openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc (61 additions & 0 deletions)
@@ -291,6 +291,67 @@ a|authentication.json
291
291
|===
292
292
In general, if you add a custom property, the Admin UI writes changes to the `authentication.json` or `ui-configuration.json` files.
293
293
294
+
[#social-providers-module-details]
295
+
=== SOCIAL_PROVIDERS Module Configuration Options
296
+
297
+
The `SOCIAL_PROVIDERS` module is a meta-module (template) that dynamically generates `OPENID_CONNECT` and `OAUTH` authentication modules at startup for supported providers registered in the `IdentityProviderService`. The identity provider configurations themselves (client IDs, client secrets, authorization endpoints, etc.) are defined in `conf/identityProviders.json`, not inside the `SOCIAL_PROVIDERS` module entry.
298
+
299
+
[NOTE]
300
+
======
301
+
The `SOCIAL_PROVIDERS` entry is removed from the active authentication module list at startup — it is never initialized as an authenticator itself. Each `OPENID_CONNECT` or `OAUTH` provider entry in `conf/identityProviders.json` results in exactly one generated authentication module.
a|Controls whether the meta-module activates and generates child modules. If set to `false`, no social provider auth modules are generated.
313
+
a|authentication.json
314
+
315
+
a|Default User Roles
316
+
a|openidm-authorized
317
+
a|List of roles inherited by all generated `OAUTH` and `OPENID_CONNECT` modules.
318
+
a|authentication.json
319
+
320
+
a|Method for Determining Roles
321
+
a|User Roles Property
322
+
a|How authorization roles are resolved. When set to `User Roles Property`, the value of the User Roles Property field is used as the attribute name on the managed object.
323
+
a|authentication.json
324
+
325
+
a|User Roles Property
326
+
a|authzRoles
327
+
a|The managed-object attribute used for authorization roles. Applies when Method for Determining Roles is set to `User Roles Property`.
a|A defined `queryId` searches against the `queryOnResource` endpoint. Leave blank to use `action=reauthenticate`.
341
+
a|authentication.json
342
+
343
+
a|Augment Security Context — Type
344
+
a|Javascript
345
+
a|Script language for the augment security context script. Supports `Javascript` or `Groovy`.
346
+
a|authentication.json
347
+
348
+
a|Augment Security Context — File Path
349
+
a|auth/populateAsManagedUserFromRelationship.js
350
+
a|Path to the security context script, relative to the `bin/defaults/script` directory. This script is inherited by all generated `OAUTH` and `OPENID_CONNECT` modules.
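Review bot: the Default User Roles row (default `openidm-authorized`) is described as "inherited by all generated `OAUTH` and `OPENID_CONNECT` modules", so its description should warn that any role listed here is granted to every account that arrives through any social provider; a reader who adds a privileged role with one provider in mind silently grants it to all of them. Two further gaps in the same table: the NOTE says each `OPENID_CONNECT` or `OAUTH` entry in `conf/identityProviders.json` "results in exactly one generated authentication module" but does not say whether a provider entry that is disabled is skipped, which matters because a module generated for a disabled provider would still accept that provider's tokens; and the Query ID description ("Leave blank to use `action=reauthenticate`") is the generic wording used for the credential-based modules, so if it does not apply to the token-based generated modules the row should say so rather than repeat it. Minor: the Augment Security Context type row spells the value `Javascript`; the language is normally written `JavaScript`, and the table should also state whether the file path is resolved only against `bin/defaults/script` or also against the project's own script directory.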
openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc (45 additions & 0 deletions)
@@ -480,6 +480,51 @@ Set up logins with OpenAM, to work with the related login session cookie, known
480
480
IWA::
481
481
The IWA module enables users to authenticate by using Integrated Windows Authentication (IWA), rather than by providing a username and password. For information about configuring the IWA module with OpenIDM, see xref:#openidm-auth-kerberos["Configuring IWA Authentication"].
482
482
483
+
[[social-providers-module]]SOCIAL_PROVIDERS::
484
+
The `SOCIAL_PROVIDERS` module is a __meta-module__ (template) that bridges the social identity provider configuration in `conf/identityProviders.json` and the OpenIDM authentication filter. It is not an authenticator itself — instead, at startup it scans all providers registered with the `IdentityProviderService`, removes itself from the active module list, and dynamically generates the corresponding `OPENID_CONNECT` or `OAUTH` authentication modules:
485
+
486
+
+
487
+
* For each provider of type `OPENID_CONNECT`, an `OPENID_CONNECT` auth module is generated with `openIdConnectHeader: "authToken"`.
488
+
* For each provider of type `OAUTH`, an `OAUTH` auth module is generated with `authTokenHeader: "authToken"` and `authResolverHeader: "provider"`.
489
+
490
+
+
491
+
The generated modules inherit the `augmentSecurityContext`, `propertyMapping`, and `defaultUserRoles` values from the `SOCIAL_PROVIDERS` template entry.
492
+
493
+
+
494
+
Providers are configured separately in `conf/identityProviders.json`, or via the Admin UI under *Configure > Social ID Providers*. The `SOCIAL_PROVIDERS` module acts as a single configuration point so that operators do not need to add individual `OPENID_CONNECT` or `OAUTH` entries to `authentication.json` for every social provider.
495
+
496
+
+
497
+
[NOTE]
498
+
======
499
+
Any `OPENID_CONNECT` or `OAUTH` modules that are __explicitly__ defined in `authentication.json` are independent of `SOCIAL_PROVIDERS` and will coexist alongside the dynamically generated modules. They are not managed or removed by `SOCIAL_PROVIDERS`.
500
+
======
501
+
502
+
+
503
+
A sample `SOCIAL_PROVIDERS` configuration is as follows:
For detailed property options, see xref:appendix-auth-modules.adoc#social-providers-module-details["SOCIAL_PROVIDERS Module Configuration Options"].
527
+
483
528
[#openid-connect-module]
484
529
OPENID_CONNECT::
485
530
The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provider. It reads an OpenID Connect ID token (JWT) from an HTTP header (configured via `openIdConnectHeader`), validates it against the configured OIDC provider endpoints, and maps the authenticated identity to an OpenIDM managed object.
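Review bot: the first bullet says every generated `OPENID_CONNECT` module reads the same `authToken` header but, unlike the `OAUTH` bullet (`authResolverHeader: "provider"`), names no resolver header, so the text should explain how the filter selects the right module when several OIDC providers are configured; as written a reader cannot tell whether an ID token issued by one provider could be presented to the module generated for another, which is the property an operator needs to verify. Related omission: the paragraph says `SOCIAL_PROVIDERS` "removes itself from the active module list" and generates replacements, but not where the generated modules are placed relative to the explicitly defined `OPENID_CONNECT`/`OAUTH` modules that the NOTE says coexist with them; if the filter tries modules in order, that placement decides which module handles a given request and should be stated. Style: the new term uses an inline anchor, `[[social-providers-module]]SOCIAL_PROVIDERS::`, whereas the neighbouring entry puts a block anchor `[#openid-connect-module]` on its own line before `OPENID_CONNECT::`; use the block form for consistency.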