
OpenID Connect Authentication #14

Open
wants to merge 7 commits into base: master

Conversation

@mickmis mickmis commented Aug 5, 2018

Hi,

At The Hyve (https://thehyve.nl/) we implemented support for OpenID Connect authentication in i2b2, which in our case is meant to be used by Glowing Bear (https://glowingbear.app/) and PIC-SURE (http://bd2k-picsure.hms.harvard.edu/). We tested the implementation with Keycloak as the OIDC server.

When users are configured to be authenticated this way, they cannot log in anymore with the existing clients. This is due to the fact that in the XML requests, the field containing the password is used to pass the (RS256-signed only) token obtained through OIDC by the client.

We figured you might want to mainline this additional authentication possibility, which does not introduce incompatibilities with the others.

Best regards,
Mickaël Misbach


Some information and how-to about the changes:

  • The users must already exist in the i2b2 PM database, either existing users should be converted to be authenticated with OIDC, or created for this purpose.

  • Converting a user to be authenticated with OIDC requires adding several i2b2 parameters. This follows the usual i2b2 parameters pattern: they can be added at the user level, cell level, or project level. This also means that users authenticated with the original i2b2 process can coexist with users authenticated by OIDC. The only restriction is that the client must also support OIDC (which means that it cannot be used with the i2b2 webclient or workbench).

  • The parameters to add are the following:

    • name: "authentication_method", value: "OIDC": flag that indicates that the user(s) must be authenticated with OIDC.
    • name: "oidc_jwks_uri", value: the URL of the OIDC server (including the path at which the public keys should be fetched). Example: "http://oidc-server:8080/auth/realms/master/protocol/openid-connect/certs"
    • name: "oidc_client_id", value: the client ID configured in the OIDC server for this i2b2 instance, which must match the one in the token.
    • name: "oidc_user_field", value: the name of the field that contains the OIDC username in the token, which must match the i2b2 username. Example: "preferred_username"
    • name: "oidc_token_issuer", value: the URL/name of the OIDC server instance that issued the token, which must match the one in the token. Example: "http://oidc-server:8080/auth/realms/master"
  • Example of SQL inserts to configure the user "test" to be authenticated with OIDC:

INSERT INTO i2b2pm.pm_user_params VALUES (1, 'T', 'test', 'authentication_method', 'OIDC', NOW(), NOW(), 'i2b2', 'A');
INSERT INTO i2b2pm.pm_user_params VALUES (2, 'T', 'test', 'oidc_jwks_uri', 'http://oidc-server:8080/auth/realms/master/protocol/openid-connect/certs', NOW(), NOW(), 'i2b2', 'A');
INSERT INTO i2b2pm.pm_user_params VALUES (3, 'T', 'test', 'oidc_client_id', 'i2b2-local-jwt', NOW(), NOW(), 'i2b2', 'A');
INSERT INTO i2b2pm.pm_user_params VALUES (4, 'T', 'test', 'oidc_user_field', 'preferred_username', NOW(), NOW(), 'i2b2', 'A');
INSERT INTO i2b2pm.pm_user_params VALUES (5, 'T', 'test', 'oidc_token_issuer', 'http://oidc-server:8080/auth/realms/master', NOW(), NOW(), 'i2b2', 'A');
  • Other info:
    • some libraries are included
    • file edu/harvard/i2b2/pm/delegate/ServicesHandler.java: adds the trigger to use the authentication with OpenID Connect
    • file edu/harvard/i2b2/pm/util/SecurityAuthenticationOIDC.java: implements the interface with the method to authenticate the user. It gets the token instead of the password, checks its validity and returns true if the authentication succeeds.
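The checks that the parameters above drive, as an added standard-library Python example (not the pull request's Java code): the token arrives in the password field, only RS256 is honoured, the signing key is picked by `kid` from a JWKS document (here a constructed dict standing in for what is fetched from oidc_jwks_uri), and issuer, audience, expiry and the configured user field are compared with the oidc_* user parameters and the i2b2 username. The function names `verify_oidc_token`, `check_claims` and `rsa_pkcs1_sha256_verify` are chosen here and are assumptions, not names from the PR.

```python
import base64, hashlib, hmac, json, time

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 sec. 9.2

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def rsa_pkcs1_sha256_verify(n, e, signing_input, sig):
    """RSASSA-PKCS1-v1_5 with SHA-256 against public key (n, e), standard library only."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or k < len(SHA256_DIGESTINFO) + 32 + 11:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    ps = b"\xff" * (k - 3 - len(SHA256_DIGESTINFO) - 32)
    expected = b"\x00\x01" + ps + b"\x00" + SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return hmac.compare_digest(em, expected)

def check_claims(claims, cfg, i2b2_user, now):
    """Apply the PR's oidc_* user parameters (cfg) to the decoded payload."""
    if claims.get("iss") != cfg["oidc_token_issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if cfg["oidc_client_id"] not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return False, "expired or no exp"
    if claims.get(cfg["oidc_user_field"]) != i2b2_user:
        return False, "username mismatch"
    return True, "ok"

def verify_oidc_token(token, i2b2_user, jwks, cfg, now=None):
    """Validate the token the client sent in the password field; returns (ok, reason)."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # wrong part count, bad base64 (binascii.Error) or bad JSON
        return False, "malformed token"
    # RS256 only: alg comes from the untrusted header, so "none"/HMAC must never be honoured against the JWKS key.
    if header.get("alg") != "RS256":
        return False, "unsupported alg"
    key = next((k for k in jwks.get("keys", []) if k.get("kty") == "RSA"
                and k.get("kid") == header.get("kid")), None)
    if key is None:
        return False, "unknown kid"
    n, e = (int.from_bytes(b64url_decode(key[x]), "big") for x in ("n", "e"))
    if not rsa_pkcs1_sha256_verify(n, e, f"{h_b64}.{p_b64}".encode(), sig):
        return False, "bad signature"
    return check_claims(claims, cfg, i2b2_user, time.time() if now is None else now)
```

In the PR's design the i2b2 username comes from the request and the JWKS is fetched over HTTPS from oidc_jwks_uri; a production verifier would also cache that document and refresh it on an unknown `kid`.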
