OAuth at MIT (deprecated)

IMPORTANT: The MIT OpenID Connect Pilot should not be used. See our Touchstone / SAML docs instead. We have a few legacy applications still using this so the documentation will remain.

The MIT OpenID Connect pilot includes an OAuth provider which you can use for authentication. Documentation for MIT’s OAuth implementation is available in the Knowledge Base. (This is different from, and superior to, the documentation on the OIDC web site.)

Code you can reuse

The Libraries have already written several OAuth integrations you can and should reuse where applicable:

Policy

There is ITDD policy on the use of Heroku, which may be relevant to you if you are using OAuth.

  • Apps that don’t require end-user authentication may be deployed to Heroku.

  • Apps that use, store, or consume sensitive data require multi-factor/DUO authentication and therefore may not be deployed on Heroku.

  • Other apps that do require end-user authentication may be deployed to Heroku (and use OIDC) if the work falls into one of these categories:

    • The development work is clearly identified as an experiment/POC only and not intended for production, or

    • The project is in the early stages of development, and will ultimately be transferred to a VM for production, or

    • The app will only be used by fewer than 5 users from the Libraries staff, and no other user types, or

    • You have cleared the use of Heroku/OIDC with the ITDD leadership team for a special case.