OIDC
NotifyBC currently can only authenticate RSA-signed OIDC access tokens, and only when the token is a JWT. OIDC providers such as Keycloak meet this requirement.
To enable the OIDC authentication strategy, add an oidc configuration object to src/config.local.js. The object supports the following properties:
- discoveryUrl - OIDC discovery url
- clientId - OIDC client id
- isAdmin - a predicate function that determines whether the authenticated user is a NotifyBC administrator. The function receives the decoded OIDC access token JWT payload as its user object and should return either a boolean or a promise of a boolean, i.e. the function can be either sync or async.
- isAuthorizedUser - an optional predicate function that determines whether the authenticated user is an authorized NotifyBC user. If omitted, every authenticated user is an authorized NotifyBC user. This function has the same signature as isAdmin.
An example of a complete OIDC configuration looks like
```js
module.exports = {
  ...
  oidc: {
    discoveryUrl:
      'https://op.example.com/auth/realms/foo/.well-known/openid-configuration',
    clientId: 'NotifyBC',
    // Administrator iff the client-scoped role list for this client contains 'admin'.
    // Guard each step so a token without the claim is rejected instead of throwing.
    isAdmin(user) {
      const roles =
        user.resource_access &&
        user.resource_access.NotifyBC &&
        user.resource_access.NotifyBC.roles;
      if (!(roles instanceof Array) || roles.length === 0) return false;
      return roles.indexOf('admin') > -1;
    },
    // Authorized user iff the realm-level role list contains 'offline_access'.
    isAuthorizedUser(user) {
      const roles = user.realm_access && user.realm_access.roles;
      if (!(roles instanceof Array)) return false;
      return roles.indexOf('offline_access') > -1;
    },
  },
};
```
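The following is an added example, not NotifyBC's own code, showing how the two predicates behave when run against decoded token payloads. It assumes Keycloak-style claim names (`realm_access`, `resource_access`, `roles`) and the client id `NotifyBC` from the configuration above; the payloads are constructed for the example and are not real tokens. `isAuthorizedUser` is written as an async function to show that the promise-returning form is equally acceptable, and the helper `rolesAt` is a hypothetical name introduced here.

```javascript
// Added example (not NotifyBC's own code). Claim names and the client id
// 'NotifyBC' are assumptions taken from the configuration example above.
const CLIENT_ID = 'NotifyBC';

// Walk a nested claim path and return the role array found there, or [] when
// any segment is missing or the leaf is not an array. This keeps the
// predicates from throwing on tokens that carry no role claims at all.
function rolesAt(payload, ...path) {
  let node = payload;
  for (const key of path) {
    if (node === null || typeof node !== 'object') return [];
    node = node[key];
  }
  return Array.isArray(node) ? node : [];
}

const oidc = {
  discoveryUrl:
    'https://op.example.com/auth/realms/foo/.well-known/openid-configuration',
  clientId: CLIENT_ID,
  // Synchronous predicate: administrator iff the client-scoped roles contain 'admin'.
  isAdmin(user) {
    return rolesAt(user, 'resource_access', CLIENT_ID, 'roles').includes('admin');
  },
  // Asynchronous predicate: returns Promise<boolean>, which NotifyBC also accepts.
  async isAuthorizedUser(user) {
    return rolesAt(user, 'realm_access', 'roles').includes('offline_access');
  },
};

// Constructed sample payloads (decoded JWT claims, not real tokens).
const adminPayload = {
  sub: 'user-1',
  realm_access: { roles: ['offline_access', 'uma_authorization'] },
  resource_access: { NotifyBC: { roles: ['admin'] } },
};
const plainUserPayload = {
  sub: 'user-2',
  realm_access: { roles: ['offline_access'] },
  resource_access: { account: { roles: ['view-profile'] } },
};
const sparsePayload = { sub: 'user-3' }; // no role claims at all

// Resolve both predicates (sync or async) and reduce to one access level.
async function classify(user) {
  const admin = await oidc.isAdmin(user);
  const authorized = await oidc.isAuthorizedUser(user);
  if (admin) return 'admin';
  return authorized ? 'user' : 'denied';
}

Promise.all([adminPayload, plainUserPayload, sparsePayload].map(classify)).then(
  (levels) => console.log(levels), // ['admin', 'user', 'denied']
);
```

Because `classify` awaits both predicates, the same code path handles a synchronous `isAdmin` and an asynchronous `isAuthorizedUser`, which is why the configuration may mix the two forms freely.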
In the NotifyBC web console, and only in the web console, OIDC authentication takes precedence over the built-in admin user: if OIDC is configured, the login button redirects to the OIDC provider instead of showing the login form.
There is no default OIDC configuration in src/config.ts.