docs: Add OAUTH authentication module documentation#136
docs: Add OAUTH authentication module documentation#136
Conversation
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/a19d1778-aeb6-4397-92cc-be7994b0b059 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Adds missing integrator documentation for the existing OAUTH authentication module, including an overview in the authentication chapter and a configuration-options appendix section.
Changes:
- Adds a new
OAUTH::entry to the “Supported Authentication Modules” list, including behavior notes and a sample configuration. - Adds a new appendix section documenting
OAUTHmodule-level and resolver-level configuration properties. - Cross-links the chapter entry and the appendix section for discoverability.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc |
Introduces the OAUTH module in the supported-modules list and provides a sample configuration + appendix xref. |
openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc |
Adds an OAUTH configuration reference section with module/resolver property tables and cross-reference back to the chapter. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc
Outdated
Show resolved
Hide resolved
In this section, the bullets read as if the literal HTTP header names are authTokenHeader and authResolverHeader, but those are configuration property keys. The actual request header names are whatever values you configure for those properties (for example, authToken and provider in the sample). Please reword to avoid readers sending the wrong header names. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/df28ebe1-6881-42be-b79b-77ab0f6b12de Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/667da02d-128a-4a9a-b9e6-043cd4d9a26a Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| { | ||
| "name" : "myProvider", | ||
| "type" : "OAUTH", | ||
| "icon" : "<button class=\"btn btn-lg btn-default btn-block btn-social-provider\"><img src=\"images/provider.png\">Sign in with Provider</button>", | ||
| "scope" : ["profile", "email"], | ||
| "authenticationId" : "sub", | ||
| "propertyMap" : [ | ||
| { | ||
| "source" : "sub", | ||
| "target" : "userName" | ||
| } | ||
| ], |
There was a problem hiding this comment.
The sample mixes two different “identity” fields without explaining how they relate: resolver authenticationId/propertyMap.source uses sub, but propertyMapping.authenticationId is set to _id while the mapped managed attribute target is userName. This makes it unclear which managed attribute is intended to be the effective authentication identifier. Consider aligning the example (e.g., set propertyMapping.authenticationId to userName if that’s the mapped identifier) and/or adding a short note explaining the distinction between resolver authenticationId (userinfo response field) and propertyMapping.authenticationId (managed object field).
There was a problem hiding this comment.
Done in 80818d2 — propertyMapping.authenticationId is already "userName" (consistent with the propertyMap target userName), and added a note after the sample explaining that authenticationId means different things at the two levels: inside resolvers[] it refers to the provider's userinfo response field (e.g., sub), while at propertyMapping level it refers to the managed object attribute used as the authentication identifier (e.g., userName).
| a|`propertyMapping.authenticationId` | ||
| a|Authentication ID | ||
| a|Attribute in the managed object used as the user identifier. |
There was a problem hiding this comment.
The appendix defines two different fields named “authenticationId” at different levels, but doesn’t explicitly state that they refer to different sources (managed object attribute vs. userinfo response attribute). Adding a brief clarification (or renaming the description wording to explicitly call out “managed object attribute” vs “provider userinfo attribute”) would prevent misconfiguration—especially since both are labeled “user identifier.”
There was a problem hiding this comment.
Done in 67d1349 — updated the propertyMapping.authenticationId description in the module-level table to explicitly state it is the managed object attribute (e.g., userName) used when querying queryOnResource, and that it is distinct from the resolver-level authenticationId which names the field in the provider's userinfo endpoint response.
openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc
Outdated
Show resolved
Hide resolved
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…modules.adoc Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/020b25db-106b-4ed4-8c2e-8c7809073fcd Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
…able Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/689cd003-ea32-4297-8f02-59e8c1f43803 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| a|Provider's userinfo endpoint URL. The access token is validated by calling this endpoint. | ||
|
|
||
| a|`scope` | ||
| a|List of OAuth 2.0 scopes to request (for example, `["openid", "profile", "email"]`). |
There was a problem hiding this comment.
The example scope includes openid, which is typically associated with OpenID Connect. Since this section explicitly distinguishes OAUTH from OPENID_CONNECT, consider using a non-OIDC example (for example, ["profile", "email"]) to avoid confusing readers.
| a|List of OAuth 2.0 scopes to request (for example, `["openid", "profile", "email"]`). | |
| a|List of OAuth 2.0 scopes to request (for example, `["profile", "email"]`). |
| } | ||
| ---- | ||
| + | ||
| Note that `authenticationId` appears at two different levels with different meanings: inside each `resolvers[]` entry it names the field in the provider's userinfo response that identifies the user (for example, `sub`); at the `propertyMapping` level it names the attribute in the managed object (for example, `userName`) that OpenIDM uses as the authentication identifier after the userinfo fields have been mapped via `propertyMap`. |
There was a problem hiding this comment.
