OIDC

OpenID Connect at CSAIL

If you’ve been around MIT - more especially at CSAIL - for a while, you have probably become accustomed to using “web certificates” as a way to log yourself into the various Web-based applications around campus, like Atlas, Peeps, and many other popular sites. MIT adopted the use of web certificates in 1996 to allow its community a way to log into many different sites without having to remember a username and password for each site.

Fast forward a decade or so, and a new kind of central login method was adopted at MIT: Touchstone, which not only allowed users to use web certificates, but also allowed them to use their Athena username and password, or even existing Kerberos tickets (see http://kb.mit.edu/confluence/display/istcontrib/Touchstone+FAQ for more info).

Fast forward another decade, and CSAIL has adopted the next generation login system: OpenID Connect, or OIDC. MIT central campus also has a pilot program for OIDC; however, they are less motivated to get it integrated into campus applications because they already have Touchstone. CSAIL has been highly motivated to roll out OIDC because in the very near future, major web browser vendors like Mozilla and Google will end support for web certificate authentication in their browsers. In fact, OIDC at CSAIL has replaced web certificates entirely for client authentication.

What is OpenID Connect?

There’s a technical description of OIDC you can read at http://openid.net/connect/ if you want to know all the details, but in short, OIDC is a service that we run at CSAIL on our own servers that allows you to authenticate to services like WebDNS, DHREG, the CSAIL website, and many more, by using your CSAIL Kerberos account.

You no longer need to obtain certificates every year or worry about which one(s) you have in your browser. You can also use pretty much all the modern browsers.

Using OpenID Connect

Most of the time, OIDC is relatively transparent to you. You will use OIDC when you need to authenticate to a secure CSAIL website. When you first visit a secure CSAIL website, you are temporarily redirected to the OIDC server. There you will simply enter your CSAIL username and password and click “Login”. You are then returned and logged into the secured website. 1

If you’re on a system where you regularly get CSAIL Kerberos tickets already – like a CSAIL Ubuntu workstation – then you may find it convenient to use your existing Kerberos tickets to log in to OIDC. See Configuring Browsers below.

OIDC for developers and web a

If you are the administrator of a CSAIL website that currently uses CSAIL certificates, see Restricting your website with OIDC and .htaccess

Configuring browsers to use existing Kerberos tickets

Advanced / Optional

If you’re on a system where you regularly get CSAIL Kerberos tickets already – like a CSAIL Ubuntu workstation – then you may find it convenient to use your existing tickets to authenticate.

Firefox

Firefox supports this out of the box, but it requires a bit of extra configuration. You’ll need to go to about:config (if you haven’t done this before, Firefox will ask you if you really want to) and set the preference network.negotiate-auth.trusted-uris to .csail.mit.edu

If your system is particularly weird, you might also have to set network.negotiate-auth.using-native-gsslib and/or network.negotiate-auth.gsslib – ask TIG to help you with these settings if just setting trusted-uris doesn’t work.

We haven’t found a way to make Firefox use Kerberos on Windows reliably. The procedure described above works for Firefox on other operating systems with official Firefox binary packages.

Safari

Whether Safari supports Kerberos authentication depends on the version of macOS and Safari you have. Kerberos login to OIDC has been confirmed to work automatically in Safari 10.1 on Yosemite and newer macOS releases, with no special configuration.

Chromium/Google Chrome

As with Firefox, Chrome requires that domains be explicitly permitted to use Kerberos authentication. Furthermore, on Windows, Chrome uses the system SSPI libraries and not the MIT Kerberos for Windows or AuriStor Heimdal libraries which you may already have installed. How to configure Chrome policies unfortunately also varies across the three platforms.

Integrating OIDC Authentication Into Your Apps

If you are writing a custom web application, and would like to allow users with CSAIL accounts to log in, you can register a client with the CSAIL OIDC Service. To do so, you must have a current CSAIL account. Get started by visiting the self-service client registration URL at: https://oidc.csail.mit.edu/manage/dev/dynreg.

An example application built using Python (Django and mozilla-django-oidc) can be viewed on TIG’s gitlab instance: https://cygnus-x1.csail.mit.edu/tig/example-django-oidc


  1. Your first time authenticating to a webserver, you will first will need to authorize it. You will only need to do this once per webserver. For example, after authorizing https://groups.csail.mit.edu/tig/oidc/ the first time, any website on groups.csail.mit.edu will not require authorization. ↩︎