Difference between revisions of "OpenID Connect"

From TMM Wiki
Jump to navigationJump to search
Line 11: Line 11:
 
* Enter the password that your member area(s) is(are) going to use for the token endpoint authentication into the MEMBER_OPENID_CLIENT_SECRET field
 
* Enter the password that your member area(s) is(are) going to use for the token endpoint authentication into the MEMBER_OPENID_CLIENT_SECRET field
 
* Decide what domain (and protocol) you will use for the authorization (login) page as well as the token and the userinfo endpoints
 
* Decide what domain (and protocol) you will use for the authorization (login) page as well as the token and the userinfo endpoints
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>poop<br>
 
poop<br>
 
poop<br>
 
poop<br>poop<br>poop<br>
 
poop<br>
 
poop<br>poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
poop<br>
 
  
 
== Authentication Domain ==
 
== Authentication Domain ==

Revision as of 17:01, 2 August 2018

NATS 4
Members Admin
The Members Admin
View Member Details
Add Member
MySQL Auth
Mod Authn DB
Multisite Access
Member Logging
Member Password Retrieval
OpenID Connect
Mod Auth OpenIDC
ID Numbers

As of version 4.1.21.1 NATS can be used as an OpenID Connect server. This is another option for member authentication. In order to utilize this feature, you will need to use an OpenID Connect client. When developing this feature, we used the mod_auth_openidc apache module. Here is an example implementation. Unlike the standard OpenID Connect server implemantaion, consent for the surfer to provide protected details (like username and email) to the client (members area) is implied.

Initial NATS Setup

  • Go to the NATS config admin -> surfers and scroll down to the 'Member OpenID Connect Server' section
  • Enable the ENABLE_MEMBER_OPENID config option
  • Provide a list of all ips defined on your member area server(s) by entering it into the MEMBER_OPENID_SECURE_IPS field
  • Enter the password that your member area(s) is(are) going to use for the token endpoint authentication into the MEMBER_OPENID_CLIENT_SECRET field
  • Decide what domain (and protocol) you will use for the authorization (login) page as well as the token and the userinfo endpoints

Authentication Domain

You have a couple options when deciding what domain (and protocol) will be used for the authorization (login) page as well as the token and the userinfo endpoints.

  1. You can use the main NATS url. In this case, the value of the PROJECT_HOSTNAME config setting will be used for the domain and the protocol will be determined by the PROJECT_HOSTNAME_DISPLAY_HTTPS config setting.
  2. You can provide a single domain (and protocol) to use via the MEMBER_OPENID_DOMAIN config setting. This is very similar to the option above, except that it will be different than the main NATS domain.
  3. You can use each site's link domain. To do this, you will need to enabled the MEMBER_OPENID_DYNAMIC_DOMAIN config option.
  4. You can make a custom authentication domain for each site. This is very similar to the option above, except that it will be different than the domain of the join page (login.yoursite.com instead of join.yoursite.com). You will need to setup each of these domains in a similar way that you setup your link domains.

Claims