You can use any OpenID / OAuth 2 identity provider in the authentication chain. A Nuxeo addon, OpenID Authentication, is available to make this possible.
The default behavior is to display a sign-in button per identity provider to start the authentication challenge, then building the expected UserIdentificationInfo
with the provided UserInfo
.
By default, the username resolved with the identity provider user information must be in the user directory to allow it to access the Nuxeo Platform.
Installation
The Nuxeo addon OpenID Authentication enables you to use OpenID Connect, the identity layer on top of the OAuth 2.0 protocol, and so to use OAuth 2 providers as identity providers.
This addon requires no specific installation steps. It can be installed like any other package with nuxeoctl command line or from the Update Center.
Configuration
Declaring a New Identity Provider in Nuxeo
<extension point="providers" target="org.nuxeo.ecm.platform.oauth2.openid.OpenIDConnectProviderRegistry">
<provider>
<name>GoogleOpenIDConnect</name>
<label>Google</label>
<description>Login using your Google account</description>
<authorizationServerURL>https://accounts.google.com/o/oauth2/auth</authorizationServerURL>
<tokenServerURL>https://accounts.google.com/o/oauth2/token</tokenServerURL>
<userInfoURL>https://www.googleapis.com/oauth2/v1/userinfo</userInfoURL>
<userInfoClass>org.nuxeo.ecm.platform.oauth2.openid.auth.google.GoogleUserInfo</userInfoClass>
<userResolverClass>org.nuxeo.ecm.platform.oauth2.openid.auth.EmailBasedUserResolver</userResolverClass>
<scope>https://www.googleapis.com/auth/userinfo.email</scope>
<icon>/icons/google.png</icon>
</provider>
</extension>
This first contribution only defines the provider, but not the client name or client secret to prevent them to be in the base contribution file.
Setting up the Authorized Redirect URI
In your identity provider configuration, set up the Authorized Redirect URI to the Nuxeo server. For a local Nuxeo instance using GoogleOpenIDConnect for instance this would be:
- With JSF UI:
http://NUXEO_SERVER/nuxeo/nxstartup.faces?provider=GoogleOpenIDConnect&forceAnonymousLogin=true
- With Web UI:
http://NUXEO_SERVER/nuxeo/ui/?provider=GoogleOpenIDConnect&forceAnonymousLogin=true
Appending Provider Secrets
Set up the following values in your nuxeo.conf file depending on your target provider. You only need to set the ones related to your new provider.
# Github
nuxeo.openid.github.client.id=
nuxeo.openid.github.client.secret=
# Google
nuxeo.openid.google.client.id=
nuxeo.openid.google.client.secret=
# Google+
nuxeo.openid.googleplus.client.id=
nuxeo.openid.googleplus.client.secret=
# LinkedIn
nuxeo.openid.linkedin.client.id=
nuxeo.openid.linkedin.client.secret=
# Amazon Connect
nuxeo.openid.amazon.client.id=
nuxeo.openid.amazon.client.secret=
# Facebook Connect
nuxeo.openid.facebook.client.id=
nuxeo.openid.facebook.client.secret=
UserInfo Mapping
Each identity provider has its own way to handle user identity in its UserInfo
endpoint. You may need to add your own mapping class.
You just have to extend the org.nuxeo.ecm.platform.oauth2.openid.auth.OpenIDUserInfo
class with the expected fields. Do not forget to set it in your provider contribution.
You can take a look to our implementation like org.nuxeo.ecm.platform.oauth2.openid.auth.google.GoogleUserInfo
or org.nuxeo.ecm.platform.oauth2.openid.auth.DefaultOpenIDUserInfo
.
Username Resolution
By default we provide two username resolvers.
One is based on the email field: org.nuxeo.ecm.platform.oauth2.openid.auth.EmailBasedUserResolver
. The second one handles username by concatenating the provider id and the user's subject field: org.nuxeo.ecm.platform.oauth2.openid.auth.StoredUserInfoResolver
.
You can easily add your own by extending theorg.nuxeo.ecm.platform.oauth2.openid.auth.UserResolver
class.
Others Parameters
You can change some behaviors by adding the following parameters in your nuxeo.conf file:
nuxeo.skip.oauth.token.state.check
(default:false
): Whether to skip checking if the provider response contains the correct OAuth 2 state. Default value if recommended for security.nuxeo.oauth.auth.create.user
(default:false
): Create user on request if not exists.