OIDC JWT Starter

Enonic version: 7.6
OS: Ubuntu


I’m not much used to handle users in XP, so this area is fairly new to me.
I’d like to set a JWT auth system on a headless server and the first thing I saw was this: GitHub - enonic/app-oidc-jwt-idprovider.
But I guess I’ll need a direction here, as I’m unable to get a prototype working after following the steps in Configuration (I’m not sure how do I use the app’s features). Can someone give me a hint?

Note: I’m also new on Enonic Headless


Hi maaubt.

This app has not been released yet. We are using it for some internal projects. That being said, we would love to get some feedback on it.

I assume you have created a new idprovider in the XP admin using this application. The only thing you need to set to get it working is the well-know endpoint. The other defaults should be good enough.

Lets say that the idprovider you created is called jwt, the next thing you need to do is to add a vhost that uses this id provider. You do that in the com.enonic.xp.web.vhost.cfg configuration file:

enabled = true

# Use system idprovider for the admin
mapping.admin.host = localhost
mapping.admin.source = /admin
mapping.admin.target = /admin
mapping.admin.idProvider.system = default

# Use JWT idprovider for the app
mapping.app.host = localhost
mapping.app.source = /
mapping.app.target = /webapp/name.of.app
mapping.app.idProvider.jwt = default

Have you done these steps?

Hi gbi,

I’ve not done exactly like this. I still need the wke you pointed out (I haven’t realized the default one wouldn’t be working).

I indeed created an idprovider in XP admin Users and a vhost similar to yours (though I did a ‘/’ → ‘/’ in source → target).
Pardon me if it’s a silly question, but do I need to use any special set of functions (maybe portalLib.loginUrl or authLib related) in this case to ensure the user is logged in and, if not, redirect it to log in page? (I’m really not used to deal with this in Enonic)

In general you should try to separate authentication logic and your apps logic. Let the id provider to the redirects if the user is not authenticated. You can trigger that in your app by returning 401 from your endpoint.

Use roles in your app to say who can and cannot do certain things. The hasrole function is perfect for that. If you want to do some other checks you can use the Authentication Library.

The Content library respects user permissions, so you should be able fetch content without to much thought into authorization in your apps logic.

I suggest create a small demo app where you log the user of the requests. Play around with different logic. Something like:

const authLib = require('/lib/xp/auth');

exports.get = function(request) {
  var user = authLib.getUser();
  log.info('User %s', JSON.stringify(user, null, 4));

  // If user is anonymous, return 401 maybe ??

  // If user is missing required role, return 403.
  if(!auth.hasRole('system.admin')) {
    return {
      status: 403,
  // Return actual results
  return {
    body: 'Hello ' + user.displayName,
    contentType: 'text/plain'
1 Like