Introduction

All major changes introduced with the new SSO system are listed here.

The OAuth 2.0 authorization framework enables a third-party application (the client) to obtain limited access to an HTTP service on behalf of a resource owner (the end user). For instance, a tool for generating advanced meta analysis graphs (the client) could obtain access to read and possibly modify a review author's (the end user's) reviews in Archie.

...

OAuth 2.0 is a framework for building authentication protocols; the actual protocol used in the Cochrane project is OpenID Connect (OIDC), as implemented in Keycloak. For more information on the OIDC implementation in Keycloak, see: https://www.keycloak.org/docs/39.30/server_admin/topics/sso-protocols/oidc.htmlindex.html#_oidc

OIDC itself uses the JSON Web Token (JWT) standards to define the identity token format and the ways to digitally sign and encrypt data. More information about JWT can be found at: https://tools.ietf.org/html/rfc7519

...

At the authorization endpoint the end user will have to log into Cochrane Account if he or she is not logged in already. After the authentication, provided that the scope of the request is different from "none", the end user may be presented with a consent screen where he or she has to agree to give the client access to resources in Archie within the given scope before the flow may continue. Note: the consent screen is not shown for clients hosted on *.cochrane.org domains.




Once the authentication and possible consent are in order, i.e. the end user has authorized the client to access his or her data, the browser is redirected back to the redirect URI (using an HTTP 302 status code) with the following query parameters added:

...