OpenID Connect Relying Party
Configuring authentication with OIDC involves a number of components. One of them is the authenticator "OidcRP", which currently supports only the Authorization Code Flow.
Example configuration
```json
{
  "alias": "oidcrp",
  "name": "OidcRP",
  "id": "uniqueid",
  "configuration": {
    "pipeID": "pipeid",
    "successUrl": "https://localhost:8443/oidc/authenticate/sso",
    "redirectUri": "https://localhost:8443/oidc/authenticate/oidcrp",
    "secret": "verysecret",
    "clientId": "phenixid-bankid-current",
    "opId": "NorskBID",
    "usernameAttribute": "userid",
    "executeUserInfoLookup": "true"
  }
}
```
Configuring the authenticator
Before enabling the authenticator, ensure that the phenix-oidc-discovery module is enabled and that the correct OIDC OP has been configured for discovery.
| Name | Description | Default value | Mandatory |
|---|---|---|---|
| pipeID | ID of the pipe used for ID token validation. | N/A | Yes |
| successUrl | Where to send the user agent after successful token validation. | N/A | Yes |
| redirectUri | URL used when communicating with the OP. | N/A | Yes |
| secret | The client secret used when validating the token. | N/A | Yes |
| clientId | ID of the client used when communicating with the OP. | N/A | Yes |
| usernameAttribute | Value considered as the username in the item returned by the validation pipe. | sub | Yes |
| scope | The OIDC scope sent to the OP. | openid | No |
| opId | Internal ID of the OP to use. | N/A | Yes |
| executeUserInfoLookup | Whether to additionally perform a user info lookup (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). Requires the OP to expose a user_info URL in its discovery data. The response is passed to the pipe in the parameter "user_info". | false | No |
| usePKCE | Whether or not to use PKCE. | false | No |
| login_hint | The login_hint sent to the OP. | N/A | No |
Requirements
The pipe that is executed MUST respond with one item.
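To make concrete what the parameters above drive, here is an added example (not PhenixID's code, and not how the OidcRP authenticator is implemented) of the relying-party side of the Authorization Code Flow: building the redirect to the OP with a state, a nonce and, when usePKCE is on, a PKCE challenge; checking the callback that arrives at redirectUri; the ID token claim checks a validation pipe has to perform; and picking the username the way usernameAttribute does from the single item the pipe must return. The discovery data, endpoint URLs and token claims are constructed placeholders, and signature verification of the ID token is assumed to happen elsewhere.

```python
# Added example (not PhenixID's own code). Pure functions, so it runs offline.
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed configuration mirroring the page's example; values are placeholders.
CONFIG = {
    "clientId": "phenixid-bankid-current",
    "redirectUri": "https://localhost:8443/oidc/authenticate/oidcrp",
    "scope": "openid",
    "usernameAttribute": "userid",
    "usePKCE": True,
}
# Constructed discovery data for a hypothetical OP (what phenix-oidc-discovery would fetch).
DISCOVERY = {
    "issuer": "https://op.example.test",
    "authorization_endpoint": "https://op.example.test/authorize",
}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def build_authorization_request(config, discovery, state, nonce, code_verifier=None):
    """Build the redirect to the OP plus the per-login values the RP must keep
    in its session: state binds the callback, nonce binds the ID token, and the
    PKCE verifier is presented at the token endpoint."""
    params = {
        "response_type": "code",
        "client_id": config["clientId"],
        "redirect_uri": config["redirectUri"],
        "scope": config.get("scope", "openid"),
        "state": state,
        "nonce": nonce,
    }
    session = {"state": state, "nonce": nonce}
    if config.get("usePKCE"):
        verifier, challenge = pkce_pair(code_verifier)
        params["code_challenge"] = challenge
        params["code_challenge_method"] = "S256"
        session["code_verifier"] = verifier
    if config.get("login_hint"):
        params["login_hint"] = config["login_hint"]
    return f"{discovery['authorization_endpoint']}?{urlencode(params)}", session


def parse_callback(url, session):
    """Check the OP's redirect back to redirectUri and return the code."""
    q = parse_qs(urlparse(url).query)
    if "error" in q:
        raise ValueError(f"OP returned error: {q['error'][0]}")
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this login")
    return q["code"][0]


def validate_id_token_claims(claims, config, discovery, session, now=None):
    """Claim checks from OpenID Connect Core 3.1.3.7; signature verification
    against the OP's keys is assumed to have been done already."""
    now = time.time() if now is None else now
    if claims.get("iss") != discovery["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if config["clientId"] not in aud:
        raise ValueError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != config["clientId"]:
        raise ValueError("azp missing or wrong on multi-audience token")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch (possible replay)")
    return True


def username_from_pipe_items(items, config):
    """The pipe must return one item; read usernameAttribute (default sub) from it."""
    if len(items) != 1:
        raise ValueError(f"validation pipe returned {len(items)} items, expected 1")
    attr = config.get("usernameAttribute", "sub")
    if attr not in items[0]:
        raise KeyError(f"item lacks username attribute {attr!r}")
    return items[0][attr]


if __name__ == "__main__":
    url, sess = build_authorization_request(CONFIG, DISCOVERY, "st1", "n1")
    print(url)
    print(username_from_pipe_items([{"sub": "abc", "userid": "alice"}], CONFIG))
```

The state and nonce are per-login random values the RP stores in the session before redirecting; the callback and the ID token are accepted only when they echo them back, which is what ties the returned code and token to the browser session that started the login.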