information that came back from OpenID pre-filled.
Testing instructions (if applicable)
You will need to get credentials from an OpenID provider, the exact details of how to register your app will vary based on who you use. (I used auth0 for dev and testing since it allowed localhost URLs for testing, other providers only allow allow https:// on a top level domain to be used to register an app.)
After registering with your openid identity provider, you need to manually insert into the
openid_connect_providerswith the values that came from registering your app (except Name, which is internal to LORIS and used for displaying the "Login with.." text on the login page.) See description in the module README.