History: OpenID Connect
Source of version: 5 (current)
OpenID Connect is an authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled by the OpenID Foundation. New in ((Tiki23)).

The library used is https://packagist.org/packages/steverhoades/oauth2-openid-connect-client

!! To enable OpenID Connect
Select Tiki and OpenID Connect from tiki-admin.php?page=login -> General preferences -> Authentication method. Then visit the OpenID Connect tab and fill in the preferences page.

Tiki uses the OpenID Connect Authorization Code flow: after a successful login at the provider, the user is redirected to the Tiki login page with a code passed as a query argument. Tiki then contacts the OpenID Connect provider to exchange the code for the access tokens. The redirect URL registered with the provider should therefore point to tiki-login.php.

!!! OKTA OpenID Connect (example)
To use OKTA services you need to create an account at https://www.okta.com. Okta offers a trial account; once your email is validated you will be redirected to your Okta Dashboard.

<SERVER_DOMAIN>: https://my.okta.com

||pref|value
Issuer URL|<SERVER_DOMAIN>/oauth2/default
Provider URL Authorization|<SERVER_DOMAIN>/oauth2/default/v1/authorize
Provider URL user access token|<SERVER_DOMAIN>/oauth2/default/v1/token
JKWS URL|<SERVER_DOMAIN>/oauth2/default/v1/keys||

!!! Keycloak OpenID Connect (example)
<SERVER_DOMAIN>: https://my.server.com
Realm: master

||pref|value
Issuer URL|<SERVER_DOMAIN>/auth/realms/master
Provider URL Authorization|<SERVER_DOMAIN>/auth/realms/master/protocol/openid-connect/auth
Provider URL user access token|<SERVER_DOMAIN>/auth/realms/master/protocol/openid-connect/token
JKWS URL|<SERVER_DOMAIN>/auth/realms/master/protocol/openid-connect/certs||

Client ID and Client Secret are provided by the service.

!! How user is linked
After a successful login and access token retrieval, Tiki uses the user's email to match against the existing users.

!! How user is created
If no user is matched and the preference "Create user if not registered in Tiki" is enabled, Tiki uses the preferred_username or the name returned in the access_token to create a new user and logs the user in right after. If that username or name is already in use, Tiki returns an error.

Alias: (alias(OIDC))