OpenID Connect Discovery

Warning

This authenticator is a legacy authenticator. It is recommended to plan for migrating the authenticator to the new protocol agnostic authenticator architecture. More information about the legacy authenticators can be found here.

Note

It is possible to configure the server for OpenID Connect discovery. This is not enabled by default.

More detail about OIDC discovery can be found at: Final: OpenID Connect Discovery 1.0 incorporating errata set 2

Creating OpenID Providers

In order to enable discovery, an OP (OpenID Provider) needs to be configured. This is done under the Advanced menu.

Under the category "OIDC_OP", add the configuration.

Example configuration

Note that tenant and id are required parameters. Together they must be unique within the OIDC_OP "bucket".

Supported characters are a-z, 0-9.

{
    "tenant": "myop",
    "id": "myop",
    "config": {
        "issuer": "https://integration.phenixid.se/oidc",
        "authorization_endpoint": "https://integration.phenixid.se/oidc_auth/authenticate/oidc_authz_start",
        "token_endpoint": "https://integration.phenixid.se/api/authentication/collectJWT",
        "response_types_supported": [
            "code"
        ],
        "grant_types_supported": [
            "authorization_code"
        ],
        "subject_types_supported": [
            "public"
        ],
        "id_token_signing_alg_values_supported": [
            "RS256"
        ],
        "scopes_supported": [
            "openid"
        ],
        "token_endpoint_auth_methods_supported": [
            "none"
        ],
        "claims_supported": [
            "iss",
            "ver",
            "sub"
        ],
        "end_session_endpoint": "https://integration.phenixid.se/oidc/authenticate/logout/",
        "request_parameter_supported": "true",
        "signStore": "b8835784-cb82-4fe1-87e0-b367236d855b"
    }
}

Within the "config" portion of the block above, all the OP discovery data must reside. Note that only strings are valid as values; for properties of other data types (such as request_parameter_supported above), the system transforms the string value automatically when producing the output.

Apart from the parameters described in Final: OpenID Connect Discovery 1.0 incorporating errata set 2, the additional property "signStore" is required. It must point to a keystore uploaded at an earlier stage, and this keystore should also be the one used when signing the JWT token.

Accessing the data

After adding an OP, the server exposes four new URIs:

  • /.well-known/openid-configuration
  • /.*/.well-known/openid-configuration
  • /.well-known/openid-configuration/jwks
  • /.*/.well-known/openid-configuration/jwks

If only ONE OP was added, the OP discovery data is accessed at the URI:

  • /.well-known/openid-configuration

If no value is defined for the property jwks_uri, the system adds it. The value is constructed as:

  • /.well-known/openid-configuration/jwks

For multi-OP support, access /<name>/.well-known/openid-configuration, where <name> is the name entered for the OP (myop in the example above).
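A configuration entry that violates the rules above will only fail once discovery is requested, so it is worth checking the OIDC_OP JSON before saving it. The following Python check is an added example, not part of the product: it enforces that tenant and id use only a-z and 0-9 and are unique within the bucket, that every config value is a string (or a list of strings, as in the example), that the issuer and all endpoints use https, that signStore is present, and it reports the jwks_uri the server will publish when none is configured. REQUIRED_KEYS is an assumption taken from the example above, not a list published by the product.

```python
import re
from urllib.parse import urlparse

# Characters the page allows in tenant and id.
NAME_RE = re.compile(r"^[a-z0-9]+$")
# Keys treated as mandatory here: discovery metadata from the page's example
# plus the product-specific signStore (an assumption, not a product list).
REQUIRED_KEYS = (
    "issuer", "authorization_endpoint", "token_endpoint",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported", "signStore",
)
DEFAULT_JWKS_PATH = "/.well-known/openid-configuration/jwks"


def effective_jwks_uri(config):
    """jwks_uri as the server publishes it: the configured value, else the default path."""
    return config.get("jwks_uri") or DEFAULT_JWKS_PATH


def validate_op(entry, seen=None):
    """Return a list of problems for one OIDC_OP entry; seen holds (tenant, id)
    pairs already checked so duplicates within the bucket are reported."""
    seen = set() if seen is None else seen
    problems = []
    for field in ("tenant", "id"):
        value = entry.get(field)
        if not isinstance(value, str) or not NAME_RE.match(value):
            problems.append(f"{field}: required, only a-z and 0-9 allowed")
    key = (entry.get("tenant"), entry.get("id"))
    if key in seen:
        problems.append(f"tenant/id {key} already present in OIDC_OP bucket")
    seen.add(key)
    config = entry.get("config")
    if not isinstance(config, dict):
        return problems + ["config: must be an object"]
    for k in REQUIRED_KEYS:
        if k not in config:
            problems.append(f"config.{k}: missing")
    for k, v in config.items():
        # Only strings are valid values (lists of strings as in the page's example
        # are accepted); unquoted booleans or numbers are rejected.
        if not (isinstance(v, str) or (isinstance(v, list) and all(isinstance(i, str) for i in v))):
            problems.append(f"config.{k}: value must be a string (got {type(v).__name__})")
        # The issuer and every endpoint must be served over https.
        if (k == "issuer" or k.endswith("_endpoint")) and isinstance(v, str) and urlparse(v).scheme != "https":
            problems.append(f"config.{k}: must be an https URL")
    return problems
```

Run validate_op over every entry in the OIDC_OP bucket with one shared seen set; an empty list means the entry passes all the checks above.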