diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index f32c400c2..800506f33 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc @@ -12,7 +12,7 @@ information: "Portions copyright [year] [name of copyright owner]". Copyright 2017 ForgeRock AS. - Portions Copyright 2024-2025 3A Systems LLC. + Portions Copyright 2024-2026 3A Systems LLC. //// :figure-caption!: @@ -291,4 +291,65 @@ a|authentication.json |=== In general, if you add a custom property, the Admin UI writes changes to the `authentication.json` or `ui-configuration.json` files. +[#social-providers-module-details] +=== SOCIAL_PROVIDERS Module Configuration Options + +The `SOCIAL_PROVIDERS` module is a meta-module (template) that dynamically generates `OPENID_CONNECT` and `OAUTH` authentication modules at startup for supported providers registered in the `IdentityProviderService`. The identity provider configurations themselves (client IDs, client secrets, authorization endpoints, etc.) are defined in `conf/identityProviders.json`, not inside the `SOCIAL_PROVIDERS` module entry. + +[NOTE] +====== +The `SOCIAL_PROVIDERS` entry is removed from the active authentication module list at startup — it is never initialized as an authenticator itself. Each `OPENID_CONNECT` or `OAUTH` provider entry in `conf/identityProviders.json` results in exactly one generated authentication module. +====== + +[#social-providers-module-prop-basic] +.SOCIAL_PROVIDERS Module Basic Properties +[cols="18%,27%,27%,28%"] +|=== +|Admin UI Label |Default |Description |Configuration File + +a|Module Enabled +a|true +a|Controls whether the meta-module activates and generates child modules. If set to `false`, no social provider auth modules are generated. +a|authentication.json + +a|Default User Roles +a|openidm-authorized +a|List of roles inherited by all generated `OAUTH` and `OPENID_CONNECT` modules. +a|authentication.json + +a|Method for Determining Roles +a|User Roles Property +a|How authorization roles are resolved. When set to `User Roles Property`, the value of the User Roles Property field is used as the attribute name on the managed object. +a|authentication.json + +a|User Roles Property +a|authzRoles +a|The managed-object attribute used for authorization roles. Applies when Method for Determining Roles is set to `User Roles Property`. +a|authentication.json + +|=== + +[#social-providers-module-prop-advanced] +.SOCIAL_PROVIDERS Module Advanced Properties +[cols="18%,27%,27%,28%"] +|=== +|Admin UI Label |Default |Description |Configuration File + +a|Use Query ID +a|(blank) +a|A defined `queryId` searches against the `queryOnResource` endpoint. Leave blank to use `action=reauthenticate`. +a|authentication.json + +a|Augment Security Context — Type +a|Javascript +a|Script language for the augment security context script. Supports `Javascript` or `Groovy`. +a|authentication.json + +a|Augment Security Context — File Path +a|auth/populateAsManagedUserFromRelationship.js +a|Path to the security context script, relative to the `bin/defaults/script` directory. This script is inherited by all generated `OAUTH` and `OPENID_CONNECT` modules. +a|authentication.json + +|=== + diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc index 80ce42f3b..38ef16f7e 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc @@ -480,6 +480,51 @@ Set up logins with OpenAM, to work with the related login session cookie, known IWA:: The IWA module enables users to authenticate by using Integrated Windows Authentication (IWA), rather than by providing a username and password. For information about configuring the IWA module with OpenIDM, see xref:#openidm-auth-kerberos["Configuring IWA Authentication"]. +[[social-providers-module]]SOCIAL_PROVIDERS:: +The `SOCIAL_PROVIDERS` module is a __meta-module__ (template) that bridges the social identity provider configuration in `conf/identityProviders.json` and the OpenIDM authentication filter. It is not an authenticator itself — instead, at startup it scans all providers registered with the `IdentityProviderService`, removes itself from the active module list, and dynamically generates the corresponding `OPENID_CONNECT` or `OAUTH` authentication modules: + ++ +* For each provider of type `OPENID_CONNECT`, an `OPENID_CONNECT` auth module is generated with `openIdConnectHeader: "authToken"`. +* For each provider of type `OAUTH`, an `OAUTH` auth module is generated with `authTokenHeader: "authToken"` and `authResolverHeader: "provider"`. + ++ +The generated modules inherit the `augmentSecurityContext`, `propertyMapping`, and `defaultUserRoles` values from the `SOCIAL_PROVIDERS` template entry. + ++ +Providers are configured separately in `conf/identityProviders.json`, or via the Admin UI under *Configure > Social ID Providers*. The `SOCIAL_PROVIDERS` module acts as a single configuration point so that operators do not need to add individual `OPENID_CONNECT` or `OAUTH` entries to `authentication.json` for every social provider. + ++ +[NOTE] +====== +Any `OPENID_CONNECT` or `OAUTH` modules that are __explicitly__ defined in `authentication.json` are independent of `SOCIAL_PROVIDERS` and will coexist alongside the dynamically generated modules. They are not managed or removed by `SOCIAL_PROVIDERS`. +====== + ++ +A sample `SOCIAL_PROVIDERS` configuration is as follows: ++ +[source, json] +---- +{ + "name" : "SOCIAL_PROVIDERS", + "enabled" : true, + "properties" : { + "augmentSecurityContext": { + "type" : "text/javascript", + "file" : "auth/populateAsManagedUserFromRelationship.js" + }, + "propertyMapping" : { + "userRoles" : "authzRoles" + }, + "defaultUserRoles" : [ + "openidm-authorized" + ] + } +} +---- + ++ +For detailed property options, see xref:appendix-auth-modules.adoc#social-providers-module-details["SOCIAL_PROVIDERS Module Configuration Options"]. + --