New Contribution: OpenId Authentication Plugin by Nelson Silva

I’m really pleased to tell you that Nuxeo now supports OpenId authentication, all thanks to our good friend Nelson Silva. Remember him? It’s one of the many things he’s helped us do.

What is OpenID authentication?

If you are not familiar with OpenID:

OpenID is a decentralized authentication protocol that makes it easy for people to sign up and access web accounts.

From a Nuxeo user point of view, it lets you log in with an existing OpenID provider account. No password needed, just make sure the user exists in Nuxeo having a common email address with your OpenID provider. Here’s an example:

I have an existing Nuxeo user who’s email is randomdude@gmail.com. Gmail is an OpenID provider. I’ve configured Nuxeo to use it as an OpenID provider. When I am on the login page, I now have a new choice. It’s a sign in with Gmail button. It will take me to Gmail which will ask me if I want to sign in to Nuxeo, or to sign in to Gmail if I have not already and then sign in to Nuxeo. And that’s it, you’re in. No username/password needed.

Configure a New OpenID Provider

As usual, there is a dedicated extension point. Here’s the default configuration for Gmail from the OpenID addon.

<?xml version="1.0"?>
<component name="org.nuxeo.ecm.platform.oauth2.openid.google" version="1.0">
  <requires>org.nuxeo.ecm.platform.oauth2.openid.OpenIDConnectProviderRegistry</requires>
  <extension
    target="org.nuxeo.ecm.platform.oauth2.openid.OpenIDConnectProviderRegistry"
    point="providers">
    <provider>
      <name>GoogleOpenIDConnect</name>
      <label>Google</label>
      <description>Login using your Google account</description>
      <authorizationServerURL>https://accounts.google.com/o/oauth2/auth</authorizationServerURL>
      <tokenServerURL>https://accounts.google.com/o/oauth2/token</tokenServerURL>
      <userInfoURL>https://www.googleapis.com/oauth2/v1/tokeninfo</userInfoURL>
      <scope>https://www.googleapis.com/auth/userinfo.email</scope>
      <icon>/icons/google.png</icon>
    </provider>
  </extension>
</component>

This configuration is incomplete as you still need to specify the clientID and the clientSecret. They are given to you by your OpenID provider (in this case Google) when you register an application through its developer console, which means you first need to declare your Nuxeo Web Application to Google. To do that, go to https://code.google.com/apis/console, then click on API Access, Create and Web Application. This pair of shared clientID/clientSecret is needed to make sure that your Nuxeo server and your OpenID provider (ex. Google) can trust each other.

So, once you have the clientID/clientSecret, create `nxserver/config/openid-config.xml`with the following content:

    <?xml version="1.0"?>
    <component name="org.nuxeo.ecm.platform.oauth2.openid.google.testing" version="1.0">
      <require>org.nuxeo.ecm.platform.oauth2.openid.google</require>
      <extension target="org.nuxeo.ecm.platform.oauth2.openid.OpenIDConnectProviderRegistry" point="providers">
       <provider>
        <name>GoogleOpenIDConnect</name>
        <clientId><!--enter your clientId here --></clientId>
        <clientSecret><!--enter your clientSecret key here --></clientSecret>
       </provider>
      </extension>
    </component>

The post New Contribution: OpenId Authentication Plugin by Nelson Silva appeared first on Nuxeo Blogs.