From 2077e7424091ab0ac88d7801fa4198196ff03542 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 16:47:38 +0000 Subject: [PATCH 1/8] Initial plan From d1a1f4874ef8c4fcef24acf90e111f913ec59749 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 16:50:46 +0000 Subject: [PATCH 2/8] docs: Add SOCIAL_PROVIDERS authentication module documentation Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/3944cb7f-c90a-4d2d-808d-eb5d83e59389 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../appendix-auth-modules.adoc | 33 +++++++++++++ .../asciidoc/integrators-guide/chap-auth.adoc | 46 +++++++++++++++++++ 2 files changed, 79 insertions(+) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index f32c400c2..dd5710fdf 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc 
@@ -291,4 +291,37 @@ a|authentication.json |=== In general, if you add a custom property, the Admin UI writes changes to the `authentication.json` or `ui-configuration.json` files. +[#social-providers-module-details] +=== SOCIAL_PROVIDERS Module Configuration Options + +The `SOCIAL_PROVIDERS` module is a meta-module (template) that dynamically generates `OPENID_CONNECT` and `OAUTH` authentication modules at startup, one for each provider registered in the `IdentityProviderService`. The identity provider configurations themselves (client IDs, client secrets, authorization endpoints, etc.) are defined in `conf/identityProviders.json`, not inside the `SOCIAL_PROVIDERS` module entry. + +[NOTE] +====== +The `SOCIAL_PROVIDERS` entry is removed from the active authentication module list at startup — it is never initialized as an authenticator itself. Each provider entry in `conf/identityProviders.json` results in exactly one generated `OPENID_CONNECT` or `OAUTH` module. +====== + +[#social-providers-module-prop] +.SOCIAL_PROVIDERS Module Properties +[cols="28%,29%,43%"] +|=== +|Authentication Property |Property as Listed in the Admin UI |Description + +a|`enabled` +a|Module Enabled +a|Must be `true` for the meta-module to activate and generate child modules. If `false` or absent, no social provider auth modules are generated. + +a|`augmentSecurityContext` +a|Augment Security Context +a|Script inherited by all generated `OAUTH` and `OPENID_CONNECT` modules. Typically set to `auth/populateAsManagedUserFromRelationship.js`. + +a|`propertyMapping.userRoles` +a|User Roles +a|Attribute used for authorization roles, inherited by all generated modules. Usually set to `authzRoles`. + +a|`defaultUserRoles` +a|Default User Roles +a|List of roles inherited by all generated modules. Usually set to `["openidm-authorized"]`. +|=== + 
diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc index 80ce42f3b..42554a7a4 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc 
@@ -480,6 +480,52 @@ Set up logins with OpenAM, to work with the related login session cookie, known IWA:: The IWA module enables users to authenticate by using Integrated Windows Authentication (IWA), rather than by providing a username and password. For information about configuring the IWA module with OpenIDM, see xref:#openidm-auth-kerberos["Configuring IWA Authentication"]. +[#social-providers-module] +SOCIAL_PROVIDERS:: +The `SOCIAL_PROVIDERS` module is a __meta-module__ (template) that bridges the social identity provider configuration in `conf/identityProviders.json` and the OpenIDM authentication filter. It is not an authenticator itself — instead, at startup it scans all providers registered with the `IdentityProviderService`, removes itself from the active module list, and dynamically generates the corresponding `OPENID_CONNECT` or `OAUTH` authentication modules: + ++ +* For each provider of type `OPENID_CONNECT`, an `OPENID_CONNECT` auth module is generated with `openIdConnectHeader: "authToken"`. +* For each provider of type `OAUTH`, an `OAUTH` auth module is generated with `authTokenHeader: "authToken"` and `authResolverHeader: "provider"`. + ++ +The generated modules inherit the `augmentSecurityContext`, `propertyMapping`, and `defaultUserRoles` values from the `SOCIAL_PROVIDERS` template entry. + ++ +Providers are configured separately in `conf/identityProviders.json`, or via the Admin UI under *Configure > Social ID Providers*. The `SOCIAL_PROVIDERS` module acts as a single configuration point so that operators do not need to add individual `OPENID_CONNECT` or `OAUTH` entries to `authentication.json` for every social provider. + ++ +[NOTE] +====== +Any `OPENID_CONNECT` or `OAUTH` modules that are __explicitly__ defined in `authentication.json` are independent of `SOCIAL_PROVIDERS` and will coexist alongside the dynamically generated modules. They are not managed or removed by `SOCIAL_PROVIDERS`. 
+====== + ++ +A sample `SOCIAL_PROVIDERS` configuration is as follows: ++ +[source, json] +---- +{ + "name" : "SOCIAL_PROVIDERS", + "enabled" : true, + "properties" : { + "augmentSecurityContext": { + "type" : "text/javascript", + "file" : "auth/populateAsManagedUserFromRelationship.js" + }, + "propertyMapping" : { + "userRoles" : "authzRoles" + }, + "defaultUserRoles" : [ + "openidm-authorized" + ] + } +} +---- + ++ +For detailed property options, see xref:appendix-auth-modules.adoc#social-providers-module-details["SOCIAL_PROVIDERS Module Configuration Options"]. + -- From f57dbd4c5e50e1fbba3688ca0fa42320b17586bd Mon Sep 17 00:00:00 2001 From: Valery Kharseko Date: Thu, 26 Mar 2026 20:05:04 +0300 Subject: [PATCH 3/8] Update openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../main/asciidoc/integrators-guide/appendix-auth-modules.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index dd5710fdf..452e60b29 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc @@ -309,7 +309,7 @@ The `SOCIAL_PROVIDERS` entry is removed from the active authentication module li a|`enabled` a|Module Enabled -a|Must be `true` for the meta-module to activate and generate child modules. If `false` or absent, no social provider auth modules are generated. +a|Controls whether the meta-module activates and generates child modules. If set to `false`, no social provider auth modules are generated. If omitted, it defaults to `true`. a|`augmentSecurityContext` a|Augment Security Context From f671e6d4fc8ffc0cca99d81aae1f436a02d7aa74 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 17:56:12 +0000 Subject: [PATCH 4/8] docs: address review feedback on SOCIAL_PROVIDERS documentation Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/e0d0820c-5ea9-4358-a13c-505e1620cae6 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../integrators-guide/appendix-auth-modules.adoc | 14 +++++++++++--- .../main/asciidoc/integrators-guide/chap-auth.adoc | 3 +-- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index 452e60b29..a38e9f512 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc @@ -311,15 +311,23 @@ a|`enabled` a|Module Enabled a|Controls whether the meta-module activates and generates child modules. If set to `false`, no social provider auth modules are generated. If omitted, it defaults to `true`. -a|`augmentSecurityContext` +|=== + +The following properties are placed under the module's `properties` object in `authentication.json`. + +[cols="28%,29%,43%"] +|=== +|Authentication Property |Property as Listed in the Admin UI |Description + +a|`properties.augmentSecurityContext` a|Augment Security Context a|Script inherited by all generated `OAUTH` and `OPENID_CONNECT` modules. Typically set to `auth/populateAsManagedUserFromRelationship.js`. -a|`propertyMapping.userRoles` +a|`properties.propertyMapping.userRoles` a|User Roles a|Attribute used for authorization roles, inherited by all generated modules. Usually set to `authzRoles`. -a|`defaultUserRoles` +a|`properties.defaultUserRoles` a|Default User Roles a|List of roles inherited by all generated modules. Usually set to `["openidm-authorized"]`. |=== 
diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc index 42554a7a4..38ef16f7e 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc @@ -480,8 +480,7 @@ Set up logins with OpenAM, to work with the related login session cookie, known IWA:: The IWA module enables users to authenticate by using Integrated Windows Authentication (IWA), rather than by providing a username and password. For information about configuring the IWA module with OpenIDM, see xref:#openidm-auth-kerberos["Configuring IWA Authentication"]. -[#social-providers-module] -SOCIAL_PROVIDERS:: +[[social-providers-module]]SOCIAL_PROVIDERS:: The `SOCIAL_PROVIDERS` module is a __meta-module__ (template) that bridges the social identity provider configuration in `conf/identityProviders.json` and the OpenIDM authentication filter. It is not an authenticator itself — instead, at startup it scans all providers registered with the `IdentityProviderService`, removes itself from the active module list, and dynamically generates the corresponding `OPENID_CONNECT` or `OAUTH` authentication modules: + From 4e069b0f3b59a51ede1256fb0a069ad02ff083b8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 19:14:42 +0000 Subject: [PATCH 5/8] docs: constrain SOCIAL_PROVIDERS generation description to supported provider types Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/dbc5231b-07b7-45f1-acd9-c7a51f169d7e Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../asciidoc/integrators-guide/appendix-auth-modules.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index a38e9f512..b0455d2b4 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc @@ -294,11 +294,11 @@ In general, if you add a custom property, the Admin UI writes changes to the `au [#social-providers-module-details] === SOCIAL_PROVIDERS Module Configuration Options -The `SOCIAL_PROVIDERS` module is a meta-module (template) that dynamically generates `OPENID_CONNECT` and `OAUTH` authentication modules at startup, one for each provider registered in the `IdentityProviderService`. The identity provider configurations themselves (client IDs, client secrets, authorization endpoints, etc.) are defined in `conf/identityProviders.json`, not inside the `SOCIAL_PROVIDERS` module entry. +The `SOCIAL_PROVIDERS` module is a meta-module (template) that dynamically generates `OPENID_CONNECT` and `OAUTH` authentication modules at startup for supported providers registered in the `IdentityProviderService`. The identity provider configurations themselves (client IDs, client secrets, authorization endpoints, etc.) are defined in `conf/identityProviders.json`, not inside the `SOCIAL_PROVIDERS` module entry. [NOTE] ====== -The `SOCIAL_PROVIDERS` entry is removed from the active authentication module list at startup — it is never initialized as an authenticator itself. Each provider entry in `conf/identityProviders.json` results in exactly one generated `OPENID_CONNECT` or `OAUTH` module. +The `SOCIAL_PROVIDERS` entry is removed from the active authentication module list at startup — it is never initialized as an authenticator itself. Each `OPENID_CONNECT` or `OAUTH` provider entry in `conf/identityProviders.json` results in exactly one generated authentication module. ====== [#social-providers-module-prop] 
From 45d7ad2f5d95e2eedd1eb013bb4fdd91e439c0ba Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 09:09:56 +0000 Subject: [PATCH 6/8] docs: restructure SOCIAL_PROVIDERS tables to 4-column OPENAM_SESSION format Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/0d5f0a99-7121-43ad-a3ff-38f16446f70d Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../appendix-auth-modules.adoc | 28 +++++++++++-------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index b0455d2b4..d3348957c 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc 
@@ -303,33 +303,39 @@ The `SOCIAL_PROVIDERS` entry is removed from the active authentication module li [#social-providers-module-prop] .SOCIAL_PROVIDERS Module Properties -[cols="28%,29%,43%"] +[cols="18%,27%,27%,28%"] |=== -|Authentication Property |Property as Listed in the Admin UI |Description +|Admin UI Label |Default |Description |Configuration File -a|`enabled` a|Module Enabled -a|Controls whether the meta-module activates and generates child modules. If set to `false`, no social provider auth modules are generated. If omitted, it defaults to `true`. +a|true +a|Controls whether the meta-module activates and generates child modules. If set to `false`, no social provider auth modules are generated. +a|authentication.json |=== The following properties are placed under the module's `properties` object in `authentication.json`. -[cols="28%,29%,43%"] +[#social-providers-module-prop-nested] +.SOCIAL_PROVIDERS Module Properties (under `properties`) +[cols="18%,27%,27%,28%"] |=== -|Authentication Property |Property as Listed in the Admin UI |Description +|Admin UI Label |Default |Description |Configuration File -a|`properties.augmentSecurityContext` a|Augment Security Context +a|(blank) a|Script inherited by all generated `OAUTH` and `OPENID_CONNECT` modules. Typically set to `auth/populateAsManagedUserFromRelationship.js`. +a|authentication.json -a|`properties.propertyMapping.userRoles` a|User Roles -a|Attribute used for authorization roles, inherited by all generated modules. Usually set to `authzRoles`. +a|authzRoles +a|Attribute used for authorization roles, inherited by all generated modules. +a|authentication.json -a|`properties.defaultUserRoles` a|Default User Roles -a|List of roles inherited by all generated modules. Usually set to `["openidm-authorized"]`. +a|openidm-authorized +a|List of roles inherited by all generated modules. +a|authentication.json |=== From 75b0b8a55d920f153dba33c76946c4b2b3889780 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 09:23:10 +0000 Subject: [PATCH 7/8] docs: expand SOCIAL_PROVIDERS tables with all UI fields in 4-column format Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/fcbb0f59-e5ac-4eb5-ba8a-e090fb33cfee Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../appendix-auth-modules.adoc | 42 ++++++++++++------- 1 file changed, 28 insertions(+), 14 deletions(-) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index d3348957c..c3f5a4929 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc @@ -301,8 +301,8 @@ The `SOCIAL_PROVIDERS` module is a meta-module (template) that dynamically gener The `SOCIAL_PROVIDERS` entry is removed from the active authentication module list at startup — it is never initialized as an authenticator itself. Each `OPENID_CONNECT` or `OAUTH` provider entry in `conf/identityProviders.json` results in exactly one generated authentication module. ====== -[#social-providers-module-prop] -.SOCIAL_PROVIDERS Module Properties +[#social-providers-module-prop-basic] +.SOCIAL_PROVIDERS Module Basic Properties [cols="18%,27%,27%,28%"] |=== |Admin UI Label |Default |Description |Configuration File 
@@ -312,30 +312,44 @@ a|true a|Controls whether the meta-module activates and generates child modules. If set to `false`, no social provider auth modules are generated. a|authentication.json -|=== +a|Default User Roles +a|openidm-authorized +a|List of roles inherited by all generated `OAUTH` and `OPENID_CONNECT` modules. +a|authentication.json + +a|Method for Determining Roles +a|User Roles Property +a|How authorization roles are resolved. When set to `User Roles Property`, the value of the User Roles Property field is used as the attribute name on the managed object. +a|authentication.json + +a|User Roles Property +a|authzRoles +a|The managed-object attribute used for authorization roles. Applies when Method for Determining Roles is set to `User Roles Property`. +a|authentication.json -The following properties are placed under the module's `properties` object in `authentication.json`. +|=== -[#social-providers-module-prop-nested] -.SOCIAL_PROVIDERS Module Properties (under `properties`) +[#social-providers-module-prop-advanced] +.SOCIAL_PROVIDERS Module Advanced Properties [cols="18%,27%,27%,28%"] |=== |Admin UI Label |Default |Description |Configuration File -a|Augment Security Context +a|Use Query ID a|(blank) -a|Script inherited by all generated `OAUTH` and `OPENID_CONNECT` modules. Typically set to `auth/populateAsManagedUserFromRelationship.js`. +a|A defined `queryId` searches against the `queryOnResource` endpoint. Leave blank to use `action=reauthenticate`. a|authentication.json -a|User Roles -a|authzRoles -a|Attribute used for authorization roles, inherited by all generated modules. +a|Augment Security Context — Type +a|Javascript +a|Script language for the augment security context script. Supports `Javascript` or `Groovy`. a|authentication.json -a|Default User Roles -a|openidm-authorized -a|List of roles inherited by all generated modules. 
+a|Augment Security Context — File Path +a|auth/populateAsManagedUserFromRelationship.js +a|Path to the security context script, relative to the `bin/defaults/script` directory. This script is inherited by all generated `OAUTH` and `OPENID_CONNECT` modules. a|authentication.json + |=== From c1a2134a9983a637bee765b9182828654a1ba697 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 12:32:17 +0000 Subject: [PATCH 8/8] docs: update copyright year to 2026 for 3A Systems LLC Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/a70565dd-dbc0-4751-8cf9-13f2579bcdc5 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../main/asciidoc/integrators-guide/appendix-auth-modules.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index c3f5a4929..800506f33 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc @@ -12,7 +12,7 @@ information: "Portions copyright [year] [name of copyright owner]". Copyright 2017 ForgeRock AS. - Portions Copyright 2024-2025 3A Systems LLC. + Portions Copyright 2024-2026 3A Systems LLC. //// :figure-caption!:
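Review bot: [PATCH 1/8] "Initial plan" carries no diff and no message body; squash it into the following commit or drop it before merge so the history does not keep a content-free commit.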
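Review bot: In the [PATCH 2/8] appendix-auth-modules.adoc hunk, the `enabled` row states "If `false` or absent, no social provider auth modules are generated", and [PATCH 3/8] in this same series reverses that to "If omitted, it defaults to `true`"; land the corrected statement in this commit rather than shipping one that documents the opposite default. In the same table, `augmentSecurityContext`, `propertyMapping.userRoles` and `defaultUserRoles` are listed as if they were top-level keys, while the sample in chap-auth.adoc nests them under `properties` (as [PATCH 4/8] later acknowledges), so use the `properties.` prefixed names here from the start.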
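Review bot: In the [PATCH 2/8] chap-auth.adoc hunk, the block anchor `[#social-providers-module]` on its own line before the labeled-list term `SOCIAL_PROVIDERS::` does not attach to that term; [PATCH 4/8] switches to the inline form `[[social-providers-module]]SOCIAL_PROVIDERS::`, and that fix belongs in this commit. The NOTE says explicitly defined `OPENID_CONNECT` or `OAUTH` modules "will coexist alongside the dynamically generated modules" but does not say what happens when an explicit entry targets the same provider as a generated one, even though both then sit in the authentication filter chain; either state the behaviour or advise operators not to define both. Minor: the sample JSON mixes `"name" : "SOCIAL_PROVIDERS"` with `"augmentSecurityContext": {`; pick one spacing style.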
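Review bot: [PATCH 3/8] changes the `enabled` description to "If omitted, it defaults to `true`", which means an `authentication.json` entry with no `enabled` key silently turns every `OPENID_CONNECT` or `OAUTH` provider in `conf/identityProviders.json` into an active authentication module. That is worth stating in the NOTE block just above this row, together with the consequence that disabling social login requires an explicit `"enabled" : false`, so the default is not discovered only by observing which modules appear at startup.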
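Review bot: The [PATCH 7/8] hunk removes the sentence "The following properties are placed under the module's `properties` object in `authentication.json`." and merges the `Default User Roles`, `Method for Determining Roles` and `User Roles Property` rows into the Basic Properties table next to the top-level `Module Enabled` row, while the Configuration File column says only `authentication.json` for every row; a reader can no longer tell which JSON key each Admin UI label maps to or whether it sits at the top level or under `properties`. Keep the key in the Description (e.g. `properties.defaultUserRoles`, `properties.propertyMapping.userRoles`) or restore the intro sentence. Two further mismatches in the Advanced table: the `Augment Security Context` Type row gives the default as `Javascript`, but the sample in chap-auth.adoc sets `"type" : "text/javascript"`, so show the value the file actually takes; and the `Use Query ID` row documents `queryId` and `action=reauthenticate` semantics, but chap-auth.adoc states that generated modules inherit only `augmentSecurityContext`, `propertyMapping` and `defaultUserRoles`, so say whether `queryId` is inherited by the generated modules at all.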
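Review bot: [PATCH 8/8] bumps the copyright line to "Portions Copyright 2024-2026 3A Systems LLC." only in appendix-auth-modules.adoc, but chap-auth.adoc is also modified in this series ([PATCH 2/8] and [PATCH 4/8]); if the policy is to update the year on every touched file, apply the same change there for consistency.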