OpenID Connect (OIDC) Authentication

OpenID Connect (OIDC) Authentication allows users to login to a Cantemo system using a secondary user management system.

This works with any OIDC provider, such as Google Apps. But we recommend using a specific application as the provider, such as Keycloak https://www.keycloak.org/

This provides better configuration options for the authentication and session details than using for example Google Apps directly.

More information about OIDC: https://openid.net/connect/

Basic Usage

When a user comes to the login screen they will now have the additional option to log in using the configured OIDC provider.

../../_images/oidc_login_with_google.png

When the user clicks the second login button on the login page they will be redirected to the login screen of the identity provider.

When the user accepts the login, they are redirected back to Cantemo.

User email is used as the Cantemo username, additionally user First name and Last Name are set based on information from the provider.

All new users will be part of user group(s) defined by the admin.

The text on the OIDC login button is configurable.

Installation

1. The plugin uses https://github.com/mozilla/mozilla-django-oidc Python library that currently does not ship with the Cantemo installer. It must be installed with:

sudo -u www-data /opt/cantemo/python/bin/pip install mozilla-django-oidc==3.0.0

2. Add the authentication backend portal.plugins.oidc_auth.auth.OIDCAuthenticationBackend by editing /etc/cantemo/portal/portal.conf in your favourite editor, in the section [enable_extras]:

AUTHENTICATION_BACKENDS =
     portal.plugins.oidc_auth.auth.OIDCAuthenticationBackend,
     portal.vidispine.authentication.VidispineBackend,
     django.contrib.auth.backends.ModelBackend
  1. Make sure you have a User Group setup for new users logging in using this provider

4. Add OIDC configuration to /opt/cantemo/portal/portal/localsettings.py - see the two next chapters for examples. This must be done before restarting the Cantemo Services.

  1. Enable the OpenID Connect (OIDC) Authentication app from System > Overview

  2. Restart Cantemo services systemctl restart portal.target

OIDC Configuration

All the below configuration fields should be set in /opt/cantemo/portal/portal/localsettings.py

See /opt/cantemo/portal/portal/plugins/oidc_auth/localsettings_examples/ for full examples.

The following OICD Specific values must be set by the admin:

OIDC_RP_CLIENT_ID = "<id from keycloak>"
OIDC_RP_CLIENT_SECRET = "<secret from keycloak>"

Additionally the following, user group names for new users, must be set:

OIDC_AUTH_NEW_USER_GROUPS = ["<Name of User Group 1>", "<Name of User Group 2>"]

The following can be used to control the text in the login button:

OIDC_AUTH_LOGIN_BUTTON_TEXT = "Log in with Keycloak"

Additionally server end-points for authentication, token, userinfo and certs must be defined. In the case of Keycloak these can be derived from the main Keycloak address, in the case of Google they are global defaults.

See below for more information.

Provider Specific Configuration Examples

Keycloak

Example configuration is available at /opt/cantemo/portal/portal/plugins/oidc_auth/localsettings_examples/keycloak_example.txt

Fill in values for these rows:

OIDC_AUTH_NEW_USER_GROUPS = ["<Name of User Group>"]
OIDC_RP_CLIENT_ID = "<id from keycloak>"
OIDC_RP_CLIENT_SECRET = "<secret from keycloak>"
KEYCLOAK_SERVER_OPEN_CONNECT_ID_URL = "http://<key cloak server address>/realms/development/protocol/openid-connect/"

Google

Example configuration is available at /opt/cantemo/portal/portal/plugins/oidc_auth/localsettings_examples/google_example.txt

Fill in values for these mandatory rows:

OIDC_AUTH_NEW_USER_GROUPS = ["<Name of User Group>"]
OIDC_RP_CLIENT_ID = "<Client ID from Google>"
OIDC_RP_CLIENT_SECRET = "<Client Secret from Google>"

Setting up OIDC for a Google Apps domain

To use “Log in with Google” you must have a domain that is connected with Google Apps (e.g. uses GMail).

You must add a project to the Google Apps domain and enable OAuth 2.0 on the project. Documentation for this is available at https://developers.google.com/identity/openid-connect/openid-connect

High-level steps in the Google Cloud Console are:

  1. Create a New Project

  2. Configure OAuth consent screen
    • User Type: Internal

    • Make sure to fill in “App domain” - full URL domain for your Cantemo system

    • And also “Authorized domains” - plain domain for your Cantemo system

    • For “scopes” select “email”, “openid” and “profile”

  3. Under Credentials create a new OAuth 2.0 client ID
    • “Authorized JavaScript origins” should be full Cantemo URL

    • “Authorized redirect URI” should point back to /oidc/callback/ on the server, for example https://cantemo.example.com/oidc/callback/

    • This will give the Client ID and Client Secret values to add to localsettings.py