Server

Using OpenID / OAuth2 in Login Screen

Updated: December 5, 2024

You can use any OpenID / OAuth 2 identity provider in the authentication chain. A Nuxeo addon, OpenID Authentication, is available to make this possible.

The default behavior is to display a sign-in button per identity provider to start the authentication challenge, then building the expected UserIdentificationInfo with the provided UserInfo.

By default, the username resolved with the identity provider user information must be in the user directory to allow it to access the Nuxeo Platform.

Installation

The Nuxeo addon OpenID Authentication enables you to use OpenID Connect, the identity layer on top of the OAuth 2.0 protocol, and so to use OAuth 2 providers as identity providers.

This addon requires no specific installation steps. It can be installed like any other package with nuxeoctl command line or from the Marketplace.

Configuration

Declaring a New Identity Provider in Nuxeo

<extension point="providers" target="org.nuxeo.ecm.platform.oauth2.openid.OpenIDConnectProviderRegistry">
    <provider>
        <name>GoogleOpenIDConnect</name>
        <label>Google</label>
        <description>Login using your Google account</description>
        <authorizationServerURL>https://accounts.google.com/o/oauth2/auth</authorizationServerURL>
        <tokenServerURL>https://accounts.google.com/o/oauth2/token</tokenServerURL>
        <userInfoURL>https://www.googleapis.com/oauth2/v1/userinfo</userInfoURL>
        <userInfoClass>org.nuxeo.ecm.platform.oauth2.openid.auth.google.GoogleUserInfo</userInfoClass>
        <userResolverClass>org.nuxeo.ecm.platform.oauth2.openid.auth.EmailBasedUserResolver</userResolverClass>
        <scope>https://www.googleapis.com/auth/userinfo.email</scope>
        <icon>/icons/google.png</icon>
        <authenticationMethod>url</authenticationMethod> <!-- could be "bearer", default is "url" -->
    </provider>
</extension>

This first contribution only defines the provider, but not the client name or client secret to prevent them to be in the base contribution file.

Setting up the Authorized Redirect URI

In your identity provider configuration, set up the Authorized Redirect URI to the Nuxeo server. For a local Nuxeo instance using GoogleOpenIDConnect for instance this would be:

  • With JSF UI:
      http://NUXEO_SERVER/nuxeo/nxstartup.faces?provider=GoogleOpenIDConnect&forceAnonymousLogin=true
    
  • With Web UI:
      http://NUXEO_SERVER/nuxeo/ui/?provider=GoogleOpenIDConnect&forceAnonymousLogin=true
    

Appending Provider Secrets

Set up the following values in your nuxeo.conf file depending on your target provider. You only need to set the ones related to your new provider.

# Github
nuxeo.openid.github.client.id=
nuxeo.openid.github.client.secret=

# Google
nuxeo.openid.google.client.id=
nuxeo.openid.google.client.secret=

# Google+
nuxeo.openid.googleplus.client.id=
nuxeo.openid.googleplus.client.secret=

# LinkedIn
nuxeo.openid.linkedin.client.id=
nuxeo.openid.linkedin.client.secret=

# Amazon Connect
nuxeo.openid.amazon.client.id=
nuxeo.openid.amazon.client.secret=

# Facebook Connect
nuxeo.openid.facebook.client.id=
nuxeo.openid.facebook.client.secret=

UserInfo Mapping

Each identity provider has its own way to handle user identity in its UserInfo endpoint. You may need to add your own mapping class.

You just have to extend the org.nuxeo.ecm.platform.oauth2.openid.auth.OpenIDUserInfo class with the expected fields. Do not forget to set it in your provider contribution.

You can take a look to our implementation like org.nuxeo.ecm.platform.oauth2.openid.auth.google.GoogleUserInfo or org.nuxeo.ecm.platform.oauth2.openid.auth.DefaultOpenIDUserInfo .

Username Resolution

By default we provide two username resolvers.

One is based on the email field: org.nuxeo.ecm.platform.oauth2.openid.auth.EmailBasedUserResolver. The second one handles username by concatenating the provider id and the user's subject field: org.nuxeo.ecm.platform.oauth2.openid.auth.StoredUserInfoResolver.

You can easily add your own by extending theorg.nuxeo.ecm.platform.oauth2.openid.auth.UserResolver class.

Others Parameters

You can change some behaviors by adding the following parameters in your nuxeo.conf file:

  • nuxeo.skip.oauth.token.state.check (default: false): Whether to skip checking if the provider response contains the correct OAuth 2 state. Default value if recommended for security.
  • nuxeo.oauth.auth.create.user (default: false): Create user on request if not exists.

Other OAuth 2 / OPenID Related Documentation