Implicit Flow
Authenticator handling implicit flows in OIDC.
There are two places where the configuration of an OIDC OpenID Provider (OP) using the Implicit Flow is managed:
Authorization Endpoint – Settings for the authorization endpoint are modified here.
Back-Channel Endpoints – Back-channel endpoints such as UserInfo are managed here.
About
No identification is done by this authenticator. It acts as a controller for issuing JSON Web Tokens (JWT). Typically, this authenticator is the first point of contact for an OpenID Connect Relying Party requesting identification.
This authentication controller can be considered the start and end touch point of the flow. Its main purpose is to handle the OpenID Connect specifics.
Actual user identification is done elsewhere, by the authenticators in the configured chain.
When using this authenticator, the ID token is returned in the response.
Configuration
Common Authenticator configuration can be found here.
Parameter | Description | Default
chain | List of authenticators performing the actual authentication. | N/A
userinfo_endpoint_ttl | UserInfo endpoint time to live, in milliseconds. | 60000
keystore | Keystore reference or JSON object, used for JWT signing. If no alias is configured, the first alias is used. | N/A
required_request_parameters | Parameters that must be present in the authorization request. | ["response_type", "client_id", "redirect_uri", "scope", "nonce"]
{
  "id": "auth00",
  "type": "OIDCImplicitFlow",
  "config": {
    "base_path": "/test/authn",
    "failure_location": "/authn/failure.html",
    "chain": [{
      "id": "select",
      "required": true
    }],
    "userinfo_endpoint_ttl": 90000,
    "required_request_parameters": ["response_type", "client_id", "redirect_uri", "scope", "nonce"],
    "keystore": {
      "path": "/fortified_test/keystore.p12",
      "password": "secret",
      "alias": "jwt",
      "type": "PKCS12"
    },
    "rps": [{
      "client_id": "provided",
      "client_secret": "provided",
      "redirect_uri": ["https://auth.organisation.com/authenticate/oidcrp"],
      "post_logout_redirect_uris": ["https://auth.organisation.com/authenticate/oidcrp/loggedout"],
      "pipe_id": "optional_pipe_id",
      "id_token_headers": {
        "kid": ""
      },
      "id_token_claims": {
        "test_claim": "static_claim",
        "email": "${item.mail}",
        "nonce": "${request.nonce}"
      },
      "access_token_claims": {
        "userinfo_claim_test": "static_claim",
        "email": "${item.mail}",
        "email_verified": true,
        "address": {
          "street_address": "my address",
          "postal_code": "my postal code"
        },
        "given_name": "${item.givenName}",
        "subject": "${item.subject}"
      }
    }]
  }
}
Logging
On a successful authentication, an event is logged containing the following:
WEB_100101
IDENTIFIER (user traceid)
DESTINATION_SERVICE_NAME (redirect URI)
SOURCE_ADDRESS (user IP address)
Data sent to PIPE
All data put into the shared authentication state along with the HTTP headers are exposed and sent into the pipe.
Data put into the state by this authenticator is:
OIDC request data
Expected data from PIPE
To use data from the PIPE, the response must contain one item. All data from that item is available when creating the ID token and access token.
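The following is an added example, not code from the product or this documentation, showing the two pieces of configuration above at work: the required_request_parameters check and the RP's registered redirect_uri list applied to an incoming authorization request, followed by resolution of the ${item.x} and ${request.x} placeholders in id_token_claims from the single PIPE item. Function names, the exact-match redirect_uri rule and the accepted response_type values are assumptions; signing the resulting claims with the configured keystore is left out.

```python
"""Added example (not the product's own code): validate an OIDC Implicit
Flow authorization request against required_request_parameters and the
RP's registered redirect_uri list, then expand the claim templates.
All function names and the constructed CONFIG below are assumptions."""
import re

# Constructed configuration, trimmed from the documented example above.
CONFIG = {
    "required_request_parameters": ["response_type", "client_id", "redirect_uri", "scope", "nonce"],
    "rps": [{
        "client_id": "provided",
        "redirect_uri": ["https://auth.organisation.com/authenticate/oidcrp"],
        "id_token_claims": {
            "test_claim": "static_claim",
            "email": "${item.mail}",
            "nonce": "${request.nonce}",
        },
    }],
}

# Matches exactly one placeholder of the form ${item.key} or ${request.key}.
TEMPLATE = re.compile(r"^\$\{(item|request)\.([A-Za-z0-9_]+)\}$")


def find_rp(config, client_id):
    """Return the RP entry registered for client_id, or None."""
    return next((rp for rp in config["rps"] if rp["client_id"] == client_id), None)


def validate_request(config, params):
    """Return a list of problems with the authorization request; empty means acceptable."""
    # Every required parameter must be present and non-empty (nonce included,
    # since the ID token is delivered in the fragment without a code exchange).
    problems = [f"missing parameter: {p}" for p in config["required_request_parameters"] if not params.get(p)]
    if problems:
        return problems
    rp = find_rp(config, params["client_id"])
    if rp is None:
        return [f"unknown client_id: {params['client_id']}"]
    # Assumed rule: exact string match against the registered list, no prefix
    # or wildcard matching, because the token is sent straight to this URI.
    if params["redirect_uri"] not in rp["redirect_uri"]:
        problems.append("redirect_uri not registered for this client")
    # Assumed: only the implicit-flow response types are accepted here.
    if params["response_type"] not in ("id_token", "id_token token"):
        problems.append(f"unsupported response_type for implicit flow: {params['response_type']}")
    if "openid" not in params["scope"].split():
        problems.append("scope must include openid")
    return problems


def resolve_claims(template_claims, item, request):
    """Expand ${item.X} / ${request.X} placeholders; nested objects and literals pass through."""
    sources = {"item": item, "request": request}
    out = {}
    for name, value in template_claims.items():
        if isinstance(value, dict):
            out[name] = resolve_claims(value, item, request)
            continue
        match = TEMPLATE.match(value) if isinstance(value, str) else None
        if match is None:
            out[name] = value  # static claim value
            continue
        source, key = match.groups()
        if key not in sources[source]:
            raise KeyError(f"claim {name!r} references {source}.{key}, which is not available")
        out[name] = sources[source][key]
    return out


def build_id_token_claims(config, params, item):
    """Validate the request, then produce the ID token claim set for the matching RP."""
    problems = validate_request(config, params)
    if problems:
        raise ValueError("; ".join(problems))
    rp = find_rp(config, params["client_id"])
    return resolve_claims(rp["id_token_claims"], item, params)


if __name__ == "__main__":
    # Constructed request and PIPE item.
    request = {"response_type": "id_token", "client_id": "provided",
               "redirect_uri": "https://auth.organisation.com/authenticate/oidcrp",
               "scope": "openid email", "nonce": "abc123", "state": "xyz"}
    print(build_id_token_claims(CONFIG, request, {"mail": "alice@example.org"}))
```

A request that fails validation never reaches claim resolution, and a template that points at a key the PIPE item did not supply raises rather than silently emitting an empty claim, so a misconfigured id_token_claims entry surfaces in testing instead of in issued tokens.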