In v2.6.0+ we will add OIDC authn to WS.

  • Extract the code from the Authorization header (format below)
  • POST to the token endpoint, authenticating the client with HTTP basic authn (client id and secret), to exchange the code for an access token
  • Call the userinfo endpoint with the access token to get the user attributes (no other authn)
  • Resolve the subject from the configured userinfo claim


External system in grouper.properties

############################################
## OIDC external system
############################################

# url to exchange the oidc code for an access token, e.g. https://idp.institution.edu/idp/profile/oidc/token (required)
# grouper.oidcExternalSystem.myOidcConfigId.tokenEndpointUri = 

# url to get the user info from the access token, e.g. https://idp.pennkey.upenn.edu/idp/profile/oidc/userinfo (required)
# grouper.oidcExternalSystem.myOidcConfigId.userInfoUri = 
 
# client id registered with the IdP (required)
# grouper.oidcExternalSystem.myOidcConfigId.clientId = 

# client secret used by the web service to authenticate to the token endpoint (required)
# grouper.oidcExternalSystem.myOidcConfigId.clientSecret = 

# if this oidc connector is enabled
# grouper.oidcExternalSystem.myOidcConfigId.enabled = 



Grouper also has a second set of properties in grouper.properties for each OIDC configuration (the config id that appears in the bearer token)

# config id of the external system (required)
grouper.oidc.configId.oidcExternalSystemConfigId = 

# needed for retrieving an access token, e.g. https://my.app/someUrlBackFromIdp
grouper.oidc.configId.redirectUri = 

# scope to retrieve from oidc, e.g. openid email profile (required)
grouper.oidc.configId.scope = 

# optional, could be in claim as "subjectSourceId", e.g. myPeople
grouper.oidc.configId.subjectSourceId = 

# subjectId, subjectIdentifier, or subjectIdOrIdentifier (required)
grouper.oidc.configId.subjectIdType = 

# some claim name that has the subjectId / subjectIdentifier / subjectIdOrIdentifier in it.  e.g. employeeId (required)
grouper.oidc.configId.subjectIdClaimName = 

Make a web service call

Authorization: Bearer oidc_configId_abc123def456

-or-

Authorization: Bearer oidcWithRedirectUri_configId_lmn432rew987_abc123def456    (lmn432rew987 is the base64-encoded redirect URI)

Grouper will look up the OIDC configuration for that config id, redeem the code for the userinfo claims, and the Grouper Web Service will authenticate as the user identified in the configured claim
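The flow above (header parsing, code-for-token exchange with client basic authn, subject resolution from the userinfo claim) as an added Python example; this is not Grouper's code. It assumes the two header shapes shown above, standard base64 for the redirect URI, config ids without underscores, and a constructed config whose client id and secret are placeholders.

```python
import base64
from urllib.parse import urlencode

# Constructed stand-in for this page's grouper.oidc.<configId>.* and external system settings.
CONFIG = {"tokenEndpointUri": "https://idp.example.edu/idp/profile/oidc/token",
          "clientId": "foo", "clientSecret": "bar",  # placeholders, not real values
          "redirectUri": "https://my.app/someUrlBackFromIdp",
          "subjectSourceId": "myPeople", "subjectIdType": "subjectIdentifier",
          "subjectIdClaimName": "employeeId"}

def encode_redirect_uri(uri):
    """Client side: base64 the redirect URI for the oidcWithRedirectUri_ form."""
    return base64.b64encode(uri.encode("utf-8")).decode("ascii")

def parse_bearer(header):
    """Split 'Bearer ...' into config id, code and optional redirect URI."""
    scheme, _, token = header.strip().partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("not a bearer token")
    if token.startswith("oidc_"):
        parts = token.split("_", 2)  # the code keeps any later underscores
        if len(parts) != 3 or not all(parts):
            raise ValueError("malformed oidc bearer token")
        return {"configId": parts[1], "code": parts[2], "redirectUri": None}
    if token.startswith("oidcWithRedirectUri_"):
        parts = token.split("_", 3)
        if len(parts) != 4 or not all(parts):
            raise ValueError("malformed oidcWithRedirectUri bearer token")
        # Assumes standard (not URL-safe) base64; the page only says "base64".
        uri = base64.b64decode(parts[2], validate=True).decode("utf-8")
        return {"configId": parts[1], "code": parts[3], "redirectUri": uri}
    raise ValueError("unknown bearer token prefix")

def build_token_request(parsed, config):
    """POST to the token endpoint: client Basic auth, never user credentials."""
    creds = f"{config['clientId']}:{config['clientSecret']}".encode("ascii")
    body = {"grant_type": "authorization_code", "code": parsed["code"],
            "redirect_uri": parsed["redirectUri"] or config["redirectUri"]}
    headers = {"Authorization": "Basic " + base64.b64encode(creds).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    return config["tokenEndpointUri"], headers, urlencode(body)

def resolve_subject(userinfo, config):
    """Map userinfo claims to the subject lookup; a missing claim fails closed."""
    value = userinfo.get(config["subjectIdClaimName"])
    if not value:
        raise LookupError(f"claim {config['subjectIdClaimName']} missing")
    source = config.get("subjectSourceId") or userinfo.get("subjectSourceId")
    return {"sourceId": source, config["subjectIdType"]: value}
```

The redirect URI carried in the header overrides the configured one only for the token exchange; the userinfo call itself is made with the returned access token.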


Developers only

A users file for the local OIDC provider is in git:

grouper/misc/oidc_container_users.json


Command to run the local OIDC provider in Docker:

docker run --rm -d -p 9000:9000 --mount type=bind,src=/Users/vsachdeva/Downloads/oidc_users/users.json,dst=/tmp/users.json  -e "REDIRECTS=http://localhost:8080/grouper/grouperUi/app/UiV2Main.oidc" -e "USERS_FILE=/tmp/users.json"  qlik/simple-oidc-provider


Auth URL: http://localhost:9000/auth?response_type=code&scope=openid+email+profile&client_id=foo&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fgrouper%2FgrouperUi%2Fapp%2FUiV2Main.oidc


1 Comment

  1. What is "abc123def456"?