OpenID Connect Relying Party
Configuring authentication with OIDC is done through a number of components. One of those components is the authenticator "OidcRP". This authenticator currently supports only the Authorization Code Flow.
Example configuration
```json
{
  "alias": "oidcrp",
  "name": "OidcRP",
  "id": "uniqueid",
  "configuration": {
    "pipeID": "pipeid",
    "successUrl": "https://localhost:8443/oidc/authenticate/sso",
    "redirectUri": "https://localhost:8443/oidc/authenticate/oidcrp",
    "secret": "verysecret",
    "clientId": "phenixid-bankid-current",
    "opId": "NorskBID",
    "usernameAttribute": "userid",
    "executeUserInfoLookup": "true"
  }
}
```
Configuring the authenticator
Before enabling the authenticator, ensure that the phenix-oidc-discovery module is enabled and that the correct OIDC OP has been configured for discovery.
| Name | Description | Default value | Mandatory |
|---|---|---|---|
| pipeID | Pipe ID of the pipe used for ID token validation. | N/A | Yes |
| successUrl | Where to send the user agent after successful token validation. | N/A | Yes |
| redirectUri | URL used when communicating with the OP. | N/A | Yes |
| secret | The client secret used when validating the token. | N/A | Yes |
| clientId | ID of the client used when communicating with the OP. | N/A | Yes |
| usernameAttribute | Value considered as the username in the item returned from the validation pipe. | sub | Yes |
| scope | The OIDC scope sent to the OP. | openid | No |
| opId | Internal ID of the OP to use. | N/A | Yes |
| executeUserInfoLookup | Whether to perform a UserInfo lookup in addition (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). Requires the OP to expose a user_info URL in its discovery data. The response from discovery will be sent to the pipe in the parameter "user_info". | false | No |
| usePKCE | Whether or not to use PKCE. | false | No |
| login_hint | The login_hint sent to the OP. | N/A | No |
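The Authorization Code Flow request this authenticator sends, with the optional login_hint and PKCE parameters driven by the configuration keys in the table, plus the state check on the callback to redirectUri. This is an added example, not PhenixID's code; the authorization endpoint is assumed and would normally come from the discovery data.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample config: the page's example values plus the optional keys
# from the table, with usePKCE switched on.
CONFIG = {
    "clientId": "phenixid-bankid-current",
    "redirectUri": "https://localhost:8443/oidc/authenticate/oidcrp",
    "scope": "openid",
    "usePKCE": "true",
    "login_hint": "",
}

def new_code_verifier():
    """Random high-entropy PKCE code_verifier (RFC 7636, base64url, no padding)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) for the S256 method."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorization_request(config, endpoint, state, code_verifier=None):
    """Authorization Code Flow request; PKCE parameters only when usePKCE is true."""
    params = {
        "response_type": "code",
        "client_id": config["clientId"],
        "redirect_uri": config["redirectUri"],
        "scope": config.get("scope", "openid"),  # table default
        "state": state,  # bound to the user's session, checked on the callback
    }
    if config.get("login_hint"):
        params["login_hint"] = config["login_hint"]
    if str(config.get("usePKCE", "false")).lower() == "true":
        if code_verifier is None:
            raise ValueError("usePKCE is true but no code_verifier was generated")
        params["code_challenge"] = s256_challenge(code_verifier)
        params["code_challenge_method"] = "S256"
    return endpoint + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Return the authorization code from the redirect to redirectUri, or raise."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in query:
        raise ValueError("OP returned error: " + query["error"][0])
    return query["code"][0]
```

The code_verifier must be kept server-side with the state and sent in the later token request; the OP rejects the exchange if the challenge does not match it.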
Requirements
The pipe executed MUST respond with one item.
Older versions