OpenID Connect (OIDC) support on Android

I understand that there is OIDC support already built in to the web and it works well, while the equivalent support for Mobile (Capture app & SDK) is underway. I scanned the existing JIRA issues related to OIDC + Android but could not understand if 2.37 (and 2.36) are still targeted. Could you let us know if this is accurate? Is it waiting on a server-side implementation or an SDK implementation, or both? Can I follow a specific Jira issue for it?

Thank you!

Hi @dhuser,

The Android app and the SDK have included support for OIDC since version 2.4 (SDK 1.4), but it requires including some extra information about the provider in the application manifest, which in practice means building your own APK. More information about this: Modifying the APK · dhis2/dhis2-android-capture-app Wiki · GitHub. We will explore ways to make it more “plug-and-play” in the next version. Maybe @Pablo could give more info about this.

This is the relevant ticket in the backend ([DHIS2-10337] - Jira). It is supported since 2.36.3.

Thanks @vgarciabnz – regarding JWT bearer token authentication required for an API-only auth with the Android app, is this piece in the docs accurate?

DHIS2 currently only supports using Google as an OIDC provider when using JWT tokens

from docs.dhis2.org –

However, the Android wiki guideline on configuring OIDC states that Azure is supported.

The question is whether JWT bearer token authentication with Azure AAD is supported on Android (2.4+ / 2.36.3+).

We’re currently getting a

{"httpStatus":"Unauthorized","httpStatusCode":401,"status":"ERROR","message":"invalid_token","devMessage":"Invalid issuer"}

thrown at this line.

thank you


Hi David,

We have currently only tested JWT tokens with Google as provider.
That said, it should be possible to use it with others, since it is standardized and similar across providers; there are of course always small differences, so it needs to be tested to be sure.

The error you get seems to be that the issuer lookup fails. I really need to see your dhis.conf file and what the issuer value is. I could compile a version with some extra debugging you can run, and if I can look at your dhis.conf (without the secrets…), we might figure something out.

Hi @netroms , thanks a lot for your feedback.

Below are the relevant parts of the dhis.conf file (minus the db connection). The values in {brackets} are placeholders for the actual values.

Please let us know if more details would help, happy to share more details by email.

oidc.oauth2.login.enabled = on
oidc.logout.redirect_url=https://dhis2.test.organization.org/dhis

oidc.provider.azure.0.tenant={tenant_id}
oidc.provider.azure.0.client_id={client_id}
oidc.provider.azure.0.client_secret={secret_value}
oidc.provider.azure.0.redirect_url=https://dhis2.test.organization.org/dhis
oidc.provider.azure.0.mapping_claim=email
oidc.provider.azure.0.support_logout=true

oauth2.authorization.server.enabled=off
oidc.jwt.token.authentication.enabled=on

oidc.provider.azure.ext_client.0.client_id={client_id}
oidc.provider.azure.0.issuer_uri=https://login.microsoftonline.com/{tenant_id}/v2.0

edit:
We haven’t put it into the dhis.conf yet, but PKCE will need to be enabled too:

oidc.provider.azure.enable_pkce = true
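Added example, not code from this thread or from the DHIS2 code base: a small Python diagnostic that decodes the payload of a JWT offline and compares its `iss` claim with the `issuer_uri` configured in dhis.conf above. An exact issuer comparison of this kind is what a resource server performs before it trusts a bearer token, so a failed comparison surfaces as an "Invalid issuer" style rejection. The script does not verify the signature and must never be used to make an authorization decision. The tenant id and the tokens are constructed placeholders. The distinction it reports between the Azure AD v1.0 issuer form (`https://sts.windows.net/{tenant}/`) and the v2.0 form (`https://login.microsoftonline.com/{tenant}/v2.0`) is a general property of Azure AD tokens, included as something worth checking, not as a claim about what caused the error reported in this thread.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed placeholders: a tenant id and the issuer_uri as it appears in dhis.conf.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CONFIGURED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_header_and_claims(token: str) -> tuple[dict, dict]:
    """Split a compact JWS and decode header and payload WITHOUT verifying the signature.

    Fine for diagnostics (comparing claims against configuration); never use the
    result to authenticate anyone, since the signature is ignored here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_issuer(token: str, configured_issuer: str) -> tuple[bool, str]:
    """Return (ok, reason) for the token's 'iss' claim versus the configured issuer_uri.

    An OIDC resource server compares the issuer before it even fetches the
    provider's JWKS; any mismatch is rejected as an invalid issuer.
    """
    _, claims = jwt_header_and_claims(token)
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return False, "token carries no 'iss' claim"
    # Tolerate only a trailing-slash difference; everything else must match exactly.
    if iss.rstrip("/") == configured_issuer.rstrip("/"):
        return True, "issuer matches configured issuer_uri"
    # Azure AD v1.0 tokens are issued by sts.windows.net, v2.0 tokens by
    # login.microsoftonline.com/<tenant>/v2.0. A resource configured for one
    # format rejects tokens minted in the other.
    if urlparse(iss).hostname == "sts.windows.net":
        return False, (f"token issuer {iss!r} is an Azure AD v1.0 issuer but "
                       f"issuer_uri {configured_issuer!r} is the v2.0 endpoint")
    return False, f"issuer mismatch: token {iss!r} vs configured {configured_issuer!r}"


def make_test_token(claims: dict) -> str:
    """Build an UNSIGNED token with a placeholder signature, only to exercise check_issuer.

    Constructed test data: a real server must reject this token, because the
    signature segment is not a signature at all.
    """
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


if __name__ == "__main__":
    v2_token = make_test_token({"iss": CONFIGURED_ISSUER, "aud": "client-id",
                                "email": "user@example.org"})
    v1_token = make_test_token({"iss": f"https://sts.windows.net/{TENANT_ID}/",
                                "aud": "client-id"})
    for name, tok in (("v2.0 token", v2_token), ("v1.0 token", v1_token)):
        ok, reason = check_issuer(tok, CONFIGURED_ISSUER)
        print(f"{name}: {'OK' if ok else 'REJECT'} - {reason}")
```

To use it against a real token, paste the bearer token the Android app sends (visible in the Authorization header of the failing request) into `check_issuer` together with the `issuer_uri` value from dhis.conf; the reason string tells you whether the two disagree and, for Azure, whether the disagreement is the v1.0/v2.0 endpoint form.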

We have further tested JWT tokens in combination with the Android Capture app but are facing a critical issue during data sync.

We can log in, download data… however, all data sync attempts are denied even with the user having ‘ALL’ authority. The equivalent Basic Auth command works (e.g. POST /api/dataValues).

This has been logged with more details in DHIS2-12593. @netroms can you confirm that POST requests should also be supported, and if so what could be potentially blocking it?


Hello @Gassim please do you know who can help on this?


Hi @diallotafsir52 , I know this was reported as an Android issue, but it seems it was a problem in the backend, therefore it should be included and fixed in the next release. You probably want to follow the JIRA [DHIS2-12593] - Jira to know more about this.

Let me know if it is not clear.

Cheers.
