Add OIDC authentication to AtoM #1741
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anvit
reviewed
Feb 3, 2024
plugins/arOidcPlugin/config/arOidcPluginConfiguration.class.php
Outdated
Show resolved
Hide resolved
melaniekung
reviewed
Feb 6, 2024
anvit
approved these changes
Feb 6, 2024
Thanks @anvit and @melaniekung! I have made the last change to satisfy PHP_cs_fixer. I will rebase, squash and merge. |
sbreker
force-pushed
the
dev/auth-plugin
branch
from
e96c541 to
ea8e456
Compare
This commit adds support for OIDC (OpenID Connect) user authentication in AtoM, implemented in a new arOidcPlugin. The plugin also provides an optional mechanism for dynamically setting AclUserGroup membership on each login, based on the presence or absence of expected values in tokens returned from the OIDC endpoint during authentication. Configuration of the plugin is handled manually by editing configuration files rather than through the AtoM user interface to avoid a "chicken-egg" problem of needing to log into AtoM as an administrator in order to set up the authentication mechanism. The steps required to enable the plugin are as follows, with all paths relative to the AtoM root directory: - Activate the plugin by adding it to the $plugins array in config/ProjectConfiguration.class.php - Configure the OIDC settings in plugins/arOidcPlugin/config/app.yml - Change the default login module from user to OIDC in apps/qubit/config/settings.yml - Change the user class to oidcUser in apps/qubit/config/factories.yml Tasks such as DIP upload will use authenticateWithBasicAuth method in AtoM's base myUser user class to allow Archivematica to authenticate for DIP Upload using basic auth even when a single sign-on method such as OIDC is enabled in AtoM.
sbreker
force-pushed
the
dev/auth-plugin
branch
from
51ae624 to
fecda72
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit adds support for OIDC (OpenID Connect) user authentication in AtoM, implemented in a new arOidcPlugin.
The plugin also provides an optional mechanism for dynamically setting AclUserGroup membership on each login, based on the presence or absence of expected values in tokens returned from the OIDC endpoint during authentication.
Configuration of the plugin is handled manually by editing configuration files rather than through the AtoM user interface to avoid a "chicken-egg" problem of needing to log into AtoM as an administrator in order to set up the authentication mechanism. The steps required to enable the plugin are as follows, with all paths relative to the AtoM root directory:
Tasks such as DIP upload will use
authenticateWithBasicAuthmethod in AtoM's basemyUseruser class to allow Archivematica to authenticate for DIP Upload using basic auth even when a single sign-on method such as OIDC is enabled in AtoM.