molgenis / molgenis-emx2

MOLGENIS EMX2, the latest version of the MOLGENIS data platform.
GNU Lesser General Public License v3.0

OIDC sign in on BBMRI server with direct connection to LS AAI #3821

Closed dtroelofsprins closed 1 month ago

dtroelofsprins commented 1 month ago

Is your feature request related to a problem? Please describe.

At the moment there are working examples of OIDC sign in on EMX2 servers via a Keycloak server. When trying to set up OIDC on an EMX2 server directly to LS AAI it doesn't work. After contact with LS AAI helpdesk (Dominik Bucik) and adjusting some settings in the service, it still doesn't work.

According to Dominik the following might be (part of) a solution:

However, digging in the code for the library it seems that there is a bug in my opinion in the library itself. In short - it parses available signing algorithms from our metadata, but then does not respect any order of these (which might cause it to validate the "least" secure option before any other). Anyway - a hotfix for this would be, if you could try to configure EMX2 with a preferred signing algorithm of RS256. I would guess it should be some option like "preferredJwsAlgorithm" in the configuration of AAI integration.

and subsequently: or perhaps if you can find a way how to configure something like "response type" to "code" only, that would be great.

Describe the solution you'd like

OIDC sign in on a BBMRI server with a direct link to LS AAI.

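The two workarounds quoted in the issue above (pin a preferred signing algorithm instead of depending on the order in which the provider's metadata is iterated, and use response type `code` only), written out as an added Python example; it is not MOLGENIS or OIDC-library code. The function names, the preference list and the sample metadata values are assumptions made for illustration; only the two metadata field names come from the OIDC discovery specification.

```python
import base64
import json

# Client-side policy (assumption for this example): an allowlist in the
# client's own order of preference. "none" and HMAC algorithms are absent.
PREFERRED_ALGS = ["RS256", "ES256"]

# Constructed discovery document; the field names are standard OIDC discovery
# metadata, the values are sample data and not LS AAI's real metadata.
SAMPLE_METADATA = {
    "id_token_signing_alg_values_supported": ["none", "HS256", "ES256", "RS256"],
    "response_types_supported": ["code", "id_token", "code id_token"],
}


def select_signing_alg(metadata, preferred=PREFERRED_ALGS):
    """Pick the first client-preferred algorithm the provider advertises.

    The provider's list order is never used as a ranking.
    """
    advertised = set(metadata.get("id_token_signing_alg_values_supported", []))
    for alg in preferred:
        if alg in advertised:
            return alg
    raise ValueError("provider advertises no acceptable signing algorithm")


def select_response_type(metadata):
    """Use the authorization code flow only, as suggested in the issue."""
    if "code" not in metadata.get("response_types_supported", []):
        raise ValueError("provider does not support response_type=code")
    return "code"


def check_token_alg(id_token, pinned_alg):
    """Reject a token whose header 'alg' differs from the pinned algorithm.

    Run this before signature verification; it does not verify the signature.
    """
    header_b64 = id_token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore base64url padding
    header = json.loads(base64.urlsafe_b64decode(header_b64))
    if header.get("alg") != pinned_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    return header
```

With the constructed metadata, `select_signing_alg` returns `RS256` even though `none` and `HS256` are listed first by the provider.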