Authentication and User Management

Using OpenID / OAuth2 in Login Screen

Updated: July 17, 2023

You can use any OpenID / OAuth2 identity provider in the authentication chain. The default behavior is to display a sign-in button per identity provider to start the authentication challenge, then building the expected UserIdentificationInfo with the provided UserInfo.

By default, the username resolved with the identity provider user information must be in the user directory to allow it to access the Nuxeo Platform.

Configuration

Declaring a New IdentityProvider

Target: org.nuxeo.ecm.platform.oauth2.openid.OpenIDConnectProviderRegistry Extension Point: providers

      <provider>
        <name>GoogleOpenIDConnect</name>
        <label>Google</label>
        <description>Login using your Google account</description>
        <authorizationServerURL>https://accounts.google.com/o/oauth2/auth</authorizationServerURL>
        <tokenServerURL>https://accounts.google.com/o/oauth2/token</tokenServerURL>
        <userInfoURL>https://www.googleapis.com/oauth2/v1/userinfo</userInfoURL>
        <userInfoClass>org.nuxeo.ecm.platform.oauth2.openid.auth.google.GoogleUserInfo</userInfoClass>
        <userResolverClass>org.nuxeo.ecm.platform.oauth2.openid.auth.EmailBasedUserResolver</userResolverClass>
        <scope>https://www.googleapis.com/auth/userinfo.email</scope>
        <icon>/icons/google.png</icon>
      </provider>

This first contribution only defines the provider, but not the client name or client secret to prevent them to be in the base contribution file.

Appending Provider Secrets

There are two ways to handle it.

Using a Second Contribution

This contribution is only read the first time you register a provider.

Require: org.nuxeo.ecm.platform.oauth2.openid.google Target: org.nuxeo.ecm.platform.oauth2.openid.OpenIDConnectProviderRegistry Extension Point: providers

      <provider>
        <name>GoogleOpenIDConnect</name>
        <clientId><!--enter your clientId here --></clientId>
        <clientSecret><!--enter your clientSecret key here --></clientSecret>
      </provider>

Using the Admin Tab

Once registered, you should be able to view/edit it though the Admin tab to set your client id, secret, scopes, etc.

UserInfo Mapping

Each identity provider has its own way to handle user identity in his UserInfo endpoint. You may need to add your own mapping class.

You just have to extend the org.nuxeo.ecm.platform.oauth2.openid.auth.OpenIDUserInfo class with the expected fields. Do not forget to set it in your provider contribution.

You can take a look to our implementation like org.nuxeo.ecm.platform.oauth2.openid.auth.google.GoogleUserInfo or org.nuxeo.ecm.platform.oauth2.openid.auth.DefaultOpenIDUserInfo .

Username Resolution

By default we provide two username resolvers.

One is based on the email field (org.nuxeo.ecm.platform.oauth2.openid.auth.EmailBasedUserResolver). The second one that handles username by concatenating the provider id and the user's subject field (org.nuxeo.ecm.platform.oauth2.openid.auth.StoredUserInfoResolver).

You can easily add your own by extending theorg.nuxeo.ecm.platform.oauth2.openid.auth.UserResolver class.

Others Parameters

You have the possibility to change some behaviors by adding the following parameters in your nuxeo.conf:

  • nuxeo.skip.oauth.token.state.check (default: false): Whether to skip checking if the provider response contains the correct OAuth2 state. Default value if recommended for security.
  • nuxeo.oauth.auth.create.user (default: false): Create user on request if not exists.

 


Other OAuth / OPenID Related Documentation