This authenticator delegates the authentication to a trusted (internal or external) OIDC OP. It authenticates by sending an authentication request to that OP and then validating the id_token. This authenticator currently only supports Authorization Code Flow. 

Configuring the authenticator

Before enabling the authenticator ensure that phenix-oidc-discovery module is enabled and that the right OIDC OP has been configured for discovery. This is important and required even if the target OP is internal.

Default value
pipe id of the pipe used for id token validation. N/A YES
rpID Internal ID of the OIDC Relying party to use N/A
Value considered as username in the returned item from validation pipe. sub YES
scope The oidc scope sent to the OP  openid
Internal id of the OP to use N/A Yes
If to perform a user info lookup in addition.
Requires the op exposing a user_info url in discovery data. Response from discovery will be sent in to the pipe in parameter  "user_info".
false No
Whether or not to use PKCE true No
useNonce Whether or not to use Nonce true No
loginHint The login_hint sent to the OP (EXPANDABLE) N/A No
acrValues The acr_values sent to the OP (EXPANDABLE) N/A No
The redirect URL to use. Normally, the current URL will be sent as redirect url (since the URL will be different depending on the protocol entrypoint, or IDP), but that will be overridden if this property is set.

Note that if this option is set, the authenticator will only function for that protocol and IDP ID.
N/A No

Example configuration

  "id" : "6b216eaa-fd5b-49c2-ae86-f809a348c24e",
  "alias" : "rpbroker",
  "name" : "RPBroker",
  "displayName" : "rpbroker",
  "configuration" : {
    "pipeID" : "bb386174-090e-439b-81bb-ea19be41c6cf",
    "opID" : "my_oidc_op_id_2",
    "rpID" : "broker",
    "usePKCE" : "true",
    "useNonce" : "true",
    "doUserInfoLookup" : "false",
    "usernameAttribute" : "sub",
    "loginHint" : "{{session.userSource}}",
    "acrValues" : ["myacrValue1", "{{request.myacrValue2}}"]
  "created" : "2023-12-08T09:44:50.897Z"
Click to copy


The pipe executed MUST respond with one item. The phenix-oidc-discovery module must be enabled so that the OIDC OP's endpoints can be saved and used for the authentication. This is required even if the target OP is internal.