Enabling Web Application Users to Log In with DNAnexus Credentials
Learn how to configure your app to allow app users to log in using DNAnexus credentials.
If you develop a web app that will be used by DNAnexus Platform users, you can let them log in, easily and securely, with their Platform credentials through the DNAnexus OIDC service, so that your app never handles their passwords. This page is a step-by-step guide to configuring your app for OIDC login and registering it with DNAnexus as an OIDC client.
For a sample app illustrating how this is done, .
To enable user login with DNAnexus credentials, your application must be web-based: users must log in and reach its functionality through a web interface. Your application must also have a privacy policy and a terms of service document, both web-accessible. Finally, you must supply a JSON Web Key Set (JWKS) endpoint URL. The DNAnexus OIDC server fetches your app's public encryption key from it, because the ID token it issues to your app is always returned as an encrypted JWT.
As a first step, you must register your app with DNAnexus. To do this, email DNAnexus Support, including the following specifications in your email:
client_name (string): The name of the app that is to be configured as an OIDC client.
author_id (string): The DNAnexus Platform user ID of the user who will be able to set and reset the app's client secret.
redirect_uris (array of strings): One or more URLs to which the DNAnexus OIDC server may redirect the user's browser after authorization. All must use the HTTPS protocol, and the redirect_uri your app sends in an authorization request must exactly match one of them.
homepage_uri (string): The URL of the page used to access and use the app.
policy_uri (string): The URL of the app's privacy policy document.
tos_uri (string): The URL of the app's terms of service document.
jwks_uri (string): The URL of the app's JWKS (JSON Web Key Set). It publishes the public key the OIDC server uses to encrypt ID tokens for your app; it must never contain private key material.
scope (space-separated list of strings): The scopes that the client can request as part of each authorization request. See below for the list of supported scopes.
id_token_encrypted_response_alg (string): The JWE algorithm used to encrypt the Content Encryption Key (CEK). Supported values are:
id_token_encrypted_response_enc (string): The JWE algorithm used to encrypt the ID token content. This value is optional and defaults to A256CBC-HS512. Supported values are:
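The jwks_uri entry above has to serve the public key that the DNAnexus OIDC server will encrypt ID tokens with. The Go program below is an added example, not DNAnexus code: it generates an RSA key pair, publishes only the public half as an RFC 7517 key set with use set to enc, shows how a consumer such as the OIDC server rebuilds the key from that document, and serves it from an HTTP handler. The alg value ("RSA-OAEP"), the key size and the /.well-known/jwks.json path are assumptions; pass the algorithm you actually registered as id_token_encrypted_response_alg and mount the handler at whatever URL you gave as jwks_uri.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/http"
)

var b64 = base64.RawURLEncoding

// JWK holds the RFC 7517 fields needed to publish an RSA public key for encryption.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Alg string `json:"alg,omitempty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the document served at the registered jwks_uri.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// GenerateEncryptionKey creates the app's key pair. The private half stays in
// server-side secret storage; only the public half is ever published.
func GenerateEncryptionKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PublicJWK converts an RSA public key into a JWK marked for encryption use.
// alg is the value registered as id_token_encrypted_response_alg (an assumption here).
func PublicJWK(pub *rsa.PublicKey, alg string) JWK {
	n := pub.N.Bytes()
	sum := sha256.Sum256(n) // kid derived from the modulus: stable, and distinct for each rotated key
	return JWK{
		Kty: "RSA",
		Use: "enc",
		Alg: alg,
		Kid: b64.EncodeToString(sum[:8]),
		N:   b64.EncodeToString(n),
		E:   b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}
}

// ParseJWK rebuilds the public key from a JWK, as the OIDC server does after fetching jwks_uri.
func ParseJWK(k JWK) (*rsa.PublicKey, error) {
	if k.Kty != "RSA" || k.Use != "enc" {
		return nil, errors.New("not an RSA encryption key")
	}
	n, err := b64.DecodeString(k.N)
	if err != nil {
		return nil, err
	}
	e, err := b64.DecodeString(k.E)
	if err != nil {
		return nil, err
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// JWKSHandler serves the key set; mount it behind TLS at the path registered as jwks_uri.
func JWKSHandler(set JWKS) http.HandlerFunc {
	body, _ := json.Marshal(set)
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Header().Set("Cache-Control", "public, max-age=300")
		w.Write(body)
	}
}

func main() {
	priv, err := GenerateEncryptionKey()
	if err != nil {
		panic(err)
	}
	set := JWKS{Keys: []JWK{PublicJWK(&priv.PublicKey, "RSA-OAEP")}}
	out, _ := json.MarshalIndent(set, "", "  ")
	fmt.Println(string(out))
	// Real app: http.Handle("/.well-known/jwks.json", JWKSHandler(set)) on an HTTPS listener.
}
```

Keep the key set to the keys you actually want ID tokens encrypted with, and when you rotate, serve both the old and new key for a while so tokens encrypted against either can still be opened.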
Once DNAnexus Support processes your request, you will receive confirmation that your app is registered as an OIDC client, together with its client ID. The client ID is a unique string, in UUID format, that identifies your app. It is an identifier rather than a secret (it appears in every authorization request), but you will need it to set up and maintain the client, so keep a record of it. It is also the target of the API call that sets and resets the client secret:
$ dx api oidcClient-xxxx resetClientSecret
Note the following about how the DNAnexus OIDC server handles scopes in authorization requests: apps must request the openid scope, and may also request any or all of the additional scopes listed below. An app can only request scopes that were registered for it.
openid (string): The app must always request this scope. In return, the app receives the ID token carrying the user's identity data.
user_id (string): The user's Platform username prefixed with user-, in the form user-username (e.g. user-amy).
name (string): The user's full name, as registered when the user created a DNAnexus user account.
email (string): The email address associated with the user's DNAnexus user account.
Once you have registered your client and obtained the client ID, you must obtain a client secret. This is a unique string that the app presents to the DNAnexus OIDC server, together with the client ID, when it authenticates itself during the login flow. To obtain it, call the resetClientSecret API method, replacing "xxxx" with the app's client ID (dx api oidcClient-xxxx resetClientSecret). The call has to be made by the user registered as the app's author_id. Treat the secret like any other credential: keep it in server-side configuration only, and never ship it in JavaScript or other code delivered to the browser.
Next, configure your app to send the client ID and client secret as part of its authentication requests. The simplest way to do this is to use an OIDC-compliant client library, such as .
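As an added example (not DNAnexus code, and not a substitute for a maintained OIDC library), the Go snippet below shows what an app has to get right when it uses the registered client ID and secret: a random state value bound to the user's session, an HTTPS redirect_uri sent byte-for-byte as registered, a callback check that rejects a missing or mismatched state, and a back-channel token request that carries the client secret as HTTP Basic credentials (client_secret_basic) so it never reaches the browser. The authorization code flow is assumed, since the page does not name the grant type, and the endpoint URLs, client ID and secret are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ClientConfig is what the app keeps after registration. ClientSecret is loaded from
// server-side configuration and never sent to the browser.
type ClientConfig struct {
	ClientID     string
	ClientSecret string
	RedirectURI  string   // must equal one of the registered redirect_uris exactly
	Scopes       []string // subset of the scopes registered for the client; openid is mandatory
	// Endpoint URLs are placeholders: take the real ones from DNAnexus, not from this example.
	AuthorizeEndpoint string
	TokenEndpoint     string
}

// NewState returns an unguessable value that binds the callback to this browser session.
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizationURL builds the front-channel redirect for the authorization code flow.
func (c ClientConfig) AuthorizationURL(state, nonce string) (string, error) {
	if !strings.HasPrefix(c.RedirectURI, "https://") {
		return "", errors.New("redirect_uri must be an https URL")
	}
	hasOpenID := false
	for _, s := range c.Scopes {
		if s == "openid" {
			hasOpenID = true
		}
	}
	if !hasOpenID {
		return "", errors.New("scope must include openid")
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", c.ClientID)
	q.Set("redirect_uri", c.RedirectURI)
	q.Set("scope", strings.Join(c.Scopes, " "))
	q.Set("state", state)
	q.Set("nonce", nonce)
	return c.AuthorizeEndpoint + "?" + q.Encode(), nil
}

// VerifyCallback checks the redirect back from the OIDC server and returns the code.
// expectedState is the value stored in the user's session when the flow started.
func VerifyCallback(query url.Values, expectedState string) (string, error) {
	if e := query.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s", e)
	}
	got := query.Get("state")
	if expectedState == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: possible CSRF or replayed callback")
	}
	code := query.Get("code")
	if code == "" {
		return "", errors.New("callback carried no authorization code")
	}
	return code, nil
}

// TokenRequest builds the back-channel code exchange. The client secret travels only here,
// server to server, as HTTP Basic credentials (client_secret_basic).
func (c ClientConfig) TokenRequest(code string) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", c.RedirectURI) // must repeat the exact value from the authorization request
	req, err := http.NewRequest(http.MethodPost, c.TokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(c.ClientID, c.ClientSecret)
	return req, nil
}

func main() {
	cfg := ClientConfig{
		ClientID:          "00000000-0000-0000-0000-000000000000", // placeholder, not a real client ID
		ClientSecret:      "loaded-from-server-side-config",
		RedirectURI:       "https://app.example.org/oidc/callback",
		Scopes:            []string{"openid", "user_id", "name", "email"},
		AuthorizeEndpoint: "https://oidc.example.org/authorize",
		TokenEndpoint:     "https://oidc.example.org/token",
	}
	state, _ := NewState()
	nonce, _ := NewState()
	u, _ := cfg.AuthorizationURL(state, nonce)
	fmt.Println("redirect the browser to:", u)
}
```

Store state (and nonce) in the server-side session before redirecting, and clear them once the callback has been verified so the same callback cannot be replayed.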
Authorization requests are handled in keeping with the .
The is enforced
Only are supported.
ID Token has to always be encrypted using and leveraging
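Because the ID token arrives encrypted (a JWE) rather than as a plain JWT, the app has to unwrap it with the private key matching its published JWKS before it can look at the claims. The Go code below is an added example, not DNAnexus code: it implements A256CBC-HS512 (the default id_token_encrypted_response_enc listed above) over a content key wrapped with RSA-OAEP, which is an assumption here because the page's list of supported alg values is not reproduced. It pins the expected alg and enc instead of trusting whatever the header says, verifies the HMAC tag before decrypting so padding errors cannot become an oracle, and includes the encrypting side only so that the example runs stand-alone. The decrypted payload is the signed ID token, whose signature, issuer, audience, expiry and nonce must still be validated exactly as for any OIDC login.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha512"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// NewClientKey makes the app's key pair; jwks_uri publishes the public half, the private half stays server-side.
func NewClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// authTag is the A256CBC-HS512 tag of RFC 7518 s5.2: HMAC-SHA-512 over AAD || IV || ciphertext || AL,
// truncated to 32 bytes, where AAD is the ASCII protected header and AL its length in bits (64-bit big-endian).
func authTag(macKey, aad, iv, ct []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	h := hmac.New(sha512.New, macKey)
	for _, b := range [][]byte{aad, iv, ct, al} {
		h.Write(b)
	}
	return h.Sum(nil)[:32]
}

// DecryptIDToken opens a compact JWE with alg RSA-OAEP and enc A256CBC-HS512; any other header is rejected.
func DecryptIDToken(jwe string, priv *rsa.PrivateKey) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, errors.New("expected five JWE segments")
	}
	var seg [5][]byte // protected header, wrapped CEK, IV, ciphertext, tag
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, err
		}
		seg[i] = b
	}
	var hdr struct{ Alg, Enc string }
	if err := json.Unmarshal(seg[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RSA-OAEP" || hdr.Enc != "A256CBC-HS512" {
		return nil, fmt.Errorf("unexpected JWE header alg=%q enc=%q", hdr.Alg, hdr.Enc)
	}
	iv, ct, tag := seg[2], seg[3], seg[4]
	// JOSE "RSA-OAEP" means OAEP with SHA-1 and MGF1-SHA-1 ("RSA-OAEP-256" would use SHA-256).
	cek, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, priv, seg[1], nil)
	if err != nil {
		return nil, errors.New("CEK unwrap failed")
	}
	if len(cek) != 64 || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed JWE")
	}
	if !hmac.Equal(tag, authTag(cek[:32], []byte(parts[0]), iv, ct)) { // check before decrypting: no padding oracle
		return nil, errors.New("authentication tag mismatch")
	}
	block, _ := aes.NewCipher(cek[32:]) // first 32 bytes of the CEK are the MAC key, last 32 the AES-256 key
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(pt) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:len(pt)-pad], nil
}

// EncryptIDToken plays the OIDC server's part so the example runs stand-alone.
func EncryptIDToken(payload []byte, pub *rsa.PublicKey) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"RSA-OAEP","enc":"A256CBC-HS512"}`))
	buf := make([]byte, 80) // fresh 64-byte CEK followed by a 16-byte IV
	rand.Read(buf)
	cek, iv := buf[:64], buf[64:]
	pad := aes.BlockSize - len(payload)%aes.BlockSize
	padded := append(append([]byte{}, payload...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(cek[32:])
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	tag := authTag(cek[:32], []byte(header), iv, ct)
	return strings.Join([]string{header, enc(wrapped), enc(iv), enc(ct), enc(tag)}, "."), nil
}

func main() {
	priv, _ := NewClientKey()
	jwe, _ := EncryptIDToken([]byte(`{"sub":"user-amy"}`), &priv.PublicKey) // constructed payload
	plain, err := DecryptIDToken(jwe, priv)
	fmt.Println(string(plain), err)
}
```

In a real deployment use a maintained JOSE library for this and keep the pinned alg/enc check; the point of writing it out is to see that the header is input to be validated, not configuration to be obeyed.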
If you need to rotate your app's client secret, call the same API endpoint, replacing "xxxx" with the app's client ID, as when you obtained the secret in the first place (see above). Generating a new secret invalidates the previous one, so any running instance of the app that still holds the old secret will fail to authenticate until its configuration is updated; plan the rotation accordingly.
for a sample app illustrating how to configure a web-based app to use the DNAnexus OIDC service.