
History: OpenID Connect

Source of version: 5 (current)

OpenID Connect is an authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled by the OpenID Foundation.

New in ((Tiki23)). The library used is https://packagist.org/packages/steverhoades/oauth2-openid-connect-client

!! To enable OpenID Connect

Select Tiki and OpenID Connect from tiki-admin.php?page=login -> General preferences -> Authentication method.

Visit the OpenID Connect tab and fill the preferences page.

Tiki uses OpenID Connect with the Authorization Code flow: after a successful login at the provider, the user is redirected back to the Tiki login page with a code passed as a query argument. Tiki then contacts the provider's token endpoint to exchange that code for the access tokens.

The redirect URL should point to tiki-login.php.

!!! OKTA OpenID Connect (example)

To use OKTA services you need to create an account at https://www.okta.com. Okta offers trial accounts; once your email is validated you will be redirected to your Okta dashboard.

<SERVER_DOMAIN>: https://my.okta.com

||pref|value
Issuer URL|<SERVER_DOMAIN>/oauth2/default
Provider URL Authorization|<SERVER_DOMAIN>/oauth2/default/v1/authorize
Provider URL user access token|<SERVER_DOMAIN>/oauth2/default/v1/token
JWKS URL|<SERVER_DOMAIN>/oauth2/default/v1/keys||

!!! Keycloak OpenID Connect (example)

<SERVER_DOMAIN>: https://my.server.com
Realm: master

||pref|value
Issuer URL|<SERVER_DOMAIN>/auth/realms/master
Provider URL Authorization|<SERVER_DOMAIN>/auth/realms/master/protocol/openid-connect/auth
Provider URL user access token|<SERVER_DOMAIN>/auth/realms/master/protocol/openid-connect/token
JWKS URL|<SERVER_DOMAIN>/auth/realms/master/protocol/openid-connect/certs||

Client ID and Client Secret are provided by the service.

!! How the user is linked

After a successful login and access token retrieval, Tiki matches the email returned by the provider against the existing users.

!! How the user is created

If no user is matched and the preference "Create user if not registered in Tiki" is enabled, Tiki uses the preferred_username, or else the name, returned with the access token to create a new user and logs that user in right away.

If that username or name is already in use, Tiki returns an error.
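The flow and the linking rules above, as an added Python example (not Tiki's code and not the steverhoades library): it builds the authorization request against the Keycloak endpoints from the table, checks the state on the redirect to tiki-login.php, prepares the token exchange, and applies the email-match / preferred_username-fallback / collision rules. The host names, the case-insensitive email comparison and the user store are assumptions made for the example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed config mirroring the Keycloak table (my.server.com is the page's placeholder).
KEYCLOAK = {
    "issuer": "https://my.server.com/auth/realms/master",
    "authorize_url": "https://my.server.com/auth/realms/master/protocol/openid-connect/auth",
    "token_url": "https://my.server.com/auth/realms/master/protocol/openid-connect/token",
    "jwks_url": "https://my.server.com/auth/realms/master/protocol/openid-connect/certs",
}
REDIRECT_URI = "https://tiki.example.com/tiki-login.php"  # hypothetical Tiki host

def new_state():
    """Per-login random state, stored in the session before redirecting."""
    return secrets.token_urlsafe(16)

def build_authorize_url(cfg, client_id, state):
    """Step 1: send the browser to the provider's authorization endpoint."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
              "scope": "openid email profile", "state": state}
    return cfg["authorize_url"] + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Step 2: provider redirects to tiki-login.php?code=...&state=...; the state
    must equal the one in the session, otherwise the code is not exchanged."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: code rejected")
    return q["code"][0]

def token_request(cfg, client_id, client_secret, code):
    """Step 3: endpoint and form body for the code-for-token exchange."""
    return cfg["token_url"], {"grant_type": "authorization_code", "code": code,
                              "redirect_uri": REDIRECT_URI, "client_id": client_id,
                              "client_secret": client_secret}

def link_or_create_user(claims, users, create_if_missing):
    """Match by email; otherwise create from preferred_username (or name) when allowed.
    `users` is an assumed in-memory list of {"login", "email"} dicts."""
    for u in users:
        if u["email"].lower() == claims["email"].lower():   # assumption: case-insensitive
            return ("linked", u["login"])
    if not create_if_missing:
        return ("error", "no matching user and auto-create disabled")
    login = claims.get("preferred_username") or claims.get("name")
    if any(u["login"] == login for u in users):
        return ("error", f"username {login!r} already in use")
    users.append({"login": login, "email": claims["email"]})
    return ("created", login)
```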


Alias: (alias(OIDC))