OIDC
vjrj edited this page Jun 29, 2023 · 2 revisions
Recent versions of CAS services and ALA modules running on Java 11 use the ala-auth-plugin, which lets users authenticate via OIDC instead of legacy CAS.
To migrate from CAS to OIDC authentication, your module configuration should contain something like:
```yaml
security:
  cas:
    enabled: false
  oidc:
    enabled: true
```
You also need to configure the OIDC provider in those applications:
```yaml
security:
  oidc:
    discovery-uri: 'https://auth.your-l-a.site/cas/oidc/.well-known'
    client-id: 'ChangeMe'
    secret: 'ChangeMe'
    scope: 'openid profile email ala roles'
```
Recent versions of ala-install (>= 2.1.14) generate that client ID and secret in CAS for you and configure them in each ALA module. See this PR for more details.

But if you want to do this manually for some reason, here are the steps.

- Go to the `OAuth Services` section in `cas-management`:

- Press the (+) icon and `Create OIDC`:

- Fill in the `Basic` section. Make sure that the wildcards and URL match your service URL:

- The `Client` section should have a `Client ID` and `Client Secret` autogenerated for you (you can copy them to use later). Verify the checkboxes:

- Fill in the OIDC section:

- Fill in the `Scopes` section like this:

- And press the Save icon. That's it. Now just copy the `Client ID` and `Client Secret` into your LA module configuration, as mentioned at the beginning of this page.
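
The `Basic` step asks that the wildcards and URL match your service URL; a pattern that is too loose also matches hosts you do not control. The following check is an added example, not part of the original wiki or of ALA/CAS code. The hostnames, the patterns and the whole-string match semantics are assumptions, and Python's `re` stands in for the Java regex engine.

```python
import re

# Constructed sample URLs: replace with your own module URL.
EXPECTED = [
    "https://collectory.your-l-a.site/some/page",
    "https://collectory.your-l-a.site/",
]
# Constructed URLs that the service pattern must NOT accept.
UNEXPECTED = [
    "http://collectory.your-l-a.site/",               # plain HTTP
    "https://collectory.your-l-a.site.example.net/",  # your name used as a prefix of another host
    "https://collectoryXyour-l-a.site/",              # only matches if a dot is left unescaped
]

# Hypothetical candidate patterns for the service URL field.
LOOSE = r"https://.*your-l-a.site.*"
TIGHT = r"https://collectory\.your-l-a\.site(/.*)?"


def check_service_pattern(pattern, expected=EXPECTED, unexpected=UNEXPECTED):
    """Return (missed, overmatched): expected URLs the pattern rejects,
    and unexpected URLs the pattern accepts (whole-string match assumed)."""
    rx = re.compile(pattern)
    missed = [u for u in expected if not rx.fullmatch(u)]
    overmatched = [u for u in unexpected if rx.fullmatch(u)]
    return missed, overmatched


def report(pattern):
    """Build a short human-readable verdict for one pattern."""
    missed, overmatched = check_service_pattern(pattern)
    lines = [f"pattern: {pattern}"]
    lines += [f"  MISSED      {u}" for u in missed]
    lines += [f"  OVERMATCHED {u}" for u in overmatched]
    if not missed and not overmatched:
        lines.append("  OK")
    return "\n".join(lines)


if __name__ == "__main__":
    for p in (LOOSE, TIGHT):
        print(report(p))
```

Run it with your real module URLs in `EXPECTED` before pasting the pattern into `cas-management`; a pattern is acceptable only when both returned lists are empty.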