Tested with Google's OpenID Connect and AAF
This plugin is for use with XNAT 1.7.5.x releases.
There are 2 ways to deploy XNAT-Web:
When you have deployed the specific version of XNAT Web, you will need to deploy this XNAT plugin. For more information, please XNAT documentation on how to deploy plugins.
Again there are 2 ways to accomplish this:
-
Download the latest development version here
-
Copy the plugin jar to your plugins folder:
cp build/libs/xnat-openid-auth-plugin-all-1.0.0-SNAPSHOT.jar /data/xnat/home/plugins
To build the XNAT OpenID authentication provider plugin:
-
If you haven't already, clone this repository and cd to the newly cloned folder.
-
Build the plugin:
./gradlew clean fatJar
On Windows, you can use the batch file:
gradlew.bat clean fatJar
This should build the plugin in the file build/libs/xnat-openid-auth-plugin-all-1.0.0-SNAPSHOT.jar (the version may differ based on updates to the code).
-
Build the plugin jar or download the latest development version here
-
Optionally run the tests:
./gradlew clean test
-
Copy the plugin jar to your plugins folder:
cp build/libs/xnat-openid-auth-plugin-all-1.0.0-SNAPSHOT.jar /data/xnat/home/plugins
After deploying the plugin, you will need to configure it.
XNAT searches for authentication plugin configurations by looking for files whose names match the pattern:
*-provider.properties
It looks in the following locations:
- On the classpath in the folder META-INF/xnat/auth
- In a folder named auth under the XNAT home folder (usually configured with the xnat.home system variable)
This plugin will use any entries located in any of those properties files where the property type is set to "openid". See the sample properties in the resources directory.
The following properties control the plugin:
Comma delimited list of provide ids, currently tested with Google google
, AAF aaf
, and WUSTL wustl
.
The main domain, needed to build the full preEstablishedRedirUri
The return leg of OpenID request after the provider has authenticated, defaults to <siteUrl>/openid-login
The ID obtained on app registration
The Secret obtained on app registration
Controls the scopes returned by the server: openid,profile,email
Controls the link HTML snippet displayed on the Login page for this provider. Location of the link text can optionally be customised by modifying Login.vm
.
Controls whether domains of the email should be compared against the whitelist: allowedEmailDomains
.
Comma delimted whitelist of domains.
Allows skipping of user creation, usually set to true.
Flag to set the enabled
property of new users, set to false to allow admins to manually enable users before allowing logins, set to true to allow immediate access.
Flag to set the verified
property of new users.
The optional URI of the UserInfo endpoint. If present then a call will be exchanged to this endpoint to collect additional information about the user.
The property names used to populate user information during user creation. These are the property names from the information returned from the authentication provider.
Toggle username & password login visibility on the login form
Flag to enable the PKCE feature in the authrozation code grant flow
Default pattern to define auth_user field of the xhbm_xdat_user_auth table
Sample configuration files are found here. Please note the need to rename these files before usage, see opening section of the file.