VRE Backend API and Scheduler
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

3.3 KiB

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> </head>


SURFconext Logo

The authentication is done by SURFconext. This is an OpenID provider for all the Universities and schools in the Netherlands.

More documentation can be found at: https://wiki.surfnet.nl/display/SURFconextdev/Get+Conexted

In order to use SURFconext, you need to make a configuration in SURFconext and then configure the API.

This can be done at the location: https://sp.surfconext.nl/


SURFconext Configuration
  • Client ID: The name of the configuration. Use the API url as this is suggested in the GUI.
  • Redirect urls: The urls where to redirect to after login. Use localhost urls for development. For production use: https://workspaces.research.rug.nl/oidc/callback/
  • Access token validity: How long is the login token valid at SURFconext. SURFconext default 3600 seconds.
  • Is public client: Do not use this.
  • Grants: We need the Authorization code option
  • Subject type: We need the Persistent option

All other options are not required for making the OpenID connection with the Research Workspaces API.

Attention: When you save the configuration for the first time, you will get an Client secret. Save this value somewhere safe. You need it later on.


In the last part of the configuration you need to setup which information you want to receive van de OpenID provider. If this is changed, then every user needs to login again, as the login has 'changed'

More information about which claims are available can be found here: https://wiki.surfnet.nl/display/SURFconextdev/Claims


After the OpenID configuration is created at SURFconext, you need to setup the API with the right variables.

In the future there is a possibility that less variables are needed. Because the used library does not support OpendID discovery yet :

For SURFconext the well known url is: https://connect.SURFconext.nl/oidc/.well-known/openid-configuration

  • OIDC_RP_CLIENT_ID: The ID that is entered in the Client ID field. This is based on the url of the API.
  • OIDC_RP_CLIENT_SECRET: When you create a new configuration, you will be presented with a generated secret. Store this variable safely. It will not be shown again.
  • OIDC_RP_SIGN_ALGO: The signing algorithm. SURFconext uses RS256
  • OIDC_OP_AUTHORIZATION_ENDPOINT: Full url to the authorization endpoint. In the well known data it is the url at authorization_endpoint
  • OIDC_OP_TOKEN_ENDPOINT: Full url to the token endpoint. In the well known data it is the url at token_endpoint
  • OIDC_OP_USER_ENDPOINT: Full url to the user info endpoint. In the well known data it is the url at userinfo_endpoint
  • OIDC_OP_JWKS_ENDPOINT: Full url to the certification endpoint. Needed because of the RS256 algorithm. In the well known data it is the url at jwks_uri

Two other settings depends on the Research Workspaces frontend which are used after login or logout actions.

  • LOGIN_REDIRECT_URL: Where to redirect to after the login is successfully.
  • LOGOUT_REDIRECT_URL: Where to redirect to after the logout is successfully.