This plugin is for use with XNAT 1.7.5.x+ releases.
There are 2 ways to deploy XNAT-Web:
When you have deployed the specific version of XNAT Web, you will need to deploy this XNAT plugin. For more information, please XNAT documentation on how to deploy plugins.
Again there are 2 ways to accomplish this:
-
Download the latest development version here
-
Copy the plugin jar to your plugins folder:
cp build/libs/xnat-openid-auth-plugin-all-1.0.0-SNAPSHOT.jar /data/xnat/home/plugins
To build the XNAT OpenID authentication provider plugin:
-
If you haven't already, clone this repository and cd to the newly cloned folder.
-
Build the plugin:
./gradlew clean xnatPluginJarOn Windows, you can use the batch file:
gradlew.bat clean fatJar
This should build the plugin in the file build/libs/xnat-openid-auth-plugin-all-1.0.0-SNAPSHOT.jar (the version may differ based on updates to the code).
-
Build the plugin jar or download the latest development version here
-
Optionally run the tests:
./gradlew clean test -
Copy the plugin jar to your plugins folder:
cp build/libs/xnat-openid-auth-plugin-all-1.0.0-SNAPSHOT.jar /data/xnat/home/plugins
After deploying the plugin, you will need to configure it.
XNAT searches for authentication plugin configurations by looking for files whose names match the pattern:
*-provider.properties
It looks in the following locations:
- On the classpath in the folder META-INF/xnat/auth
- In a folder named auth under the XNAT home folder (usually configured with the xnat.home system variable)
This plugin will use any entries located in any of those properties files where the property type is set to "openid". See the sample properties in the resources directory.
Multiple open-id authentication servers can be configured using multiple properties file.
The following properties control the plugin:
An authentication provider is identified using the provider.id value. The value should be unique across all authentication providers deployed in XNAT. localdb is a reserved provider id for the authentication performed by XNAT using the database.
The main domain, needed to build the full preEstablishedRedirUri
The return leg of OpenID request after the provider has authenticated, defaults to <siteUrl>/openid-login
The ID obtained on app registration
The Secret obtained on app registration
Controls the scopes returned by the server: openid,profile,email
Controls the link HTML snippet displayed on the Login page for this provider. Location of the link text can optionally be customised by modifying Login.vm.
Controls whether domains of the email should be compared against the whitelist: allowedEmailDomains.
Comma delimted whitelist of domains.
Allows skipping of user creation, usually set to true.
Standard XNAT provider attribute that sets the enabled property of new users. Set to false to require admins to manually enable users before allowing logins, set to true to allow immediate access.
Standard XNAT provider attribute that sets the verified property of new users. Set to true to automatically verify new users, false to require email verification or manual verification by an administrator.
The optional URI of the UserInfo endpoint. If present then a call will be exchanged to this endpoint to collect additional information about the user.
The property names used to populate user information during user creation. These are the property names from the information returned from the authentication provider.
Flag to enable the PKCE feature in the authrozation code grant flow
Default pattern to define auth_user field of the xhbm_xdat_user_auth table
Optional algorithm for ID token encryption. When configured, XNAT will generate and publish public encryption keys that OpenID providers can use to encrypt ID tokens before sending them to XNAT.
Supported algorithms: RSA1_5, RSA-OAEP, RSA-OAEP-256, RSA-OAEP-384, RSA-OAEP-512
Example: openid.keycloak.idTokenEncryptionAlgorithm=RSA-OAEP-256
When ID token encryption is configured, XNAT automatically manages encryption keys as follows:
- Database-backed storage: Encryption keys are stored in the XNAT database (in the preferences system)
- Automatic sharing: Keys are automatically shared across all nodes in load-balanced environments
- Persistent across restarts: Keys are generated once and reused on subsequent Tomcat restarts
- No manual configuration required: Keys are automatically generated on first startup if they don't exist
OpenID providers can retrieve public keys from the JWKS (JSON Web Key Set) endpoint:
https://your-xnat-domain/xapi/openid/.well-known/jwks.json
This endpoint is publicly accessible and returns only public keys (private keys remain secure in the database).
To rotate encryption keys:
- Delete the stored key from the XNAT database directly via SQL:
DELETE FROM xhbm_preference p USING xhbm_tool t WHERE t.id = p.tool AND t.tool_id = 'openid' AND p.name = 'jwk-RSA-OAEP-256';
- Restart all Tomcat instances (the primary node will generate a new key on startup)
- Update your OpenID provider to fetch the new public key from the JWKS endpoint
Note: All nodes must be restarted to pick up the new key. Simply deleting from the database won't update in-memory keys on running nodes.
Check if a key exists in the database (admin-only):
curl -u admin:password https://your-xnat/xapi/openid/keys/RSA-OAEP-256Returns true if the key exists, false otherwise.
- Backup: Encryption keys are included in standard XNAT database backups
- Recovery: Restore the database to recover keys
- Important: If keys are lost, OpenID providers must re-fetch the new public key after key regeneration
No special configuration is required for load-balanced environments:
- All nodes automatically share the same keys via the database
- No file synchronization needed
- No per-node key generation issues
When encryption is enabled:
- Primary node: Generates encryption keys on first startup and persists them to the database
- Non-primary nodes: Wait for the primary node to generate keys, checking the database with exponential backoff
- Timeout: Non-primary nodes will retry for up to ~5 minutes before failing if keys are not available
Important considerations:
- Startup order: If all nodes start simultaneously, non-primary nodes will wait for the primary node to complete key generation
- Primary node delays: If the primary node is slow to start or fails during startup, non-primary nodes may timeout waiting for keys
- Recommendations:
- For initial deployment with encryption enabled, start the primary node first
- Ensure the primary node is healthy before starting additional nodes
- Monitor logs on non-primary nodes for key loading status
- In case of timeout errors, verify the primary node has started successfully and keys are in the database
Sample configuration files are found here. Please note the need to rename these files before usage, see opening section of the file.