Enabling Web Application Users to Log In with DNAnexus Credentials

If you're the developer of a web app that will be used by DNAnexus Platform users, you can enable them to log in, easily and securely, using their Platform credentials, via the DNAnexus OIDC service. This page provides a step by step guide to configuring your app to enable OIDC login, and registering it with DNAnexus as an OIDC client.

For a sample app illustrating how this is done, .

Configuring Your Web-Based Application to Allow Login with DNAnexus Credentials

Prerequisites

To enable user login with DNAnexus credentials, your application must be web-based. That is, it must allow users to log in and access its functionality via a web interface. Your application must also have a privacy policy and terms of service document that are both web-accessible. You must also supply a JSON Web Key Set (JWKS) endpoint URL, to support JWT encryption of the required ID token.

Step 1. Register Your App with DNAnexus and Obtain a Client ID

As a first step, you must register your app with DNAnexus. To do this, , including the following specifications in your email:

• client_name string The name of the app that is to be configured as an OIDC client.

• author_id string The DNAnexus Platform of the user who will be able to set and reset the app's

• redirect_uris array of strings A list of one or more URLs to which user authorization requests will be directed. All must use the HTTPS protocol

• homepage_uri string The URL of the page used to access and use the app

• policy_uri string The URL of the app's privacy policy document

• tos_uri string The URL of the app's terms of service document

• jwks_uri string The URL of the app's JWKS (JSON Web Key Set)

• scope space-separated list of strings A space-separated list of scopes that the client can request as part of each authorization request. See below for a list of support scopes.

• id_token_encrypted_response_alg string The algorithm used for encryption of the Content Encryption Key (CEK). Supported values are:

  Copy

  "A256KW",
  "ECDH-ES",
  "RSA-OAEP",
  "RSA-OAEP-256"

• id_token_encrypted_response_enc string The algorithm used for encryption of the ID Token content. This value is optional, will default to A256CBC-HS512 . Supported values are:

  Copy

  "A256CBC-HS512",
  "A256GCM"

Once DNAnexus Support processes your request, you will receive a confirmation that your app is registered as an OIDC client. You will also receive its client ID. The client ID is a unique string, in UUID format, that identifies your app. You will need this client ID to set up and maintain your app as an OIDC client, so store it securely.

Step 2. Obtain Your Client Secret

$ dx api oidcClient-xxxx resetClientSecret

Step 3. Configure Your App to Use the Client ID and Client Secret

Note the following about how the DNAnexus OIDC server handles authorization requests:

Step 4. Configure Your App to Request Information from Users

Apps must request the openid scope. App may require that any or all of the additional scopes, listed below, be included in authorization requests:

• openid string The app must always request this scope. In return, the app will receive the ID token providing identity data for the user.

• user_id string A user’s Platform username, prepended with user- in the form user-username (e.g. user-amy)

• name string The user’s full name, exactly as registered when he or she created a DNAnexus user account

• email string The email address associated with the user’s DNAnexus user account

Resetting Your App's Client Secret

Learn More