Description
The enterprise OAuth/OIDC plugin ships as an OSGi bundle with no portlet UI, its configuration lives in opaque App secrets with no validation, and the implementation lacks modern OIDC security practices (PKCE, id_token validation, algorithm pinning, SSRF guards). Operators configure it by copy-pasting secrets and hoping for the best.
This epic migrates the entire OAuth/OIDC (and SAML passthrough) authentication surface into dotCMS core as a first-class feature called dotAuth, replacing the plugin with:
Portlet UI — per-site SSO configuration with protocol selection (OAuth/OIDC or SAML), OIDC discovery auto-population, group-to-role mapping, and a headless token-exchange section for SPA consumers.
OIDC-first security — PKCE (S256), id_token signature verification against the IdP's JWKS, algorithm allow-listing, nonce replay protection, constant-time state comparison, and SSRF guards on all admin-configured URLs.
Headless SPA token exchange — /api/v1/dotauth/oauth/exchange validates an externally-obtained OIDC id_token and issues a dotAuth session-ref, enabling Next.js / SPA front-ends to call dotCMS content APIs with per-user permissions without a browser session.
IdP-driven role sync — configurable BuildRolesStrategy (ALL, IDP, STATICONLY, STATICADD, NONE) mirroring SAMLHelper's role-wipe-and-reapply semantics so IdP-side group removal actually takes effect in dotCMS.
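The point of "wipe-and-reapply" is that a group the IdP no longer asserts must stop granting its mapped dotCMS role, rather than lingering from an earlier login. The following added example (not dotCMS or dotAuth code) illustrates that effect in Python. The five strategy names are the ones listed above; the semantics assigned to each here are assumptions made for the illustration, as is the notion that only roles reachable through the group mapping or the static role set are "managed" and therefore eligible to be wiped.

```python
from enum import Enum


class BuildRolesStrategy(Enum):
    # Names from the epic; meanings below are assumed for this example.
    ALL = "ALL"               # assumed: wipe managed roles, reapply IdP-mapped + static
    IDP = "IDP"               # assumed: wipe managed roles, reapply IdP-mapped only
    STATICONLY = "STATICONLY" # assumed: wipe managed roles, reapply static only
    STATICADD = "STATICADD"   # assumed: keep everything, add static roles
    NONE = "NONE"             # assumed: leave the user's roles untouched


def sync_roles(strategy: BuildRolesStrategy,
               current_roles: set[str],
               idp_groups: set[str],
               group_to_role: dict[str, str],
               static_roles: set[str]) -> set[str]:
    """Return the role set the user should hold after this login."""
    # Roles the IdP currently asserts, translated through the admin's mapping.
    mapped = {group_to_role[g] for g in idp_groups if g in group_to_role}
    # Roles dotAuth may have granted on a previous login and is allowed to revoke.
    managed = set(group_to_role.values()) | static_roles

    if strategy is BuildRolesStrategy.NONE:
        return set(current_roles)
    if strategy is BuildRolesStrategy.STATICADD:
        return current_roles | static_roles

    # Wipe step: drop every managed role; roles granted locally by an admin survive.
    kept = current_roles - managed
    if strategy is BuildRolesStrategy.ALL:
        return kept | mapped | static_roles
    if strategy is BuildRolesStrategy.IDP:
        return kept | mapped
    if strategy is BuildRolesStrategy.STATICONLY:
        return kept | static_roles
    raise ValueError(f"unknown strategy {strategy!r}")


# Constructed scenario: the user was an admin last time, but the IdP has since
# removed them from "cms-admins". A merge-only sync would leave Administrator in place.
GROUP_TO_ROLE = {"cms-admins": "Administrator", "cms-editors": "Editor"}
STATIC_ROLES = {"SSO User"}
PREVIOUS_ROLES = {"Administrator", "Editor", "Local Reviewer"}
ASSERTED_GROUPS = {"cms-editors"}


def demo(strategy: BuildRolesStrategy) -> set[str]:
    return sync_roles(strategy, PREVIOUS_ROLES, ASSERTED_GROUPS, GROUP_TO_ROLE, STATIC_ROLES)


if __name__ == "__main__":
    for s in BuildRolesStrategy:
        print(f"{s.value:11} -> {sorted(demo(s))}")
```

With `ALL`, `IDP` and `STATICONLY` the stale `Administrator` role disappears while the locally granted `Local Reviewer` role is untouched; `STATICADD` and `NONE` never revoke anything, which is the behaviour the wipe-and-reapply design exists to avoid.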
Config portability — encrypted export/import of dotAuth secrets (OAuth, SAML, headless) scoped to dotAuth app keys only, with admin-gated endpoints.
Multi-provider trust — trusted IdP list for the exchange endpoint, allowing multiple OIDC issuers to mint tokens that dotCMS will accept for a single site.
Desired Outcome
The enterprise OAuth OSGi plugin can be uninstalled with no loss of functionality. Operators configure SSO through the dotAuth portlet instead of raw App secrets. Headless SPA consumers (e.g. Next.js + Okta) can authenticate against dotCMS without a server-side session or proxy. OIDC security posture meets current best practices.
Deliverables
- dotAuth portlet (Angular): site list, per-site config, headless config
- REST surface: /api/v1/dotauth/* (CRUD, export/import, discovery, session revoke)
- Exchange endpoint: /api/v1/dotauth/oauth/exchange (id_token → session-ref)
- OAuthWebInterceptor: login redirect, callback, logout (browser flow)
- OIDC provider: discovery cache, JWKS cache, id_token validation
- Session cache: DotAuthSessionCache registered in CacheLocator
- Unit + integration tests across all layers
Target Personas
Links
feat/dotauth-core-migration