OIDC Authentication
For single sign-on, this project utilizes the mozilla-django-oidc library.
More information about the library can be found in its documentation.
Obtaining a client ID and secret
To set this up in your deployed environment, you will first need to submit a Shibboleth request.
The request requires the URL of your application. Make sure that route is served over HTTPS (SSL/TLS) before submitting; otherwise you may need to file another request later to update the callback URL.
When filling out the form, the redirect URI is your application URL followed by /oidc/callback/, e.g.:
- https://new-app.its.umich.edu/ (application URL)
- https://new-app.its.umich.edu/oidc/callback/ (redirect URI)
Configuring your app
Once you have obtained a client ID and secret, you will need to set the following environment variables:
- OIDC_RP_CLIENT_ID
- OIDC_RP_CLIENT_SECRET
- OIDC_OP_AUTHORIZATION_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/authorize
- OIDC_OP_TOKEN_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/token
- OIDC_OP_USER_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/userinfo
- OIDC_OP_JWKS_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/keyset
Set OIDC_RP_CLIENT_ID and OIDC_RP_CLIENT_SECRET to the values returned by your Shibboleth request. If any of the endpoints change, consult the UM OIDC metadata for the current values.
The following settings are optional but can also be configured:
- OIDC_RP_SIGN_ALGO
- OIDC_USERNAME_ALGO
- OIDC_RP_SCOPES
- OIDC_CREATE_USER
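The following is an added example, not code from this project or from mozilla-django-oidc. It ties together the two steps above: deriving the redirect URI to register (application URL plus /oidc/callback/) and loading the environment variables listed above into Django settings. It assumes a settings module that calls globals().update(oidc_settings(os.environ)) at import time (an assumption, not something the page prescribes); the variable names are the ones on this page. The example fails fast on a missing required variable or a non-HTTPS endpoint, and it defaults OIDC_RP_SIGN_ALGO to RS256 so that ID tokens are verified against the provider's JWKS keyset rather than the shared client secret (mozilla-django-oidc's own default is HS256).

```python
"""Build mozilla-django-oidc settings from environment variables.

Added example, not the project's own code. Variable names follow the page;
the globals().update() usage in settings.py is an assumption.
"""
import os
from urllib.parse import urlsplit, urlunsplit

# Required variables from the page; the OIDC_OP_* ones are provider endpoints.
REQUIRED_VARS = (
    "OIDC_RP_CLIENT_ID",
    "OIDC_RP_CLIENT_SECRET",
    "OIDC_OP_AUTHORIZATION_ENDPOINT",
    "OIDC_OP_TOKEN_ENDPOINT",
    "OIDC_OP_USER_ENDPOINT",
    "OIDC_OP_JWKS_ENDPOINT",
)

# Defaults for the optional settings. OIDC_RP_SCOPES and OIDC_CREATE_USER match
# mozilla-django-oidc's documented defaults; OIDC_RP_SIGN_ALGO is pinned to
# RS256 here (the library's default is HS256) so the ID token signature is
# checked against the JWKS endpoint above instead of the client secret.
OPTIONAL_DEFAULTS = {
    "OIDC_RP_SIGN_ALGO": "RS256",
    "OIDC_RP_SCOPES": "openid email",
    "OIDC_CREATE_USER": "True",
}


class OIDCConfigError(ValueError):
    """Raised when the environment is missing or mis-specifies an OIDC setting."""


def redirect_uri(application_url: str) -> str:
    """Return the redirect URI to register for ``application_url``.

    mozilla-django-oidc serves its callback at /oidc/callback/, so the redirect
    URI is the application URL plus that path. Plain-HTTP URLs are rejected:
    the authorization code would otherwise travel in the clear.
    """
    parts = urlsplit(application_url)
    if parts.scheme != "https" or not parts.netloc:
        raise OIDCConfigError(f"application URL must be https://host[/path], got {application_url!r}")
    path = parts.path.rstrip("/") + "/oidc/callback/"
    return urlunsplit(("https", parts.netloc, path, "", ""))


def _as_bool(value: str) -> bool:
    """Parse a boolean environment value ("true"/"1"/"yes" -> True)."""
    return value.strip().lower() in ("true", "1", "yes")


def oidc_settings(env) -> dict:
    """Assemble the Django settings for mozilla-django-oidc from ``env``.

    Raises OIDCConfigError on a missing required variable or a non-HTTPS
    provider endpoint, so a misconfigured deployment fails at startup rather
    than at the first login attempt.
    """
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise OIDCConfigError("missing environment variables: " + ", ".join(missing))
    settings = {name: env[name] for name in REQUIRED_VARS}
    for name in REQUIRED_VARS:
        if name.startswith("OIDC_OP_") and urlsplit(settings[name]).scheme != "https":
            raise OIDCConfigError(f"{name} must be an https:// URL")
    settings["OIDC_RP_SIGN_ALGO"] = env.get("OIDC_RP_SIGN_ALGO", OPTIONAL_DEFAULTS["OIDC_RP_SIGN_ALGO"])
    settings["OIDC_RP_SCOPES"] = env.get("OIDC_RP_SCOPES", OPTIONAL_DEFAULTS["OIDC_RP_SCOPES"])
    settings["OIDC_CREATE_USER"] = _as_bool(env.get("OIDC_CREATE_USER", OPTIONAL_DEFAULTS["OIDC_CREATE_USER"]))
    # OIDC_USERNAME_ALGO is a dotted path to a function; only set it when given,
    # so the library's default username derivation applies otherwise.
    if env.get("OIDC_USERNAME_ALGO"):
        settings["OIDC_USERNAME_ALGO"] = env["OIDC_USERNAME_ALGO"]
    return settings


# Constructed sample environment for a stand-alone run; the endpoints are the
# ones listed on the page, the client credentials are placeholders.
SAMPLE_ENV = {
    "OIDC_RP_CLIENT_ID": "example-client-id",
    "OIDC_RP_CLIENT_SECRET": "example-client-secret",
    "OIDC_OP_AUTHORIZATION_ENDPOINT": "https://shibboleth.umich.edu/idp/profile/oidc/authorize",
    "OIDC_OP_TOKEN_ENDPOINT": "https://shibboleth.umich.edu/idp/profile/oidc/token",
    "OIDC_OP_USER_ENDPOINT": "https://shibboleth.umich.edu/idp/profile/oidc/userinfo",
    "OIDC_OP_JWKS_ENDPOINT": "https://shibboleth.umich.edu/idp/profile/oidc/keyset",
}

if __name__ == "__main__":
    print("register:", redirect_uri("https://new-app.its.umich.edu/"))
    for key, value in oidc_settings({**os.environ, **SAMPLE_ENV}).items():
        print(f"{key} = {'<redacted>' if key == 'OIDC_RP_CLIENT_SECRET' else value}")
```

In a real settings.py the loop at the bottom is replaced by globals().update(oidc_settings(os.environ)); the startup failure on a missing variable is deliberate, since a login flow that breaks only when a user hits the callback is harder to notice in deployment checks.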
Notes
You may want to read the relevant documentation to decide whether OIDC is sufficient for your needs or whether you need SAML-based authentication.