Use an IAM with OpenID Connect

[michmuel]

Who requested this new feature?

Canton Basel-Landschaft

Is your feature request related to a problem?

Context of the feature request: The GMF geoportal can be employed as an OAuth2 authorisation server. However, there is no functionality implemented that the geoportal can act as a resource server in the context of OAuth2/OpenID Connect where authentication and authorisation is handled by an independent server (e.g. cantonal adfs server).

The feature request is related to our intention of using GeoGirafe as web client. Specific user roles can be required for accessing parts of the data provided by GMF through GeoGirafe. Both user authentication and authorisation are handled by a cantonal server. The login/logout functionalities (redirection to the authentication server) would be handled by GeoGirafe. Relevant tokens for authorisation (containing e.g. the user roles) would be included in requests to GMF.

Describe the solution you'd like

We would like an extension of the GMF functionality in order that authorisation issued by another application based on OAuth2/OIDC can be processed.

Additional information or points to watch out for

• Coordination with the GeoGirafe project (e.g. login functionalities, handling and forwarding of relevant tokens (https://gitlab.com/geogirafe/gg-viewer/-/issues/171)
• Requirements from/to authentication/authorisation servers (e.g. cantonal/communal/organisational IT)