Invenio as single sign on

This is I think a rather broad question, looking for a suggestion or recomendation. Also, I will apollogize in advance because probably the question has mistakes in it’s own, considering my unknowlege of this topics.
We are trying to connect several apps and systems to our Invenio instance, to propose it as a central service of several universities organizations. One of the main issues is regarding to users authentication.
We already use invenio_oauth2server to connect Angular apps users, but also users of a MongoDb/NodeJs/React stack to our Invenio. But those are internal developments. The real problem came with deployments of other systems, some are requesting a full OpenId implementation and others SAML/Shibboleth.
Regarding OpenId, there is a way of implementing OpenId using the invenio_oauth2server?, there is a plan for invenio of doing such thing?
About saml, we saw some libraries like flask_saml2 that probably could help us to use invenio as an identity provider for other systems.
But really the question is more if we are getting in a feasible direction. In the sense that there are full single sign on solutions, and in a way, we are trying to use Invenio in part as a SSO.

Just reposting my answer from the chat here:

So, Invenio was never intended to be an SSO…….only intention was to support mulitple ways of authenticating into Invenio, as people have different providers…….invenio has a concept of a local user, and all external auth providers is linked to that local account

We ended with this:

  • an instance of Keycloak for SSO
  • an instance of Invenio, connected to Keycloak
  • several Angular apps, connected to Keycloak, served in a different domain but using Invenio API REST

The problem we have now is:
A user login to an Angular App using Keycloak, but he need to be logged also in Invenio in order to use the API REST. The problem is that the token in the Angular App it’s different than the one in Invenio. We haven’t figured out how to solve this, maybe we are missing some configuration.
Any help is welcome!!!


I am not sure what is your exact problem with tokens. We have designed the authentication on Invenio from Single Page Apps using a secure cookie.
If you haven’t read it yet, here some explanations that you might find useful:

There are some useful links there with very nice explanations.

We have implemented REST authentication for a SPA in React. You can find the source code here:

(see the Axios option withCredentials)

Basically, in a few words, your SPA should:

  1. show and send login/psw to the REST endpoint or redirect to the backend which will redirect to the external login (it depends if you have local login or external login e.g. GitHub or ORCID or any other OAuth)
  2. on login success, the backend will issue a secure cookie with the session, not readable from JS, and another cookie with user info that you can read in your Angular app. You can customize the content of such cookie. You can also call a specific endpoint to fetch user info instead.
  3. your app should, on page load (and maybe from time to time?), try to call an endpoint that requires login (e.g. fetch user profile, which you would probably do on page load anyway) and if the result is 401 Unauthorized, it means that the user is not logged in or the session expired.

Can you explain more in details what tokens you are expecting?

Not a specific reply to the question, but I like OpenID Connect as a technology for federated identity management , and Globus Auth as a nice implementation. Globus is a non-profit in the research data management space and have a nice implementation of federated identity management, supporting many institutional accounts, ORCID and Google (unfortunately not GitHub). We use it at DataCite and at the PID Forum (a Discourse Forum like this one).