Authorize an authenticated OpenID Connect user
Authorize whether a user already authenticated by OpenID Connect SSO can access a Genero application.
Before you begin, you must have an account with an OpenID Connect provider (such as Google) that will provide authentication services for you before you can configure GAS for OpenID Connect Single Sign On.
You may need to restricted access to certain applications or to certain specific email addresses; otherwise any user authenticated by an OpenID Connect provider can access your Genero Web application. It is therefore recommended that you add an authorization program to filter access to your applications.
The external program must be deployed beside the OpenIDConnectServer.42r program, because it will be executed by that service program. This is by default under $FGLDIR/web_utilities/services/openid-connect/bin.
access-program oidc-userid app-xcf-path [
attribute value [...]
]
- oidc-userid: the first argument is the OpenID Connect identifier (typically an opaque value returned by the IdP)
- app-xcf-path: the second argument is the application path.
- The next arguments are optional and define OpenID attributes/value pairs.
fglrun AccessProgram
"101516043183449889392" \
"qa-test/application" \
"fullname" "genero test" \
"email" "genero@4js.com" \
"country" "France"
The external authorization program is specified in the application configuration element by
adding an AUTHORIZATION
element in the DELEGATE
element.
The authorization program will be called before access to the Web application is granted. If the authorization program exits with an error code of zero (0), then access is granted for the user. Any exit code other than zero indicates access for the user is denied. In the latter case, the end user will be warned with an error page in the web browser, generated by the OpenID Connect service.