RPBroker

Note: This authenticator delegates authentication to a trusted OIDC OP (internal or external). It sends an authentication request to that OP and then validates the id_token that comes back. Only the Authorization Code Flow is currently supported.

Configuring the authenticator

Before enabling the authenticator, ensure that the phenix-oidc-discovery module is enabled and that the target OIDC OP has been configured for discovery. This is required even when the target OP is internal.

| Name | Description | Default value | Mandatory |
|---|---|---|---|
| pipeID | ID of the pipe used for id_token validation. | N/A | Yes |
| rpID | Internal ID of the OIDC Relying Party to use. | N/A | Yes |
| usernameAttribute | Attribute of the item returned by the validation pipe whose value is used as the username. | sub | Yes |
| scope | The OIDC scope sent to the OP (EXPANDABLE: {{...}} expressions are expanded). | openid | No |
| opId | Internal ID of the OP to use. | N/A | Yes |
| executeUserInfoLookup | Whether to additionally call the OP's UserInfo endpoint (OpenID Connect Core 1.0, section 5.3). Requires the OP to expose a userinfo_endpoint in its discovery data. The response is passed to the pipe in the parameter "user_info". | false | No |
| usePKCE | Whether or not to use PKCE. | true | No |
| useNonce | Whether or not to use a nonce. | true | No |
| loginHint | The login_hint sent to the OP (EXPANDABLE). | N/A | No |
| acrValues | The acr_values sent to the OP (EXPANDABLE). | N/A | No |
| redirectUrlOverride | The redirect URL to use. By default the current URL is sent as the redirect URL (it differs per protocol entrypoint and IDP); setting this property overrides that. Note that when it is set, the authenticator only functions for that one protocol and IDP ID. | N/A | No |

Example configuration

{
  "id" : "6b216eaa-fd5b-49c2-ae86-f809a348c24e",
  "alias" : "rpbroker",
  "name" : "RPBroker",
  "displayName" : "rpbroker",
  "configuration" : {
    "pipeID" : "bb386174-090e-439b-81bb-ea19be41c6cf",
    "opID" : "my_oidc_op_id_2",
    "rpID" : "broker",
    "usePKCE" : "true",
    "useNonce" : "true",
    "doUserInfoLookup" : "false",
    "usernameAttribute" : "sub", 
    "loginHint" : "{{session.userSource}}",
    "acrValues" : ["myacrValue1", "{{request.myacrValue2}}"]
  },
  "created" : "2023-12-08T09:44:50.897Z"
}

Note: the property names in this example (opID, doUserInfoLookup) do not match the table above (opId, executeUserInfoLookup); check which spelling the version you run accepts before copying it.
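As an added example (not code from the RPBroker module or its vendor), here is the relying-party side of the flow that the properties above configure, in Python with the standard library only: building the authentication request with PKCE (S256), a nonce, login_hint and acr_values; the token request that redeems the code with the code_verifier; and validation of the returned id_token (alg, signature, iss, aud, exp, nonce) before the username is picked out with usernameAttribute. RpConfig and every function name, URL, secret and claim value are constructed for illustration; the token is HS256-signed with the client secret so that the example runs offline, whereas a real OP normally signs with RS256 using keys from its discovery data.

```python
import base64, hashlib, hmac, json, secrets, time
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def pkce_challenge(verifier: str) -> str:  # RFC 7636 S256: only the hash leaves the RP
    return b64url(hashlib.sha256(verifier.encode()).digest())

@dataclass
class RpConfig:  # hypothetical mirror of the authenticator's properties (names assumed)
    authorization_endpoint: str     # normally read from the OP's discovery data
    issuer: str
    client_id: str                  # client_id of the configured rpID
    client_secret: str
    redirect_uri: str               # the current URL, or redirectUrlOverride
    scope: str = "openid"
    use_pkce: bool = True
    use_nonce: bool = True
    login_hint: Optional[str] = None
    acr_values: List[str] = field(default_factory=list)
    username_attribute: str = "sub"

def build_authorization_request(cfg):
    """Return (url, login_state); keep login_state server-side until the OP redirects back."""
    st = {"state": secrets.token_urlsafe(16)}
    params = {"response_type": "code", "client_id": cfg.client_id, "state": st["state"],
              "redirect_uri": cfg.redirect_uri, "scope": cfg.scope}
    if cfg.use_pkce:
        st["code_verifier"] = secrets.token_urlsafe(32)
        params["code_challenge"] = pkce_challenge(st["code_verifier"])
        params["code_challenge_method"] = "S256"
    if cfg.use_nonce:  # the OP echoes it in the id_token, binding the token to this login
        st["nonce"] = secrets.token_urlsafe(16)
        params["nonce"] = st["nonce"]
    if cfg.login_hint:
        params["login_hint"] = cfg.login_hint
    if cfg.acr_values:
        params["acr_values"] = " ".join(cfg.acr_values)
    return f"{cfg.authorization_endpoint}?{urlencode(params)}", st

def build_token_request(cfg, code, st):
    """Token-endpoint body; the code_verifier proves the same client redeems the code."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": cfg.redirect_uri, "client_id": cfg.client_id}
    if "code_verifier" in st:
        body["code_verifier"] = st["code_verifier"]
    return body

def validate_id_token(token, cfg, st, now=None):
    """Check alg, signature, iss, aud, exp and nonce; ValueError on any failure. HS256 with the
    client secret keeps this offline; real OPs usually use RS256 with keys from the jwks_uri."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept "none"
    expected = hmac.new(cfg.client_secret.encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != cfg.issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if cfg.client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if cfg.use_nonce and claims.get("nonce") != st.get("nonce"):
        raise ValueError("nonce mismatch")
    return claims

def check_id_token(token, cfg, st, now=None):
    """Non-raising form: None when valid, otherwise the rejection reason."""
    try:
        validate_id_token(token, cfg, st, now)
    except ValueError as err:
        return str(err)
    return None

def mint_test_id_token(cfg, claims):
    """Constructed stand-in for the OP, used only to produce test tokens."""
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url(json.dumps(claims).encode())
    sig = hmac.new(cfg.client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"

def demo(now=1_700_000_000):
    """Whole flow against the constructed OP; every value here is made up."""
    cfg = RpConfig("https://op.example.test/authorize", "https://op.example.test", "broker",
                   "constructed-secret", "https://idp.example.test/callback",
                   login_hint="alice", acr_values=["myacrValue1", "myacrValue2"])
    url, st = build_authorization_request(cfg)
    claims = {"iss": cfg.issuer, "aud": "broker", "sub": "alice@example.test",
              "iat": now, "exp": now + 300, "nonce": st["nonce"]}
    verified = validate_id_token(mint_test_id_token(cfg, claims), cfg, st, now=now)
    username = verified[cfg.username_attribute]   # what usernameAttribute selects
    return cfg, st, parse_qs(urlparse(url).query), verified, username
```

demo() runs the full round trip. The negative checks are the point: a correctly signed token with the wrong nonce, audience or issuer, or one past its exp, must still be rejected, which is why useNonce should stay enabled and the validation pipe must not accept a token on signature alone.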

Requirements

The pipe that is executed MUST return exactly one item. The phenix-oidc-discovery module must be enabled so that the OIDC OP's endpoints can be stored and used during authentication; this is required even if the target OP is internal.