OIDC

PhenixID server can act as an OIDC OP (OpenID Provider).

The config UI allows for simplified configuration. Supported flows are implicit flow and authorization code flow. Prefer the authorization code flow for relying parties that can hold a client secret: the implicit flow returns tokens in the browser URL fragment and is discouraged by current OAuth 2.0 security guidance.

Discovery

Once a scenario has been created, the OIDC discovery URL is automatically generated. 

The URL differs slightly depending on whether one or several OIDC authentication scenarios have been configured.

If only one OIDC authentication scenario has been set up, the URL to the discovery data is:

<hostname/ip_address>/.well-known/openid-configuration

When multiple scenarios are configured, the URL includes the tenant id:

<hostname/ip_address>/<tenant_id>.well-known/openid-configuration


Customizing the discovery content is done by clicking the Advanced tab -> OIDC_OP.
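The following is an added example, not part of this page or of the PhenixID product, showing what a relying party should do with the discovery URL described above: build the URL for a single-scenario or multi-scenario setup, and then check the fetched document before trusting any endpoint in it (required metadata present, issuer equal to the URL the document came from, endpoints served over TLS). The hostname idp.example.com, the tenant "acme" and the sample document are constructed; the example also assumes the tenant segment is followed by a "/" before .well-known, so compare with the URL your own server advertises.

```python
import json
from typing import Optional
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Metadata that OpenID Connect Discovery 1.0 (section 3) marks REQUIRED.
REQUIRED = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def discovery_url(host: str, tenant_id: Optional[str] = None) -> str:
    """Build the discovery URL for a single-scenario or multi-scenario setup.

    Assumption: the tenant segment is followed by "/" as in the standard
    well-known path; check this against the URL your server advertises.
    """
    if tenant_id:
        return f"https://{host}/{tenant_id}{WELL_KNOWN}"
    return f"https://{host}{WELL_KNOWN}"


def parse_discovery(url: str, body: str) -> dict:
    """Parse a discovery document and reject anything a client must not trust."""
    if not url.endswith(WELL_KNOWN):
        raise ValueError("not a well-known discovery URL")
    doc = json.loads(body)
    missing = [key for key in REQUIRED if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks required metadata: {missing}")
    # Discovery 4.3: the issuer value MUST equal the URL the document was
    # fetched from, minus the well-known suffix. A mismatch points at a
    # mix-up between providers or at spoofed metadata.
    expected_issuer = url[: -len(WELL_KNOWN)]
    if doc["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError(f"issuer {doc['issuer']!r} does not match {expected_issuer!r}")
    # Endpoints that carry codes, tokens or keys must be served over TLS.
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        if key in doc and urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} is not https: {doc[key]}")
    return doc


# Constructed sample document for a fictitious tenant "acme" on idp.example.com.
SAMPLE_URL = discovery_url("idp.example.com", "acme")
SAMPLE_DOC = json.dumps({
    "issuer": "https://idp.example.com/acme",
    "authorization_endpoint": "https://idp.example.com/acme/authorize",
    "token_endpoint": "https://idp.example.com/acme/token",
    "userinfo_endpoint": "https://idp.example.com/acme/userinfo",
    "jwks_uri": "https://idp.example.com/acme/jwks",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

if __name__ == "__main__":
    endpoints = parse_discovery(SAMPLE_URL, SAMPLE_DOC)
    print(SAMPLE_URL)
    print("token_endpoint:", endpoints["token_endpoint"])
    print("userinfo_endpoint:", endpoints.get("userinfo_endpoint"))
```

The issuer comparison is the check most clients skip: a relying party that accepts whatever issuer the document names can be pointed at metadata for a different provider with the same tenant path and will then send codes to the wrong token endpoint.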

Token endpoint

Once a scenario has been created, a token endpoint execution flow (pipe) is created (for Authorization code flow scenarios).

This execution flow receives the authorization code and exchanges it for an id_token and an access_token.

Handling of refresh tokens can also be added to the token endpoint flow (please view the solution article).

The token endpoint value (token_endpoint) is present in the OIDC discovery (see above).

Modification of the token endpoint is done by editing the Scenario->Execution flow.

UserInfo endpoint

Once a scenario has been created, a UserInfo endpoint execution flow (pipe) is created (for Authorization code flow scenarios).

Consuming the UserInfo endpoint is optional. It is up to each relying party to decide whether to call the UserInfo endpoint to fetch additional claims about the user. These claims are also (normally) passed in the id_token.

The UserInfo endpoint is an OAuth2 protected resource. The access_token returned from the token endpoint must be sent with the request, as a Bearer token in the Authorization header.

The UserInfo endpoint value (userinfo_endpoint) is present in the OIDC discovery (see above).

Modification of the UserInfo endpoint is done by editing the Scenario->Execution flow.
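The following is an added example, not code from this page or from PhenixID, covering the relying-party side of the two endpoints described in the Token endpoint and UserInfo endpoint sections: building the code-for-token request, validating the returned id_token (signature, iss, aud, exp, nonce and the at_hash that binds the access_token to it), and calling UserInfo with the access_token as a Bearer token while checking that its sub matches the id_token. To stay self-contained it assumes the OP signs the id_token with HS256 using the client secret, which OIDC Core permits; a production client talking to an OP that advertises RS256 should verify against the jwks_uri from discovery with a JWT library instead. The issuer, client id, secret, nonce, tokens and UserInfo body are constructed, and sign_hs256 only stands in for the OP to produce the sample token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode
from urllib.request import Request


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token_request(token_endpoint: str, code: str, redirect_uri: str,
                        client_id: str, client_secret: str) -> Request:
    """Authorization-code grant as a POST with client_secret_basic authentication.
    redirect_uri must repeat the value used in the authorization request."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(token_endpoint, data=body, method="POST", headers={
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded"})


def at_hash_for(access_token: str) -> str:
    # at_hash = base64url(left 128 bits of SHA-256(access_token)) for *S256 algorithms.
    return b64url_encode(hashlib.sha256(access_token.encode()).digest()[:16])


def validate_id_token(id_token: str, client_secret: str, issuer: str, client_id: str,
                      nonce: str, access_token: str, now: Optional[int] = None) -> dict:
    """Verify the signature and the claims OIDC Core 3.1.3.7 requires a RP to check."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own header pick the key type.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("id_token signature is invalid")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    if client_id not in audiences:
        raise ValueError("aud does not contain this client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if claims.get("at_hash") != at_hash_for(access_token):
        raise ValueError("at_hash does not match the access_token")
    return claims


def build_userinfo_request(userinfo_endpoint: str, access_token: str) -> Request:
    """UserInfo is an OAuth 2.0 protected resource: the access_token goes in Authorization."""
    return Request(userinfo_endpoint, headers={"Authorization": f"Bearer {access_token}"})


def check_userinfo(body: str, id_token_claims: dict) -> dict:
    """OIDC Core 5.3.2: the sub in UserInfo MUST match the sub in the id_token."""
    info = json.loads(body)
    if info.get("sub") != id_token_claims.get("sub"):
        raise ValueError("UserInfo sub differs from id_token sub")
    return info


def sign_hs256(claims: dict, secret: str) -> str:
    """Stand-in for the OP's signing step, used only to build the sample token below."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


# Constructed sample values (hypothetical issuer, client, secret and tokens).
ISSUER = "https://idp.example.com/acme"
CLIENT_ID = "rp-demo"
CLIENT_SECRET = "demo-secret-do-not-reuse"
NONCE = "n-0S6_WzA2Mj"
ACCESS_TOKEN = "constructed-access-token"
NOW = 1_700_000_000
SAMPLE_ID_TOKEN = sign_hs256({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                              "nonce": NONCE, "iat": NOW, "exp": NOW + 300,
                              "at_hash": at_hash_for(ACCESS_TOKEN)}, CLIENT_SECRET)
SAMPLE_USERINFO = json.dumps({"sub": "user-123", "email": "user@example.com"})

if __name__ == "__main__":
    claims = validate_id_token(SAMPLE_ID_TOKEN, CLIENT_SECRET, ISSUER, CLIENT_ID,
                               NONCE, ACCESS_TOKEN, now=NOW)
    print("id_token ok for", claims["sub"])
    print(check_userinfo(SAMPLE_USERINFO, claims))
```

Two of these checks are the ones that matter when the UserInfo endpoint is used: at_hash stops an attacker from pairing a stolen access_token with an id_token of their own, and the sub comparison stops a substituted access_token from attaching someone else's UserInfo claims to the authenticated session.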