Configure OIDC-Enabled Drupal 9/10 Site to Restrict Access Using MCommunity Groups

Environment

Drupal 9/10 CMS, AFS virtual host

Issue

Configure OIDC-enabled Drupal 9/10 site to restrict access using MCommunity groups

Please Note: You must have the "Groups Released" option configured for your OIDC client to function correctly. If you provisioned your OIDC client via the Web Service portal you can update the configuration there.

IMPORTANT SECURITY NOTE:  Per the Drupal core release cycle, Drupal 9 end-of-life and end of security support was reached on November 1, 2023.  References to Drupal 9 are still retained in this document for now, but no new Drupal sites should be installed based on Drupal 9.x.  Please install new sites based on Drupal 10.  Existing Drupal 9 sites are strongly encouraged to upgrade to Drupal 10 as soon as possible to minimize exposure to any potential security issues with (now unsupported) Drupal 9 in the future.

Resolution

Authorization for access to pages in OIDC-enabled Drupal 9/10 sites can be managed using the "umichoidc" module.

This Knowledge Base article assumes you have installed and configured Drupal 9/10 and the "openid_connect" module in the AFS Virtual Web Hosting service via the following instructions:

Please ensure you have followed these documented processes before proceeding.

  1. Download and install the "umichoidc" module using composer
    1. You should have your own locally-installed composer command for your site.  See the instructions in step #4 of the knowledge article "Install Drupal 9/10 CMS in an AFS-Based Virtual Host" to see how to install composer within your {{doc_root}} directory.
cd {{doc_root}}
composer require its-webhosting/umichoidc:1.x
  1. The module will be installed in {{doc_root}}/modules/contrib/.
  1. Navigate to "Manage → Extend → wwsauth", check the check box (under umich) and press the "Install" button.  If OpenID Connect has not yet been installed or was not checked it will prompt you to include OpenID Connect.  If you see the prompt indicating that "You must enable the OpenID Connect module to install wwsauth.  Would you like to continue with the above?", press the "Continue" button.
  2. After installation, permissions settings for the module will need to be configured
  1. Navigate to "Manage → People → Roles", add Roles with names matching MCommunity group names.
  2. Navigate to "Manage → Configuration → OpenID Connect", Check the checkbox next to "Wolverine Web Services", and UNcheck the checkbox next to "Generic".
  3. Configure the plugin using the following settings:
    Setting Name Setting Value
    Client ID ${OIDC_ID}
    Client Secret ${OIDC_SECRET}
    OIDC managed Roles {Select Roles matching the MCommunity groups}
    Override registration settings unchecked
    OpenID buttons display in user login form {site admin preference}
    Automatically connect existing users unchecked
  4. Save the updated settings using the 'Save configuration' button at the bottom of the configuration page
  • As you add/remove users in the MCommunity group(s), this module will add/remove Drupal roles delineated with a special prefix for the user as they login
  • These roles DO NOT sync with MCommunity
    • When someone logs in, if they are a member of the corresponding MCommunity group, they will be added to the Drupal role at the time of login
  • Expect to maintain membership in the MCommunity group but the Drupal role will likely never reflect more than a snapshot of the MCommunity group membership at any given time
    • The membership in the role will only be accurate at any given time for the person who has logged in

Additional Information

Need additional information or assistance? Contact the ITS Service Center.