OpenID Connect Relying Party

Authentication with OIDC is configured through a number of components. One of those components is the authenticator "OidcRP". This authenticator currently supports only the Authorization Code Flow.

Example configuration

{
    "alias": "oidcrp",
    "name": "OidcRP",
    "id": "uniqueid",
    "configuration": {
        "pipeID": "pipeid",
        "successUrl": "https://localhost:8443/oidc/authenticate/sso",
        "redirectUri": "https://localhost:8443/oidc/authenticate/oidcrp",
        "secret": "verysecret",
        "clientId": "phenixid-bankid-current",
        "opId": "NorskBID",
        "usernameAttribute": "userid",
        "executeUserInfoLookup": "true"
    }
}

Configuring the authenticator

Before enabling the authenticator, ensure that the phenix-oidc-discovery module is enabled and that the correct OIDC OP has been configured for discovery.

| Name | Description | Default value | Mandatory |
|---|---|---|---|
| pipeID | Id of the pipe used for ID token validation. | N/A | Yes |
| successUrl | Where to send the user agent after successful token validation. | N/A | Yes |
| redirectUri | URL used when communicating with the OP. | N/A | Yes |
| secret | The client secret used when validating the token. | N/A | Yes |
| clientId | Id of the client used when communicating with the OP. | N/A | Yes |
| usernameAttribute | Value considered as the username in the item returned from the validation pipe. | sub | Yes |
| scope | The OIDC scope sent to the OP. | openid | No |
| opId | Internal id of the OP to use. | N/A | Yes |
| executeUserInfoLookup | Whether to additionally perform a user info lookup (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). Requires the OP to expose a user_info URL in its discovery data. The response is passed to the pipe in the parameter "user_info". | false | No |
| usePKCE | Whether or not to use PKCE. | false | No |
| login_hint | The login_hint sent to the OP. | N/A | No |

Requirements

The pipe executed MUST respond with one item.
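How the configuration above drives the Authorization Code Flow, shown as an added Python example that is not PhenixID's own code: the authorization request the RP builds (with PKCE when usePKCE is set) and the ID token claim checks the validation pipe must perform before the usernameAttribute value is trusted. The issuer, authorization endpoint and token claims are constructed; the signature check that precedes claim validation is assumed to have already passed.

```python
# Added example, not PhenixID code. Uses the same configuration keys as the
# example configuration above; ISSUER and AUTH_ENDPOINT stand in for values the
# phenix-oidc-discovery module would supply for the configured opId.
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

CONFIG = {  # constructed, mirrors the example configuration
    "clientId": "phenixid-bankid-current",
    "redirectUri": "https://localhost:8443/oidc/authenticate/oidcrp",
    "scope": "openid",
    "usernameAttribute": "userid",
    "usePKCE": "true",
}
ISSUER = "https://op.example/"          # assumed: "issuer" from discovery data
AUTH_ENDPOINT = ISSUER + "authorize"    # assumed: "authorization_endpoint"

def pkce_pair():
    """Fresh code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge

def build_auth_request(cfg, state, nonce, challenge=None):
    """Authorization request the RP redirects the user agent to."""
    params = {"response_type": "code", "client_id": cfg["clientId"],
              "redirect_uri": cfg["redirectUri"], "scope": cfg["scope"],
              "state": state, "nonce": nonce}
    if cfg.get("usePKCE") == "true" and challenge:
        params.update(code_challenge=challenge, code_challenge_method="S256")
    return AUTH_ENDPOINT + "?" + urlencode(params)

def validate_id_token_claims(claims, cfg, expected_nonce, now=None):
    """Claim checks after signature verification; returns the username."""
    now = now or int(time.time())
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if cfg["clientId"] not in (aud or []):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    attr = cfg.get("usernameAttribute", "sub")
    if attr not in claims:
        raise ValueError(f"username attribute {attr} missing from token")
    return claims[attr]
```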