DMPRoadmap / roadmap

DCC/UC3 collaboration for a data management planning tool
MIT License

Adding OAuth provider #2841

Open yjarosz opened 3 years ago

yjarosz commented 3 years ago

Hello,

I am trying to add login/logout functionality through Keycloak (OAuth provider). This one in particular. I have followed the steps in the wiki and have some issues with steps 5 and 6.

5) Is this step really needed? If it does not work without it, I do not see any identifier_schemes key where I could add my provider.

6) The column used_for_login does not exist in the database.

```sql
INSERT INTO identifier_schemes (name, description, used_for_login, active)
VALUES ('orcid', '', false, true);
```

thanks

Please complete the following fields as applicable:

What version of the DMPRoadmap code are you running? (e.g. v2.2.0) master

Expected behaviour: I would like to be able to link people to that provider or better, allow them to log in directly with it and be able to logout.

Actual behaviour:

Steps to reproduce: Fresh install?

briri commented 3 years ago

Hi @yjarosz, our apologies, the documentation on that wiki page was a bit out of date. I have just updated it with information relevant to the latest iteration of that identifier_schemes table. https://github.com/DMPRoadmap/roadmap/wiki/OAuth-Providers

All of the systems we are aware of use a combination of Shibboleth and username+password for authentication. When the code for the omniauth_callbacks_controller.rb was first written it was designed to be generic so that people could plug in omniauth providers like ORCID, Google or Keycloak. That was several years ago, though, so please be aware that you may encounter some issues with the handling of the response. Here are the scenarios that it should produce (if using it as a login option)

Please let us know if you run into issues. Also, please consider sending a PR to add the Keycloak login option so that others in the DMPRoadmap community can benefit from your work 👍🏻

yjarosz commented 3 years ago

I see. Thank you for updating the docs 😉

I guess I will go with ORCID right now as it seems more straightforward. I need more time to try out the Keycloak (OpenID) version.

briri commented 3 years ago

I think we should revisit the OAuth logic in the controllers, config, views and identifiers model/table. It was originally developed to be somewhat generic to make it easy to plug in different OAuth providers. The code, though, has drifted away from this. It should take too much effort to reevaluate and bring back to that point.