NotifyBC
OIDC

NotifyBC currently can only verify OIDC access or ID tokens that are JWTs signed with an RSA key. OIDC providers such as Keycloak meet this requirement.

To enable the OIDC authentication strategy, add an oidc configuration object to src/config.local.js. The object supports the following properties:

  1. discoveryUrl - the OIDC discovery URL (the provider's .well-known/openid-configuration document)
  2. clientId - the OIDC client id used by the NotifyBC web console
  3. isAdmin - a predicate function that determines whether the authenticated user is a NotifyBC administrator. The function receives the decoded OIDC access token JWT payload as its user argument and must return a boolean.
  4. isAuthorizedUser - an optional predicate function that determines whether the authenticated user is an authorized NotifyBC user. If omitted, every authenticated user is an authorized NotifyBC user. This function has the same signature as isAdmin.
  5. jwtVerifyOptions - an optional object passed as the third argument to the jwt.verify call that NotifyBC makes under the hood. Use it to pin the expected audience (and issuer, if desired): without an audience check, a validly signed token that the provider issued for a different client would also be accepted.

An example of a complete OIDC configuration:

module.exports = {
  // ...
  oidc: {
    discoveryUrl:
      'https://op.example.com/auth/realms/foo/.well-known/openid-configuration',
    clientId: 'NotifyBC',
    isAdmin(user) {
      // resource_access.NotifyBC is absent from the tokens of users who hold no
      // client roles on NotifyBC; optional chaining keeps the check from throwing.
      const roles = user.resource_access?.NotifyBC?.roles;
      if (!Array.isArray(roles) || roles.length === 0) return false;
      return roles.includes('admin');
    },
    isAuthorizedUser(user) {
      const roles = user.realm_access?.roles;
      return Array.isArray(roles) && roles.includes('offline_access');
    },
    jwtVerifyOptions: {
      // audience check: reject tokens issued for another client
      audience: 'NotifyBC',
    },
  },
};
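To see how the two predicates and the audience option behave on real-looking input, the following added example (not NotifyBC's own code) runs them against constructed, already-decoded Keycloak-style token payloads. It assumes signature and expiry verification have already been done by jwt.verify, mirrors jwt.verify's audience rule in a small audienceMatches helper (aud may be a string or an array, and the expected audience must appear in it), and applies the checks in the example's own order: audience, then isAuthorizedUser, then isAdmin. The classify function and the sample payloads are assumptions for illustration, not part of NotifyBC.

```javascript
// Added example, not part of NotifyBC: exercise the OIDC predicates and the
// audience check on constructed, already-decoded token payloads.

const oidc = {
  clientId: 'NotifyBC',
  isAdmin(user) {
    // resource_access.NotifyBC is missing for users with no NotifyBC client
    // roles; a naive `user.resource_access.NotifyBC.roles` would throw there.
    const roles = user.resource_access?.NotifyBC?.roles;
    return Array.isArray(roles) && roles.includes('admin');
  },
  isAuthorizedUser(user) {
    const roles = user.realm_access?.roles;
    return Array.isArray(roles) && roles.includes('offline_access');
  },
  jwtVerifyOptions: { audience: 'NotifyBC' },
};

// Mirrors the audience rule jwt.verify applies for a string `audience` option:
// the payload's `aud` may be a string or an array, and it must contain the
// expected value.
function audienceMatches(payload, expected) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return aud.includes(expected);
}

// Classify a decoded payload: audience first, then authorization, then admin.
// (Ordering is this example's own assumption.)
function classify(payload, config) {
  if (!audienceMatches(payload, config.jwtVerifyOptions.audience)) {
    return 'rejected:audience';
  }
  if (!config.isAuthorizedUser(payload)) return 'rejected:unauthorized';
  return config.isAdmin(payload) ? 'admin' : 'user';
}

// Constructed sample payloads (not real tokens).
const adminToken = {
  aud: ['NotifyBC', 'account'],
  realm_access: { roles: ['offline_access', 'uma_authorization'] },
  resource_access: {
    NotifyBC: { roles: ['admin'] },
    account: { roles: ['manage-account'] },
  },
};
const plainUserToken = {
  aud: 'NotifyBC',
  realm_access: { roles: ['offline_access'] },
  // no resource_access.NotifyBC entry at all
  resource_access: { account: { roles: ['view-profile'] } },
};
const wrongAudienceToken = {
  aud: 'account', // minted for a different client, despite the admin role
  realm_access: { roles: ['offline_access'] },
  resource_access: { NotifyBC: { roles: ['admin'] } },
};
const unauthorizedToken = {
  aud: 'NotifyBC',
  realm_access: { roles: ['uma_authorization'] },
};

for (const [name, token] of Object.entries({
  adminToken,
  plainUserToken,
  wrongAudienceToken,
  unauthorizedToken,
})) {
  console.log(name, '->', classify(token, oidc));
}
```

The wrongAudienceToken case is the one to note: the user carries the admin role, but the token was issued for another client, so the audience check rejects it before isAdmin ever runs. With Keycloak in particular, the client id only appears in an access token's aud claim if the client is configured to emit it (for example through an audience mapper), so verify what your provider actually puts in aud before relying on jwtVerifyOptions.audience.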

In the NotifyBC web console, and only there, OIDC authentication takes precedence over the built-in admin user: if OIDC is configured, the login button redirects to the OIDC provider instead of showing the built-in login form.

There is no default OIDC configuration in src/config.ts.
