Skip to content
GitLab

OIDC Authentication · Changes

Page history
Add oidc authentication authored by Jon Yu's avatar Jon Yu
Hide whitespace changes
Inline Side-by-side
OIDC-Authentication.md 0 → 100644
View page @ fcaa5f14
# OIDC Authentication
For single sign-on, this project utilizes the [mozilla-django-oidc](https://github.com/mozilla/mozilla-django-oidc) library.
More information for the library can be found [here](https://mozilla-django-oidc.readthedocs.io/en/stable/).
## Obtaining a client ID and secret
To set this up in your deployed environment, you'll need to first [create a Shibboleth request](https://its.umich.edu/accounts-access/shibboleth/configuration-request-form).
To submit the request, you will need to provide the URL to your application. You may want to ensure that your route is HTTPS secured with SSL/TLS first or you may need to make another request later to update the callback.
When filling out the form, the redirect uri will be your application url + /oidc/callback/
e.g.
https://new-app.its.umich.edu/ (application url)
https://new-app.its.umich.edu/oidc/callback/ (redirect uri)
## Configuring your app
Once you have obtained a client ID and secret, you will need to set the following environment variables:
- OIDC_RP_CLIENT_ID
- OIDC_RP_CLIENT_SECRET
- OIDC_OP_AUTHORIZATION_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/authorize
- OIDC_OP_TOKEN_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/token
- OIDC_OP_USER_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/userinfo
- OIDC_OP_JWKS_ENDPOINT=https://shibboleth.umich.edu/idp/profile/oidc/keyset
Replace OIDC_RP_CLIENT_ID and OIDC_RP_CLIENT_SECRET with the values provided from your Shibboleth request. The UM metadata can be found [here](https://shibboleth.umich.edu/.well-known/openid-configuration) if any of the endpoints change.
The following values are configurable, but optional:
- OIDC_RP_SIGN_ALGO
- OIDC_USERNAME_ALGO
- OIDC_RP_SCOPES
- OIDC_CREATE_USER
## Notes
You may want to read the documentation [here](https://its.umich.edu/accounts-access/shibboleth/protocol-options) to decide if OIDC is sufficient for your needs or if you need SAML-based authentication.
\ No newline at end of file