Authentication - Orodan/Hilary GitHub Wiki

All authentication relies on PassportJS. Passport supports many strategies out of the box, and technically any of them could be used.

So far the following strategies have been tested and are supported by the OAE team. All of them can be enabled or disabled at runtime:

Local authentication

A user can authenticate by submitting a form that contains a username and password.

CAS authentication

Users can log in via CAS (Central Authentication Service). They are redirected to the CAS login endpoint and, when they return, their ticket is validated.

Configuration options:

  • Name
    • The name that regular users would recognize as their institutional Single Sign On service
    • e.g., GT Login
  • Service
  • Base path (optional)
    • The base path to which the CAS servlet handlers are bound
    • e.g., /cas
  • Login path
    • The path on which the login servlet handler is registered
    • Users are redirected to the URL formed by combining the URI, Base path and Login path
    • e.g., /login
    • The above configuration results in https://login.gatech.edu/cas/login
  • Logout path
    • The path on which the logout servlet handler is registered
    • e.g., /logout
  • Service validation path
    • The path that can be used to validate tickets
    • e.g., /serviceValidate
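The following is an added example, not code from the Hilary project, showing how the URI, Base path and the three path options above combine into the CAS endpoints, and how a CAS 2.0 serviceValidate reply is checked before a returning user is trusted. The configuration key names (uri, basePath, loginPath, ...), the tenant callback URL and the sample XML replies are constructed for this example; the service and ticket query parameters are the ones defined by the CAS protocol.

```javascript
// Added example (not Hilary code): derive CAS endpoints from the configuration
// options and parse a CAS 2.0 serviceValidate response.
// Key names and sample values below are constructed for illustration.
const casConfig = {
  name: 'GT Login',
  uri: 'https://login.gatech.edu',
  basePath: '/cas',
  loginPath: '/login',
  logoutPath: '/logout',
  serviceValidatePath: '/serviceValidate',
};

// Resolve URI + base path + path, tolerating a missing base path and stray slashes.
function casEndpoint(config, pathKey) {
  const base = (config.basePath || '').replace(/\/+$/, '');
  const path = config[pathKey].startsWith('/') ? config[pathKey] : '/' + config[pathKey];
  return new URL(base + path, config.uri).href;
}

// Where the browser is sent to log in. "service" is the URL CAS returns the user to
// with a ticket; the same value must be presented again when validating that ticket.
function loginRedirectUrl(config, serviceUrl) {
  const url = new URL(casEndpoint(config, 'loginPath'));
  url.searchParams.set('service', serviceUrl);
  return url.href;
}

// Back-channel request the server makes to confirm a ticket before trusting it.
function serviceValidateUrl(config, serviceUrl, ticket) {
  const url = new URL(casEndpoint(config, 'serviceValidatePath'));
  url.searchParams.set('service', serviceUrl);
  url.searchParams.set('ticket', ticket);
  return url.href;
}

// Minimal parser for the CAS 2.0 XML reply. Only an authenticationSuccess element
// that names a user counts as success; anything else is treated as a failure.
function parseServiceValidateResponse(xml) {
  const success = xml.match(
    /<cas:authenticationSuccess>[\s\S]*?<cas:user>([^<]+)<\/cas:user>[\s\S]*?<\/cas:authenticationSuccess>/,
  );
  if (success) return { ok: true, user: success[1].trim() };
  const failure = xml.match(
    /<cas:authenticationFailure\s+code=['"]([^'"]+)['"]\s*>([\s\S]*?)<\/cas:authenticationFailure>/,
  );
  if (failure) return { ok: false, code: failure[1], message: failure[2].trim() };
  return { ok: false, code: 'UNPARSEABLE', message: 'not a CAS serviceResponse' };
}

// Constructed sample replies in the shape defined by the CAS 2.0 protocol.
const SAMPLE_SUCCESS = `<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>gburdell3</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>`;

const SAMPLE_FAILURE = `<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-123 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>`;

// Usage: the callback path below is an assumed placeholder, not Hilary's real route.
const service = 'https://tenant.example.org/api/auth/cas/callback';
console.log(loginRedirectUrl(casConfig, service));
console.log(serviceValidateUrl(casConfig, service, 'ST-123'));
console.log(parseServiceValidateResponse(SAMPLE_SUCCESS));
console.log(parseServiceValidateResponse(SAMPLE_FAILURE));
```

The point to take from the parser is that a ticket on the query string proves nothing on its own: only a successful serviceValidate reply from the configured CAS server, requested with the same service URL the user was redirected with, identifies the user.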

Shibboleth authentication

Refer to the README in https://github.com/oaeproject/Hilary/tree/master/node_modules/oae-authentication/lib/strategies/shibboleth

Google authentication

Let users authenticate with their Google account.

You will need to register a web application on the Google API console (under API Access). Register the application with the tenant host name; you will need to create a key per tenant (e.g., "http://oae.oae-qa0.oaeproject.org").

After creating the web application, make sure the path in the redirect URL is set to "/api/auth/google/callback" (e.g., "http://oae.oae-qa0.oaeproject.org/api/auth/google/callback").

Once you've created your web application in the Google API Console, you can switch back to the OAE global administration panel and you'll be able to enable Google authentication. Go to the configuration for your tenant, click modules, select the 'OAE Authentication module' and perform the following tasks in the form:

  • Check 'Allow Google authentication for tenant'
  • Fill in the 'Google Client ID' (you can find it in the Google Console)
  • Fill in the 'Google Client Secret' (you can find it in the Google Console)
  • Click the Save configuration button.

Google authentication should now be enabled for your tenant.

Twitter authentication

Let users authenticate with their Twitter account. You will need to register an application on the Twitter Developer Website. When registering the app, specify the callback URL as https://<your-tenant>.oaeproject.org/api/auth/twitter/callback and provide the API key and secret from Twitter in the OAE admin UI.

Facebook authentication

Let users authenticate with their Facebook account. You will need to fill in the Facebook App ID and Secret on the tenant administration panel under authentication.
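The Google, Twitter and Facebook sections above share one property: keys are registered per tenant, against that tenant's host name, with a fixed callback path. The following is an added example, not code from the Hilary project, of the per-tenant checks a server should make before using such a strategy: that it is enabled, that both credentials are present, and that a callback request actually arrived at the callback URL registered for that tenant. The tenant configuration shape, the Facebook callback path and the sample tenants are assumptions constructed for this example; only the Google and Twitter callback paths come from the page.

```javascript
// Added example (not Hilary code): per-tenant strategy enablement and callback
// URL matching for the OAuth-style strategies. Everything except the Google and
// Twitter callback paths is an assumption made for this example.
const CALLBACK_PATHS = {
  google: '/api/auth/google/callback',     // from the wiki
  twitter: '/api/auth/twitter/callback',   // from the wiki
  facebook: '/api/auth/facebook/callback', // assumed by analogy, not documented
};

// Constructed sample of what the admin panel might have stored for two tenants.
const sampleTenants = {
  'oae.oae-qa0.oaeproject.org': {
    google: { enabled: true, clientId: 'google-client-id-qa0', clientSecret: 'google-secret-qa0' },
    twitter: { enabled: false, clientId: '', clientSecret: '' },
  },
  'other.oaeproject.org': {
    google: { enabled: true, clientId: '', clientSecret: '' }, // enabled but never filled in
  },
};

// A strategy is usable for a tenant only when it is enabled AND both credentials
// are present; the callback URL is derived from the tenant host, never from input.
function strategyStatus(tenants, tenantHost, strategy) {
  const tenant = tenants[tenantHost];
  if (!tenant || !CALLBACK_PATHS[strategy]) {
    return { usable: false, reason: 'unknown tenant or strategy' };
  }
  const cfg = tenant[strategy];
  if (!cfg || !cfg.enabled) return { usable: false, reason: 'disabled' };
  if (!cfg.clientId || !cfg.clientSecret) return { usable: false, reason: 'missing credentials' };
  return { usable: true, callbackUrl: 'https://' + tenantHost + CALLBACK_PATHS[strategy] };
}

// A callback request is accepted only when it is for a usable strategy and its
// origin + path equal the registered callback URL exactly (query string ignored,
// since the provider appends its own parameters there).
function callbackMatchesTenant(tenants, requestUrl, tenantHost, strategy) {
  const status = strategyStatus(tenants, tenantHost, strategy);
  if (!status.usable) return false;
  const u = new URL(requestUrl);
  return u.origin + u.pathname === status.callbackUrl;
}

// Usage with the constructed sample data.
console.log(strategyStatus(sampleTenants, 'oae.oae-qa0.oaeproject.org', 'google'));
console.log(strategyStatus(sampleTenants, 'other.oaeproject.org', 'google'));
console.log(callbackMatchesTenant(sampleTenants,
  'https://oae.oae-qa0.oaeproject.org/api/auth/google/callback?code=abc&state=xyz',
  'oae.oae-qa0.oaeproject.org', 'google'));
```

Because each tenant has its own key, the credentials used to complete a callback must be chosen by the host the request arrived on, not by anything the provider or the browser sends back; the exact-match check is what keeps one tenant's registration from being completed with another tenant's callback.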