OIDC compatibility #40

Open
espenfl opened this issue Nov 13, 2020 · 1 comment

espenfl commented Nov 13, 2020

Dear everyone. I have tried to set up the extension towards Azure AD using OIDC.

In that context I have a few questions:

  • It seems the extension now supports JWT (according to this page: https://fiware-ckan-extensions.readthedocs.io/en/latest/installation-administration-guide.html). So this fits OIDC nicely. Can you confirm this?

  • Given that JWT is supported, is there any point in keeping the user info endpoint? I think with the scope of oidc profile email we have everything we need for CKAN?

  • Looking at the code it seems you fetch the user information from the access token. But with OIDC we can also get the id token and I would rather fetch that information from there.

  • Is there an OIDC example using this plugin somewhere where we know the connection has been successful?

  • Does CKAN support @ in user names?

Given that OIDC is rather strictly defined and that it supports discovery as well, would it make sense to make a new plugin, or at least add a mode for OIDC only and get rid of the legacy stuff? Maybe fork of this plugin and utilize https://github.com/rohe/pyoidc or something along those lines? Do you know if anyone is working on something like this?

Thanks a lot for the work you have done on this plugin.

@aitormagan
Contributor

JWT is supported by this extension. If you want the extension to read the info from the token instead of calling another API, you should set the jwt.enable property to True as stated in the document you sent.
