I’m currently setting up SSO for an OJS installation using an OpenID Connect (OIDC) Identity Provider.
At the moment I have a proof of concept working, but this is implemented by manually editing the LoginHandler class rather than by implementing an ImplicitAuthPlugin.
I’m thinking about writing this as an ImplicitAuthPlugin that can be shared back to the OJS community but there are a couple of small issues:
- There is a bit of code in the `PKPLoginHandler::implicitAuthLogin` method that is Shibboleth-specific and cannot be overridden via a plugin. Namely, the format of the redirect URL that sends the user to the login screen of the Identity Provider is hardcoded. I propose adding an extra hook, e.g. called `ImplicitAuthPlugin::implicitAuthRedirect`, that allows an ImplicitAuthPlugin to perform the redirect itself (or do nothing, in which case the current behaviour continues - so this is backward compatible).
- Currently the `implicit_auth` setting in the config file is a boolean on/off option. Using a non-Shibboleth implicit auth plugin requires disabling the existing Shibboleth plugin by manually editing the code. It would be nicer if there was some way to select between plugins - perhaps the `implicit_auth` setting could be a string setting instead, with values like ‘shibboleth’, ‘oidc’, ‘cas’? Plugins would only register for hooks if the `implicit_auth` setting matched a particular value (not sure about backward compatibility here)
(Disclaimer: I’ve only been working with OJS for a few days)
Some questions:
- Is anyone interested in this plugin?
- Any objections to adding the extra hook for generating the redirect to an Identity Provider?
- What about changing the `implicit_auth` config setting from a boolean to a string?
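
The two proposals in the post above (a redirect hook that falls back to the current behaviour, and a string-valued `implicit_auth` that selects the plugin), as an added PHP sketch that is not part of the original post and not OJS code. The `Hooks` class, the function names, the callback signature and all `example` URLs are assumptions; only the hook name and the `implicit_auth` setting come from the post.

```php
<?php
// Added sketch, not OJS code. Only the hook name and the implicit_auth
// setting come from the post; every other name and URL is hypothetical.
// Map the implicit_auth value to a plugin name. Legacy boolean values keep
// selecting Shibboleth, so existing config files behave as before.
function selectedImplicitAuth($raw): ?string {
    if (is_bool($raw)) return $raw ? 'shibboleth' : null;
    $v = strtolower(trim((string) $raw));
    if (in_array($v, ['', '0', 'off', 'false', 'no'], true)) return null;
    if (in_array($v, ['1', 'on', 'true', 'yes'], true)) return 'shibboleth';
    return $v; // e.g. 'oidc', 'cas'
}
// Stand-in hook registry: the first callback that returns a URL wins.
final class Hooks {
    private static array $callbacks = [];
    public static function register(string $name, callable $cb): void {
        self::$callbacks[$name][] = $cb;
    }
    public static function call(string $name, string $returnTo): ?string {
        foreach (self::$callbacks[$name] ?? [] as $cb) {
            $url = $cb($returnTo);
            if (is_string($url)) return $url;
        }
        return null;
    }
}

// The OIDC plugin registers for the hook only when it is the selected plugin.
function registerOidcPlugin($configValue, string $authorizeUrl, string $clientId): void {
    if (selectedImplicitAuth($configValue) !== 'oidc') return;
    Hooks::register('ImplicitAuthPlugin::implicitAuthRedirect',
        function (string $returnTo) use ($authorizeUrl, $clientId): string {
            // Random state, stored so it can be checked when the IdP redirects back.
            $state = $_SESSION['oidc_state'] = bin2hex(random_bytes(16));
            return $authorizeUrl . '?' . http_build_query([
                'response_type' => 'code', 'client_id' => $clientId,
                'redirect_uri' => $returnTo, 'scope' => 'openid', 'state' => $state,
            ]);
        });
}

// Login handler side: ask plugins first, otherwise keep the existing behaviour.
function implicitAuthRedirectUrl($configValue, string $returnTo): ?string {
    if (selectedImplicitAuth($configValue) === null) return null; // implicit auth off
    return Hooks::call('ImplicitAuthPlugin::implicitAuthRedirect', $returnTo)
        // Placeholder for the hardcoded Shibboleth redirect (format not shown in the post).
        ?? 'https://sp.example/shibboleth-login?return=' . rawurlencode($returnTo);
}
registerOidcPlugin('oidc', 'https://idp.example/authorize', 'ojs-client'); // constructed values
echo implicitAuthRedirectUrl('oidc', 'https://ojs.example/login/callback'), PHP_EOL;
```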