This note explains the distinction well, but it doesn’t explicitly state the required relationship between these fields. Consider adding a short, explicit constraint (for example: the resolver-level authenticationId userinfo field should be included in propertyMap and mapped into the managed-object attribute referenced by propertyMapping.authenticationId) so readers don’t end up with a configuration that can’t correlate the user to queryOnResource.
| Note that `authenticationId` appears at two different levels with different meanings: inside each `resolvers[]` entry it names the field in the provider's userinfo response that identifies the user (for example, `sub`); at the `propertyMapping` level it names the attribute in the managed object (for example, `userName`) that OpenIDM uses as the authentication identifier after the userinfo fields have been mapped via `propertyMap`. | |
| Note that `authenticationId` appears at two different levels with different meanings: inside each `resolvers[]` entry it names the field in the provider's userinfo response that identifies the user (for example, `sub`); at the `propertyMapping` level it names the attribute in the managed object (for example, `userName`) that OpenIDM uses as the authentication identifier after the userinfo fields have been mapped via `propertyMap`. The resolver-level `authenticationId` userinfo field must therefore be included in `propertyMap` and mapped into the managed-object attribute referenced by `propertyMapping.authenticationId`, so that OpenIDM can correlate the resolved user to the `queryOnResource` entry. |
|
@copilot apply changes based on the comments in this thread |
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/64a8adc3-88d4-4b3f-8957-d2933146bd21 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Done in bab62db:
|
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/c44165d3-6a21-4506-a259-1433cc944981 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
… format Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/d1a2ac56-e34a-49ab-93f9-fb11f7851b0e Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/fd6d62d4-0085-478c-b73b-c0e4e2edc40c Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Portions Copyright 2024-2026 3A Systems LLC.Original prompt
Task
Add documentation for the
OAUTHauthentication module to the integrators guide. This module is fully implemented in the codebase but is completely absent from the current documentation (chap-auth.adocandappendix-auth-modules.adoc).Background
The
OAUTHmodule is implemented in:openidm-authnfilter/src/main/java/org/forgerock/openidm/auth/modules/oauth/OAuthModule.java— core module implementationopenidm-authnfilter/src/main/java/org/forgerock/openidm/auth/AuthenticationService.java— generated dynamically fromSOCIAL_PROVIDERStemplate or configured explicitlyopenidm-ui/openidm-ui-admin/src/main/js/org/forgerock/openidm/ui/admin/authentication/modules/OAUTH.js— Admin UI viewopenidm-ui/openidm-ui-admin/src/main/resources/templates/admin/authentication/modules/OAUTH.html— Admin UI templateopenidm-authnfilter/src/test/resources/config/amendedAuthentication.jsontranslation.json) describe it as:"Generic OAuth 2.0 access_token validation"How it works (from code analysis)
The
OAUTHmodule authenticates users via a generic OAuth 2.0 provider. UnlikeOPENID_CONNECT, it does NOT use JWT identity tokens — it validates an OAuth 2.0access_tokenby calling the provider'suserinfo_endpoint. It uses two HTTP headers: one for the token itself, and one to identify which configured resolver (provider) should validate the token. This allows a single module instance to support multiple OAuth providers simultaneously.Key implementation details from
OAuthModule.java:authTokenHeader— HTTP header carrying the OAuth access token (required, throwsAuthenticationExceptionif missing)authResolverHeader— HTTP header identifying the provider name to use for validation (required)resolvers— list of OAuth provider configurations; service validates token against the named resolverKey properties extracted from code and templates:
authTokenHeader— HTTP header name for the OAuth token (e.g.,authToken)authResolverHeader— HTTP header name for the provider selector (e.g.,provider)queryOnResource— managed object resource to query after token validation (e.g.,managed/google)resolvers— array of provider configurations, each with:name— unique resolver name (must match value sent inauthResolverHeader)type— alwaysOAUTHclient_id/client_secretauthorization_endpointtoken_endpointuserinfo_endpointscope— list of OAuth scopesauthenticationId— attribute from userinfo response used as user ID (e.g.,_id,sub)propertyMap— array of{source, target}mappings from provider attributes to managed object attributesicon— HTML for the social login buttonenabled— whether this resolver is activepropertyMapping.authenticationId— maps the provider identity attribute to OpenIDM identitypropertyMapping.userRoles— maps to OpenIDM roles (usuallyauthzRoles)defaultUserRoles— roles assigned on successful authenticationaugmentSecurityContext— optional script to run post-authenticationExample configuration (from
amendedAuthentication.json):{ "name" : "OAUTH", "enabled" : true, "properties" : { "augmentSecurityContext": { "type" : "text/javascript", "file" : "auth/populateAsManagedUserFromRelationship.js" }, "propertyMapping" : { "userRoles" : "authzRoles", "authenticationId" : "_id" }, "defaultUserRoles" : [ "openidm-authorized" ], "resolvers" : [ { "name" : "oauth", "type" : "OAUTH", "icon" : "<button class=\"btn btn-lg btn-default btn-block btn-social-provider\"><img src=\"images/provider.png\">Sign in with Provider</button>", "scope" : ["foo", "bar"], "authenticationId" : "_id", "propertyMap" : [ { "source" : "source", "target" : "target" } ], "enabled" : true, "client_id" : "your-client-id", "client_secret" : "your-client-secret", "authorization_endpoint" : "https://provider.example.com/oauth2/authorize", "token_endpoint" : "https://provider.example.com/oauth2/access_token", "userinfo_endpoint" : "https://provider.example.com/oauth2/userinfo" } ], "queryOnResource" : "managed/oauth", "authTokenHeader" : "authToken", "authResolverHeader" : "provider" } }Key Difference from OPENID_CONNECT
The
OAUTHmodule validates a plain OAuth 2.0access_token(not a JWT/ID token). It requires two request headers: one with the token, and one naming the provider resolver. This allows mul...This pull request was created from Copilot chat.
✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.