Relying Party
Note: There are two sections related to the OIDC Relying Party. This section describes the case where Fortified ID Access acts as an OIDC OpenID Provider (OP). If you are looking for the case where Access acts as an OIDC Relying Party (RP) against an external OIDC Provider, follow the link to that section.
Relying party Configuration
| Parameter | Description | Default |
|---|---|---|
| app_tag | JSON array of strings used for filtering and similar operations. | N/A |
| client_id | Unique identifier for the client (Relying Party). | N/A |
| client_secret | Secret shared with the OP, used for token endpoint authentication. | N/A |
| redirect_uri | List of allowed redirect URIs to which the OP may send authorization responses. The value requested by the client must match one of these entries exactly. | N/A |
| post_logout_redirect_uris | List of URIs the user may be redirected to after logout (front-channel logout). | N/A |
| pipe_id | Pipe reference. The pipe runs directly after user authentication; use it to transform or enrich token content. | N/A |
| id_token_headers | Optional JOSE header parameters to include in issued ID Tokens. | N/A |
| id_token_claims | JSON map of custom claims to include in the ID Token payload. | N/A |
| access_token_headers | Optional JOSE headers for JWT access tokens (if enabled). | N/A |
| access_token_claims | Custom claims added to the JWT access token payload. | N/A |
| userinfo_claims | Claims returned from the userinfo endpoint when the access token is opaque. If NOT configured, access_token_claims is used instead. | N/A |
| refresh_token_persist_pipe_id | Pipe to send the refresh token to. It is up to the administrator to decide what the pipe does with it. | N/A |
| refresh_token_resolve_pipe_id | Pipe to load/resolve a refresh token. The pipe should also create and persist a new refresh token. | N/A |
| userinfo_pipe_id | Used to generate userinfo data when the incoming access token is a JWT. | N/A |
| client_credentials_pipe_id | Pipe that issues an access token for the client_credentials grant. The client_credentials grant lets a client authenticate itself and obtain an access token to call APIs on its own behalf, without any end user involved (machine-to-machine). | N/A |
```json
"rps" : [{
    "client_id" : "provided",
    "client_secret" : "provided",
    "redirect_uri" : ["https://auth.organisation.com/authenticate/oidcrp"],
    "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"],
    "pipe_id" : "optional_pipe_id",
    "app_tag" : ["app1", "app2"],
    "id_token_headers" : {
    },
    "id_token_claims" : {
        "email": "${item.mail}",
        "sub": "${exports.subject}"
    },
    "access_token_headers" : {
        "typ": "at+jwt"
    },
    "access_token_claims" : {
        "custom_claim": "static_claim",
        "sub": "${exports.subject}"
    },
    "userinfo_claims": {
        "sub": "${exports.subject}",
        "name": "${item.name}",
        "given_name": "${item.givenName}",
        "family_name": "${item.familyName}",
        "email": "${item.mail}",
        "email_verified": true
    }
}]
```
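The following is an added illustration, not Fortified ID Access code, of the semantics the table above describes: looking up an RP by client_id, accepting a redirect_uri only on an exact match against the configured list, choosing userinfo_claims with fallback to access_token_claims, and resolving the `${item.x}` / `${exports.x}` claim templates from the page's example. The configuration is constructed for the example (a second RP, `rp-two`, is added so lookup is non-trivial), and the template resolution rules are an assumption about how `${scope.field}` is expanded, inferred only from the syntax shown on this page.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed sample configuration modelled on the page's "rps" example.
# "rp-two" is added for the example and is not part of the original page.
OP_CONFIG = json.loads("""
{
  "rps": [
    {
      "client_id": "rp-one",
      "client_secret": "rp-one-secret",
      "redirect_uri": ["https://auth.organisation.com/authenticate/oidcrp"],
      "post_logout_redirect_uris": ["https://auth.organisation.com/authenticate/oidcrp/loggedout"],
      "app_tag": ["app1", "app2"],
      "id_token_claims": {"email": "${item.mail}", "sub": "${exports.subject}"},
      "access_token_claims": {"custom_claim": "static_claim", "sub": "${exports.subject}"},
      "userinfo_claims": {
        "sub": "${exports.subject}",
        "name": "${item.name}",
        "email": "${item.mail}",
        "email_verified": true
      }
    },
    {
      "client_id": "rp-two",
      "client_secret": "rp-two-secret",
      "redirect_uri": ["https://app2.example.test/cb"],
      "access_token_claims": {"sub": "${exports.subject}", "scope": "api"}
    }
  ]
}
""")

# Assumed template shape: the whole value is exactly "${scope.field}".
TEMPLATE_RE = re.compile(r"^\$\{(\w+)\.(\w+)\}$")


def find_rp(config: Dict[str, Any], client_id: str) -> Optional[Dict[str, Any]]:
    """Return the RP entry whose client_id matches, or None if unknown."""
    for rp in config.get("rps", []):
        if rp.get("client_id") == client_id:
            return rp
    return None


def redirect_uri_allowed(rp: Dict[str, Any], requested: str) -> bool:
    """Exact string comparison against the configured list.

    No prefix, wildcard, trailing-slash or case-insensitive matching: the
    table says the requested value must match an entry exactly, which is
    what stops an authorization code from being sent to a lookalike URI.
    """
    return any(requested == allowed for allowed in rp.get("redirect_uri", []))


def userinfo_templates(rp: Dict[str, Any]) -> Dict[str, Any]:
    """userinfo_claims when configured; otherwise fall back to access_token_claims."""
    if "userinfo_claims" in rp:
        return rp["userinfo_claims"]
    return rp.get("access_token_claims", {})


def render_claims(templates: Dict[str, Any], context: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Expand ${scope.field} templates from a context like {"item": ..., "exports": ...}.

    Literal strings and non-string values (e.g. the boolean email_verified)
    pass through unchanged. These rules are an assumption for this example.
    """
    rendered: Dict[str, Any] = {}
    for name, value in templates.items():
        if isinstance(value, str):
            match = TEMPLATE_RE.match(value)
            if match:
                scope, field = match.groups()
                value = context.get(scope, {}).get(field)
        rendered[name] = value
    return rendered


if __name__ == "__main__":
    # Constructed pipeline context: directory attributes and an exported subject.
    ctx = {"item": {"mail": "ann@organisation.com", "name": "Ann"},
           "exports": {"subject": "user-123"}}
    rp = find_rp(OP_CONFIG, "rp-one")
    print(redirect_uri_allowed(rp, "https://auth.organisation.com/authenticate/oidcrp"))
    print(redirect_uri_allowed(rp, "https://auth.organisation.com/authenticate/oidcrp/"))
    print(render_claims(userinfo_templates(rp), ctx))
    print(render_claims(userinfo_templates(find_rp(OP_CONFIG, "rp-two")), ctx))
```

Run it as a script to see that the trailing-slash variant is rejected while the configured URI is accepted, and that `rp-two`, which has no userinfo_claims, gets its userinfo content from access_token_claims.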
