OpenID Connect 1.0 is an authentication layer based on the OAuth 2.0 protocol. It enables clients to obtain the end user's identity from an authentication provider in a REST-like manner.
Goobi workflow can function and be configured as an OpenID Connect client. During implementation, particular care was taken to ensure that as many OpenID Connect providers as possible can be addressed. For this reason, the settings in goobi_config.properties are relatively complex.
In addition, the login endpoint must be activated in the API. To do this, a new entry is created in goobi_rest.xml:
With these settings, a user is redirected to the authentication provider's page the first time they visit Goobi workflow. There, a user who is already logged in is redirected straight back to Goobi workflow; otherwise he or she must first log in and is then redirected to Goobi workflow.
Once the user has been redirected back, Goobi checks the authentication provider's reply for validity and searches for a user whose SSO-ID matches the email claim from the OpenID Connect reply. If such a user is found, he or she is logged in.