Table of Contents

OpenID Connect Relying Party

Warning

This authenticator is a legacy authenticator. It is recommended to plan for migrating the authenticator to the new protocol agnostic authenticator architecture. More information about the legacy authenticators can be found here.

Note

Configuring authentication with OIDC is done through a number of components. One of those components is the authenticator "OidcRP". This authenticator currently only supports Authorization Code Flow.

Example configuration

{
    "alias": "oidcrp",
    "name": "OidcRP",
    "id": "uniqueid",
    "configuration": {
        "pipeID": "pipeid",
        "successUrl": "https://localhost:8443/oidc/authenticate/sso",
        "redirectUri": "https://localhost:8443/oidc/authenticate/oidcrp",
        "secret": "verysecret",
        "clientId": "phenixid-bankid-current",
        "opId": "NorskBID",
        "usernameAttribute": "userid",
        "executeUserInfoLookup": "true"
    }
}

Configuring the authenticator

Before enabling the authenticator ensure that phenix-oidc-discovery module is enabled and that the right OIDC OP has been configured for discovery.

Name Description Default value Mandatory
pipeID
 pipe id of the pipe used for id token validation. N/A YES
successUrl
 Where to send the user agent after successful token validation N/A
 YES
redirectUri
 URL used when communicating with the OP. N/A
 YES
secret
 The client secret used validating the token N/A
 YES
clientId
 Id of the client used when communicating with the OP N/A
 YES
usernameAttribute
 Value considered as username in the returned item from validation pipe. sub YES
scope The oidc scope sent to the OP openid
 No
opId
 Internal id of the OP to use N/A Yes
executeUserInfoLookup
 If to perform a user info lookup in addition.
Final: OpenID Connect Core 1.0 incorporating errata set 2
Requires the op exposing a user_info url in discovery data. Response from discovery will be sent in to the pipe in parameter  "user_info".
 false No
usePKCE
 Whether or not to use PKCE false No
login_hint The login_hint sent to the OP N/A No

Requirements

The pipe executed MUST respond with one item.

Authentication Deprecated OIDC (OpenID Connect) Federation