Open ID Connect authentication implementation

config/vufind/OpenIDConnectClient.ini

@@ -0,0 +1,22 @@
+; Open ID Connect authentication settings; see the [Authentication] section of config.ini to enable.
+[Default]
+url = "https://openidconnect.provider.url"
+client_id = "your_client_id"
+client_secret = "your_client_secret"
+; Optional settings of username prefix to ensure unique usernames in case of multiple authentication methods
+username_prefix = ""
+
+; Attributes mapping in case of IdP using some non-standard/additional attributes
+;attributes[firstname] = given_name
+;attributes[lastname] = family_name
+;attributes[email] = email
+
+; Provider related settings, some can support automatic discovery using url/.well_known endpoint, if it is not case of
+; your OpenID provider, you can set needed configuration manually below
+;authorization_endpoint = "https://openidconnect.provider.url/oauth/authorize"
+;token_endpoint = "https://openidconnect.provider.url/oauth/token"
+; Please note, that VuFind supports only client_secret_basic authentication method
+;token_endpoint_auth_methods_supported[] = "client_secret_basic"
+;userinfo_endpoint = "https://openidconnect.provider.url/oauth/userinfo"
+;issuer = "https://openidconnect.provider.url"
+;jwks_uri = "https://openidconnect.provider.url/oauth/jwks"

config/vufind/config.ini

@@ -480,11 +480,22 @@ force_first_scheduled_email = false
 ;scheduled_search_frequencies[7] = schedule_weekly
 
 ; This section allows you to determine how the users will authenticate.
-; You can use an LDAP directory, the local ILS (or multiple ILSes through
-; the MultiILS option), the VuFind database (Database), a hard-coded list of
-; access passwords (PasswordAccess), AlmaDatabase (combination
-; of VuFind database and Alma account), Shibboleth, SIP2, CAS, Facebook, Email or
-; some combination of these (via the MultiAuth or ChoiceAuth options).
+[Authentication]
+; You can authenticate using one or more of the following methods:
+; - AlmaDatabase (combination of VuFind database and Alma account; see also Alma.ini)
+; - CAS (see also [CAS] section)
+; - Database: VuFind's internal user database
+; - Email (see notes below)
+; - Facebook (see also [Facebook] section)
+; - ILS: the local ILS
+; - LDAP: an LDAP directory (see also [LDAP] section)
+; - MultiILS: multiple ILSes (see also MultiBackend.ini)
+; - OpenIDConnect: Open ID Connect (see also OpenIDConnectClient.ini)
+; - PasswordAccess: a hard-coded list of access passwords (see also [PasswordAccess] section)
+; - Shibboleth (see also [Shibboleth] section)
+; - SimulatedSSO: simulated single sign-on for testing/development (see SimulatedSSO.ini)
+; - SIP2 (see also [SIP2] section)
+; - some combination of the above (via the MultiAuth or ChoiceAuth options).
 ;
 ; The Email method is special; it is intended to be used through ChoiceAuth in
 ; combination with Database authentication (or any other method that reliably stores
@@ -497,21 +508,7 @@ force_first_scheduled_email = false
 ; Also note that the Email method stores hashes in your database's auth_hash table.
 ; You should run the "php $VUFIND_HOME/public/index.php util expire_auth_hashes"
 ; utility periodically to clean out old data in this table.
-[Authentication]
-;method          = LDAP
-;method         = ILS
-method         = Database
-;method         = AlmaDatabase
-;method         = Shibboleth
-;method         = SIP2
-;method         = CAS
-;method         = MultiAuth
-;method         = ChoiceAuth
-;method         = MultiILS
-;method         = Facebook
-;method         = PasswordAccess
-;method         = Email
-;method         = SimulatedSSO ; FOR TESTING ONLY -- see SimulatedSSO.ini
+method = Database
 
 ; This setting only applies when method is set to ILS.  It determines which
 ; field of the ILS driver's patronLogin() return array is used as the username