OpenID Connect Auth Module
The OpenID Connect authentication module lets Space users log in to Space with credentials stored in a third-party authentication service provider that supports the OpenID Connect protocol. Such providers include (but are not limited to):
The OpenID Connect module provides a quick and convenient way to set up third-party authentication with any of these services. It supports auto-discovery and will auto-fill most of the settings (endpoint fields) for you when you specify a discovery document URL from the identity provider.
When you configure and enable the OpenID Connect module in Space:
Space users will be able to log in to Space with their account credentials from a specified third-party identity provider, such as GitLab or Microsoft.
Space users will have fewer accounts and passwords to remember.
New users with accounts in the connected service will be able to create their own accounts in Space.
To enable OpenID Connect authentication, configuration is required on both sides: the identity provider and Space. The actual setup procedure depends on the identity provider you're going to use, but usually involves the following general steps:
Get a discovery document URL from your identity provider. It should point to a file with configuration metadata named .well-known/openid-configuration. To obtain the URL, refer to your identity provider's documentation, or look it up in our list of popular providers.
In Space, start creating a new OpenID Connect auth module: go to Administration → Auth Modules → New Auth Module.
Specify the discovery document URL. The endpoint fields will be populated automatically.
On the identity provider side, set up an OpenID Connect service (application) using the redirect URI from the OpenID Connect module form in Space.
A Client Secret and Client ID should be generated for authorizing your application.
In Space, specify the Client Secret and Client ID generated by the identity provider.
Save the settings and activate the newly created authentication module.
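The following is an added example, not part of the original documentation or Space's own code. It shows a check an administrator can run on a discovery document before relying on the auto-filled endpoint fields: the issuer must match the URL the document was fetched from, every endpoint must use HTTPS, and the scopes used later on this page (openid, profile, email) should be advertised. The helper name check_discovery, the idp.example host and both sample documents are constructed for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(discovery_url, doc, scopes=("openid", "profile", "email")):
    """Return a list of problems in a parsed discovery document (empty = OK)."""
    if not discovery_url.startswith("https://") or not discovery_url.endswith(WELL_KNOWN):
        return [f"discovery URL must be https and end with {WELL_KNOWN}"]
    problems = []
    # Issuer must equal the fetch URL minus the well-known suffix (trailing "/" ignored).
    expected = discovery_url[: -len(WELL_KNOWN)].rstrip("/")
    issuer = str(doc.get("issuer", ""))
    if issuer.rstrip("/") != expected:
        problems.append(f"issuer {issuer!r} does not match {expected!r}")
    for key in REQUIRED + ("userinfo_endpoint",):
        value = doc.get(key)
        if value is None:
            if key in REQUIRED:  # userinfo_endpoint may legitimately be absent
                problems.append(f"{key} is missing")
            continue
        parts = urlsplit(str(value))
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{key} is not an https URL: {value!r}")
    # scopes_supported is optional metadata; check it only when published.
    supported = doc.get("scopes_supported")
    if supported is not None:
        for scope in scopes:
            if scope not in supported:
                problems.append(f"scope {scope!r} is not listed in scopes_supported")
    return problems

# Constructed sample documents (idp.example is a placeholder provider).
URL = "https://idp.example" + WELL_KNOWN
GOOD = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/oauth/authorize",
    "token_endpoint": "https://idp.example/oauth/token",
    "jwks_uri": "https://idp.example/oauth/keys",
    "userinfo_endpoint": "https://idp.example/oauth/userinfo",
    "scopes_supported": ["openid", "profile", "email"],
}
BAD = dict(GOOD, issuer="https://other.example", scopes_supported=["openid", "profile"],
           token_endpoint="http://idp.example/oauth/token")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_discovery(URL, doc) or "ok")
```

To check a real provider, download its discovery document, parse it with json.load, and pass the parsed dictionary together with the URL it was fetched from.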
There are many OpenID Connect services you can use. In this example, we'll configure GitLab to work with Space as an identity provider. These instructions assume that you have an account with GitLab.
On the Space main menu, click Administration and choose Auth Modules.
Click New auth module. The New Auth Module dialog opens.
From the Type drop-down list, select OpenID Connect.
Click the link Discover OpenID Connect settings…:
Copy the GitLab discovery document URL https://gitlab.com/.well-known/openid-configuration and paste it into the field, then click Discover.
The form fields will be auto-filled with the metadata retrieved from the discovery file.
In a new browser tab or window, sign in to your GitLab account.
Navigate to User Settings → Applications → New Application.
Give your application a meaningful name (e.g. Space Authentication) and provide the Redirect URI that you have obtained from Space.
Scroll down the form and select the following checkboxes:
openid
profile
email
Leave the rest of the settings as is and click Save Application.
A page with your application ID and secret will be displayed:
You can optionally enable the following settings:
User registration
On — Accounts in the Space organization will be created automatically for unregistered users who log in using Google authentication module.
Off — Google logins will be only available to users who already have an account in the Space organization.
Restrict authentication to users with email addresses from the specified domains
When enabled, only the users with email addresses from the domain(s) you specified will be able to log in.
Specify one or more allowed domains, e.g. @gmail.com or @mycompany.com.
To save your settings and complete the setup, click Create.
To enable the module, turn its status to Active (on top of the form).