How to configure PhenixID Authentication Services as an OpenIDConnect Provider (OP) - using Authorization Code Flow
Warning
Please note that this document uses the legacy authenticators; to use the new protocol-agnostic authenticators, apply the relevant modifications to the configuration examples in this article.
This document describes how to set up PhenixID Authentication Services as an OpenID Connect Provider (OP) using the OIDC Authorization Code Flow, in Advanced configuration mode.
It is recommended to use a scenario to set up this configuration, and to read through this document before you start configuring the service.
Add a keystore for signing tokens
Use this scenario to upload a keystore for token signing.
Add relying party trust configuration
Log in to Configuration Manager
Click Advanced
Click the pen to the right of OIDC_RP
Add the relying party configuration. Example:
{
  "id": "myApp",
  "name": "MyApp OpenID Connect RP",
  "displayName": "MyApp Relying Party",
  "password": "password",
  "allowedRedirects": [
    "https://demo.phenixid.net/myApp/myapp.html"
  ]
}
Parameters explained
| Name | Description |
|---|---|
| id | The id of the relying party (client_id) |
| name | Name of the relying party |
| displayName | Display name of the relying party |
| password | Client password (client_secret); replace the example value with a strong, random secret |
| allowedRedirects | One or more allowed redirect URLs (redirect_uri) |
Add authorization endpoint
Add the authorization endpoint by adding an HTTP authenticator of type OIDC.
In this example, a PhenixID OneTouch authenticator has been used.
{
"alias": "oidc_authz_endpoint",
"name": "OIDCUidOneTouch",
"configuration": {
"pipeID": "PipeOIDCAuthorization",
"enableHoneypot": "false",
"allowedRP": [
"myApp"
]
},
"id": "oidc_authz_endpoint"
}
In the example above, the authorization endpoint is reachable at https://<pas_server>/oidc/authenticate/oidc_authz_endpoint
Add authorization pipe
Add pipe for authorization.
{
"id": "PipeOIDCAuthorization",
"valves": [
{
"name": "InputParameterExistValidatorValve",
"enabled": "true",
"config": {
"param_name": "username"
}
},
{
"name": "ItemCreateValve",
"config": {
"dest_id": "dummy"
}
},
{
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}",
"require_session": "true"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "redirect_uri",
"value": "{{request.redirect_uri}}"
}
},
{
"name": "UUIDCreateValve",
"enabled": "true",
"config": {
"name": "code"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "state",
"value": "{{request.state}}"
}
},
{
"name": "SessionClearAllAliasValve",
"config": {}
},
{
"name": "SessionBindValve",
"config": {
"alias": "{{item.code}}"
}
},
{
"name": "PropertyKeepValve",
"config": {
"name": "redirect_uri,state,code"
}
}
],
"created": "2017-12-21T09:53:46.595Z"
}
Add token endpoint
Open Modules
Add the HTTP authentication API module (or edit it if it already exists in your configuration).
{
  "module": "com.phenixidentity~phenix-api-authenticate",
  "enabled": "true",
  "config": {
    "tenant": [
      {
        "id": "myApp",
        "displayName": "myApp RP token endpoint",
        "allowedOperation": [
          "collectJWT"
        ]
      }
    ]
  },
  "id": "http-auth-api"
}
Stage Changes, Commit Changes
Open System nodes
Add http-auth-api to module_refs
"module_refs": "http-auth-api,5b7efbf4-1cae-485c-811f-5bded1de0757..."
Add pipe for token creation
Add this pipe. The pipe id must correspond to the "allowedOperation" used in the HTTP API configuration; in this example, collectJWT.
Change the keystore parameter below to suit your environment.
{
"id": "collectJWT",
"valves": [
{
"name": "SessionResolveValve",
"config": {
"alias": "{{request.code}}",
"require_session": "true",
"require_auth_session": "false"
}
},
{
"name": "SessionDumpToLog",
"config": {"_comment" : "Debug valve that writes the session contents to the log; remove it once the flow has been verified"}
},
{
"name": "ItemCreateValve",
"config": {
"dest_id": "test"
}
},
{
"name": "OIDCTokenRequestValidationValve",
"config": {
}
},
{
"name": "GenerateJWTTokenVavle",
"config": {
"subjectattribute": "{{session.user_id}}",
"keystore": "e7751374-5207-4ce7-b159-de059438f32a"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "redirect_uri",
"value": "{{request.redirect_uri}}"
}
},
{
"name": "UUIDCreateValve",
"enabled": "true",
"config": {
"name": "access_token"
}
},
{
"name": "SessionClearAllAliasValve",
"config": {"_comment" : "Only needed if access_token is to be returned"}
},
{
"name": "SessionBindValve",
"config": {
"alias": "{{item.access_token}}",
"_comment" : "Only needed if access_token is to be returned"
}
}
],
"created": "2017-11-13T09:53:46.595Z"
}
The token endpoint can be reached at https://<pas_server>/api/authentication/collectJWT
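As an added example (not PhenixID's own code or tooling), the following Python script lints the cross-references this setup depends on: the RP id is listed in the authenticator's allowedRP, the authenticator's pipeID and every allowedOperation name an existing pipe, http-auth-api is present in module_refs, each entry in allowedRedirects is an exact https URL, and the client_secret is not the example placeholder. The configuration fragments are constructed to mirror the ones above; the second id in module_refs is a placeholder.

```python
import json
from urllib.parse import urlparse

# Constructed fragments mirroring the article's configuration (RP trust,
# OIDC authenticator, http-auth-api module, pipe ids, module_refs).
RP = json.loads('{"id": "myApp", "name": "MyApp OpenID Connect RP", '
                '"displayName": "MyApp Relying Party", "password": "password", '
                '"allowedRedirects": ["https://demo.phenixid.net/myApp/myapp.html"]}')
AUTHENTICATOR = {"id": "oidc_authz_endpoint", "name": "OIDCUidOneTouch",
                 "configuration": {"pipeID": "PipeOIDCAuthorization",
                                   "allowedRP": ["myApp"]}}
API_MODULE = {"id": "http-auth-api", "config": {"tenant": [
    {"id": "myApp", "allowedOperation": ["collectJWT"]}]}}
PIPE_IDS = {"PipeOIDCAuthorization", "collectJWT"}
MODULE_REFS = "http-auth-api,OTHER-MODULE-ID-PLACEHOLDER"  # second id is a placeholder
PLACEHOLDER_SECRETS = {"", "password", "secret", "changeme"}


def lint(rp, authenticator, api_module, pipe_ids, module_refs):
    """Return a list of findings; an empty list means the fragments are consistent."""
    findings = []
    # Authorization endpoint: the RP must be trusted and its pipe must exist.
    auth_cfg = authenticator["configuration"]
    if rp["id"] not in auth_cfg.get("allowedRP", []):
        findings.append(f"RP '{rp['id']}' missing from allowedRP of {authenticator['id']}")
    if auth_cfg.get("pipeID") not in pipe_ids:
        findings.append(f"authorization pipe '{auth_cfg.get('pipeID')}' does not exist")
    # Token endpoint: every allowedOperation must name an existing pipe, and
    # the module must be referenced from the system node's module_refs.
    tenant = next((t for t in api_module["config"]["tenant"] if t["id"] == rp["id"]), None)
    if tenant is None:
        findings.append(f"no tenant '{rp['id']}' in module {api_module['id']}")
    else:
        for op in tenant.get("allowedOperation", []):
            if op not in pipe_ids:
                findings.append(f"allowedOperation '{op}' has no pipe with that id")
    if api_module["id"] not in module_refs.split(","):
        findings.append(f"{api_module['id']} is not listed in module_refs")
    # Redirect URIs: absolute https, no wildcard, no fragment.
    for uri in rp.get("allowedRedirects", []):
        u = urlparse(uri)
        if u.scheme != "https" or not u.netloc or "*" in uri or u.fragment:
            findings.append(f"redirect_uri '{uri}' is not an exact https URL")
    # client_secret: reject the example placeholder and short values.
    if rp["password"].lower() in PLACEHOLDER_SECRETS or len(rp["password"]) < 16:
        findings.append("client_secret is a placeholder or shorter than 16 characters")
    return findings
```

Run against the fragments as shown in the article, the only finding is the placeholder client_secret; after replacing it, the lint returns an empty list.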