OIDC - AtlasOfLivingAustralia/documentation GitHub Wiki

OpenID Connect (OIDC)

Recent versions of the CAS services and of the ALA modules running on Java 11 use the ala-auth-plugin, which lets users authenticate via OIDC instead of the legacy CAS protocol.

Configuration

To migrate a module from CAS to OIDC authentication, its configuration should contain something like the following:

security:
  cas:
    enabled: false
  oidc:
    enabled: true

You also need to configure the OIDC provider in each of those applications (the client ID and secret below are placeholders that must be replaced):

security:
  oidc:
    discovery-uri: 'https://auth.your-l-a.site/cas/oidc/.well-known'
    client-id: 'ChangeMe'
    secret: 'ChangeMe'
    scope: 'openid profile email ala roles'

Automatically create the Client Id and Client Secret

Recent versions of ala-install (>= 2.1.14) generate the client ID and client secret in CAS for you and configure them in each ALA module. See this PR for more details.

Manually create the Client Id and Client Secret

If you need to do this manually for some reason, these are the steps.

  1. Go to the OAuth Services section in cas-management:

  2. Press the (+) icon and choose Create OIDC:

  3. Fill in the Basic section. Make sure the service URL pattern (including any wildcards) matches your module's URL and nothing broader:

  4. The Client section should have a Client ID and Client Secret autogenerated for you (copy them for later). Verify the checkboxes:

  5. Fill in the OIDC section:

  6. Fill in the Scopes section like this:

  7. Press the Save icon. That's it. Now copy the Client ID and Client Secret into your LA module configuration as described at the beginning of this page.
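As an added example (this is not code from ala-install, ala-auth-plugin or cas-management), the script below checks offline the three things this page asks you to get right: the module's `security:` block (CAS off, OIDC on, no `ChangeMe` placeholders, https discovery URI), the provider's discovery document (issuer and endpoints on the expected host over https, every requested scope offered), and the service URL pattern registered in cas-management against the module's redirect URI. The sample discovery document, its endpoint paths, the host names and the redirect path are constructed assumptions, as is treating the service pattern with find-style (unanchored) regex semantics, which is the conservative choice because a pattern without `^` then matches anywhere in a URL.

```python
"""Preflight checks for an ALA module's OIDC settings (added example, not ALA code).

Checks performed offline:
  1. the module config dict: cas disabled, oidc enabled, no placeholder secret,
  2. a CAS OIDC discovery document: endpoints present, https, on the right host,
     and every requested scope listed in scopes_supported,
  3. the cas-management service pattern vs. the module's redirect URI, and
     whether the pattern is broad enough to also match a foreign host.
The discovery document below and its endpoint paths are assumptions.
"""
import json
import re
from urllib.parse import urlparse

PLACEHOLDERS = {"ChangeMe", "", None}
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample of what the discovery URI might return; the endpoint paths
# are assumed, compare with what your own CAS actually serves.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.your-l-a.site/cas/oidc",
    "authorization_endpoint": "https://auth.your-l-a.site/cas/oidc/oidcAuthorize",
    "token_endpoint": "https://auth.your-l-a.site/cas/oidc/oidcAccessToken",
    "jwks_uri": "https://auth.your-l-a.site/cas/oidc/jwks",
    "scopes_supported": ["openid", "profile", "email", "ala", "roles"],
})


def check_module_config(security):
    """Check the `security:` block of a module config (as a dict). Returns a list of problems."""
    problems = []
    if security.get("cas", {}).get("enabled", False):
        problems.append("cas.enabled must be false when migrating to OIDC")
    oidc = security.get("oidc", {})
    if not oidc.get("enabled", False):
        problems.append("oidc.enabled must be true")
    for key in ("client-id", "secret"):
        if oidc.get(key) in PLACEHOLDERS:
            problems.append(f"oidc.{key} is still a placeholder")
    if urlparse(oidc.get("discovery-uri", "")).scheme != "https":
        problems.append("oidc.discovery-uri must use https")
    return problems


def check_discovery(doc_json, discovery_uri, requested_scope):
    """Check a discovery document against the configured discovery URI and scope string."""
    doc = json.loads(doc_json)
    problems = []
    expected_host = urlparse(discovery_uri).netloc
    issuer = doc.get("issuer", "")
    if urlparse(issuer).netloc != expected_host:
        problems.append(f"issuer {issuer!r} is not on {expected_host}")
    for name in REQUIRED_ENDPOINTS:
        url = doc.get(name, "")
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.netloc != expected_host:
            problems.append(f"{name} missing or not https on {expected_host}: {url!r}")
    supported = set(doc.get("scopes_supported", []))
    missing = [s for s in requested_scope.split() if s not in supported]
    if missing:
        problems.append(f"scopes not offered by the provider: {missing}")
    return problems


def check_service_pattern(service_id_regex, redirect_uri):
    """Check the cas-management service ID (a regex) against the module's redirect URI.

    Returns (matches_own_url, matches_foreign_host). The second value must be
    False: a pattern that also matches another host lets that host receive
    authorization codes. Uses re.search (find-style, unanchored) as the
    conservative assumption about how the service pattern is evaluated.
    """
    pattern = re.compile(service_id_regex)
    own = urlparse(redirect_uri)
    foreign_probes = [
        "https://attacker.example/callback",                   # unrelated host
        f"https://{own.netloc}.attacker.example{own.path}",     # host-prefix confusion
        f"https://attacker.example/?next={redirect_uri}",       # own URL embedded in a query
    ]
    matches_own = pattern.search(redirect_uri) is not None
    matches_foreign = any(pattern.search(p) for p in foreign_probes)
    return matches_own, matches_foreign


if __name__ == "__main__":
    # Hypothetical module host and redirect path, used only for illustration.
    redirect = "https://module.your-l-a.site/callback"
    print(check_service_pattern(r"^https://module\.your-l-a\.site/.*", redirect))  # (True, False)
    print(check_service_pattern(r"^https://.*", redirect))                         # (True, True)
```

Run the pattern check with the exact service ID string you entered in the Basic section: a result of `(True, True)` means the wildcard is too wide and should be tightened to your module's scheme, host and a trailing slash before the `.*`.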