
Integrating OpenAthens Keystone with Auth0

Create the OpenAthens Application Record:

First set up a basic application record in Keystone as per Quickstart for OpenAthens Keystone. You’ll need to enter a placeholder for the redirect URI to get it set up - you’ll update that later with the value Auth0 will generate.

Hop into the connection that was created and turn on the rule called Shortened OIDC subject (52 characters) and save.

Return to the application configuration tab, as you’ll need the client ID and client secret in the next step.


Within the Auth0 Dashboard

  1. Authentication > Social

  2. Create Connection

  3. Choose Create Custom (last option)

  4. Fill out the details

    1. The name will be displayed to users when the login method is enabled

    2. Authorization URL: https://connect.openathens.net/oidc/auth

    3. Token URL: https://connect.openathens.net/oidc/token

    4. Scope: openid

    5. Client ID: from the SP dashboard or your notes

    6. Client Secret: from the SP dashboard or your notes

    7. Fetch User Profile Script: You need a script here to reach the OpenAthens userinfo endpoint and extract any user claims you need. At the very least you will need the scope and targetedID. Something like this bare-minimum example, derived from the Auth0 docs: https://auth0.com/docs/authenticate/identity-providers/social-identity-providers/oauth2#fetch-user-profile-script

      JS
      function(access_token, ctx, callback) {
        const request = require('request');
        // The host must match the Authorization and Token URLs entered above.
        // Use connect.test.openathens.net only when testing against the OpenAthens test environment.
        const userinfoEndpoint = "https://connect.openathens.net/oidc/userinfo";
        request.get(userinfoEndpoint, {
          'headers': {
            'Authorization': 'Bearer ' + access_token
          }
        }, function(error, resp, body) {
          if (error) {
            return callback(error);
          } else if (resp.statusCode !== 200) {
            return callback(new Error(body));
          } else {
            let response;
            try {
              response = JSON.parse(body);
            } catch (parseError) {
              return callback(parseError);
            }
            // user_id is the identifier Auth0 keys the user on; targetedID and the
            // scoped affiliation are copied so the rule in the next section can expose them.
            const profile = {
              "user_id": response.eduPersonTargetedID,
              "targetedID": response.eduPersonTargetedID,
              "eduPersonScopedAffiliation": response.eduPersonScopedAffiliation
            };
            callback(null, profile);
          }
        });
      }

  5. Save changes

  6. Move on to Auth Pipeline > rules

  7. Create

  8. Add an empty rule.

  9. The rule needs to pass the claims you have obtained from OpenAthens into the response Auth0 sends to your local client. Something like:

    JS
    function (user, context, callback) {
      // Custom claims must be namespaced with a URL you control, otherwise Auth0 drops them.
      context.idToken["http://uniquenamespace/eduPersonScopedAffiliation"] = user.eduPersonScopedAffiliation;
      context.idToken["http://uniquenamespace/targetedID"] = user.targetedID;
      callback(null, user, context);
    }


Users should now be able to select OpenAthens and authenticate. When they return to your site, you should be able to authorise them using the claims that you receive.
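As an added example (not OpenAthens or Auth0 code), this is how a relying party can authorise a user from the two namespaced claims the rule above places in the ID token, failing closed when the targetedID is absent and parsing the scoped affiliation against an allow-list of institutions and roles. The namespace, the allow-lists and the sample claims are assumptions chosen to match the rule snippet.

```javascript
// Added example (not OpenAthens or Auth0 code): authorising a user from the
// namespaced claims the rule above adds to the ID token. The namespace,
// the allow-lists and the sample claims are assumptions; adjust to your own.
const NS = "http://uniquenamespace/";

// Accept a single string or an array of strings and return an array.
function toArray(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Parse "affiliation@scope" values, dropping anything malformed.
function parseScopedAffiliations(value) {
  return toArray(value)
    .filter((v) => typeof v === "string")
    .map((v) => v.trim().toLowerCase())
    .map((v) => {
      const at = v.lastIndexOf("@");
      if (at <= 0 || at === v.length - 1) return null;
      return { affiliation: v.slice(0, at), scope: v.slice(at + 1) };
    })
    .filter(Boolean);
}

// allowedScopes: institutions you have an agreement with (e.g. "example.ac.uk").
// allowedAffiliations: roles you accept (e.g. "member", "staff").
function authorise(idTokenClaims, allowedScopes, allowedAffiliations) {
  const targetedID = idTokenClaims[NS + "targetedID"];
  // No targetedID means the rule did not run or OpenAthens sent no
  // identifier: fail closed rather than admit an unidentified user.
  if (typeof targetedID !== "string" || targetedID.length === 0) {
    return { allowed: false, reason: "missing targetedID" };
  }
  const affiliations = parseScopedAffiliations(
    idTokenClaims[NS + "eduPersonScopedAffiliation"]
  );
  const match = affiliations.find(
    (a) => allowedScopes.includes(a.scope) && allowedAffiliations.includes(a.affiliation)
  );
  if (!match) return { allowed: false, reason: "no acceptable scoped affiliation" };
  return { allowed: true, subject: targetedID, ...match };
}

// Constructed sample claims, shaped like the ID token the rule above produces.
const sampleClaims = {
  [NS + "targetedID"]: "constructed-targeted-id-123",
  [NS + "eduPersonScopedAffiliation"]: ["member@example.ac.uk", "Staff@Example.ac.uk"],
};
```

Call `authorise(sampleClaims, ["example.ac.uk"], ["member"])` to see an allowed result; swap in a scope you have no agreement with and it is refused.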
