Implicit Flow

Authenticator handling implicit flows in OIDC.

About

No identification is done by this authenticator. It acts as a controller for issuing Json Web Tokens (JWT). Typically this authenticator is the first point of contact coming from an OpenID Connect Relying Party, requesting identification.

This authentication controller can be considered a start and end touch point. The main purpose is to handle OpenID Connect specifics.

Actual user identification is done elsewhere.

When using this authenticator, the ID token is returned in the response.

Configuration

Authenticator Type: OIDCImplicitFlow

Common Authenticator configuration can be found here.

Name

Description

Default value

Mandatory

{
    "id": "oidcimplicit",
    "type": "OIDCImplicitFlow",
    "config": {
        "base_path": "/test/authn",
        "failure_location": "/authn/failure.html",
        "required_authenticators": [
            "auth_selector"
        ],
        "userinfo_endpoint_ttl" : 90000,
        "required_request_parameters": ["response_type", "client_id", "redirect_uri", "scope", "nonce"],
        "keystore" : {
            "path" : "/fortified_test/keystore.p12",
            "password" : "secret",
            "type" : "PKCS12"
        },
        "sign_jwt_keystore_password" : "secret",
        "sign_jwt_keystore_alias" : "jwt",
        "rps" : [ {
            "client_id" : "provided",
            "client_secret" : "provided",
            "redirect_uri" : ["https://auth.organisation.com/authenticate/oidcrp"],
            "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"],
            "pipe_id" : "optional_pipe_id",
            "jwt_headers" : {
                "kid" : ""
            },
            "jwt_claims" : {
                "secret_id": "{{{session.id}}}",
                "test_claim": "static_claim",
                "email": "{{{item.mail}}}",
                "nonce": "{{{request.nonce}}}"
            },
            "userinfo_claims" : {
                "secret_id": "{{{session.id}}}",
                "userinfo_claim_test": "static_claim",
                "email": "{{{item.mail}}}",
                "email_verified": true,
                "address": {
                    "street_address": "my address", 
                    "postal_code": "my postal code"
                },
                "given_name": "{{{item.givenName}}}",
                "subject": "{{{item.subject}}}"
            }
        }]
    }
}

Relying party Configuration

"rps" : [{
    "client_id" : "provided",
    "client_secret" : "provided",
    "redirect_uri" : ["https://auth.organisation.com/authenticate/oidcrp"],
    "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"],
    "pipe_id" : "optional_pipe_id",
    "jwt_headers" : {
        "kid" : ""
    },
    "jwt_claims" : {
        "secret_id": "{{{session.id}}}",
        "test_claim": "static_claim",
        "email": "{{{item.mail}}}",
        "nonce": "{{{request.nonce}}}"
    },
    "userinfo_claims" : {
        "secret_id": "{{{session.id}}}",
        "userinfo_claim_test": "static_claim",
        "email": "{{{item.mail}}}",
        "email_verified": true,
        "address": {
            "street_address": "my address", 
            "postal_code": "my postal code"
        },
        "given_name": "{{{item.givenName}}}",
        "subject": "{{{item.subject}}}"
    }
}]

Logging

On a successful authentication, an event is logged containing the following:

WEB_100101
IDENTIFIER (user traceid)
DESTINATION_SERVICE_NAME (redirect URI)
SOURCE_ADDRESS (user IP address)

Data sent to PIPE

All data put into the shared authentication state along with the HTTP headers are exposed and sent into the pipe.

Data put into the state by this authenticator is:

OIDC request data

Expected data from PIPE

In order to use data from PIPE the response must contain one item. All data from that item will be available when creating the ID token and access token.

PreviousAuthorization Code Flow NextOIDC Relying Party

Last updated 8 months ago

About

This authentication controller can be considered a start and end touch point. The main purpose is to handle OpenID Connect specifics.

Actual user identification is done elsewhere.

When using this authenticator, the ID token is returned in the response.

Configuration

Authenticator Type: OIDCImplicitFlow

Common Authenticator configuration can be found here.

Name

Description

Default value

Mandatory

{
    "id": "oidcimplicit",
    "type": "OIDCImplicitFlow",
    "config": {
        "base_path": "/test/authn",
        "failure_location": "/authn/failure.html",
        "required_authenticators": [
            "auth_selector"
        ],
        "userinfo_endpoint_ttl" : 90000,
        "required_request_parameters": ["response_type", "client_id", "redirect_uri", "scope", "nonce"],
        "keystore" : {
            "path" : "/fortified_test/keystore.p12",
            "password" : "secret",
            "type" : "PKCS12"
        },
        "sign_jwt_keystore_password" : "secret",
        "sign_jwt_keystore_alias" : "jwt",
        "rps" : [ {
            "client_id" : "provided",
            "client_secret" : "provided",
            "redirect_uri" : ["https://auth.organisation.com/authenticate/oidcrp"],
            "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"],
            "pipe_id" : "optional_pipe_id",
            "jwt_headers" : {
                "kid" : ""
            },
            "jwt_claims" : {
                "secret_id": "{{{session.id}}}",
                "test_claim": "static_claim",
                "email": "{{{item.mail}}}",
                "nonce": "{{{request.nonce}}}"
            },
            "userinfo_claims" : {
                "secret_id": "{{{session.id}}}",
                "userinfo_claim_test": "static_claim",
                "email": "{{{item.mail}}}",
                "email_verified": true,
                "address": {
                    "street_address": "my address", 
                    "postal_code": "my postal code"
                },
                "given_name": "{{{item.givenName}}}",
                "subject": "{{{item.subject}}}"
            }
        }]
    }
}

Relying party Configuration

Name

Description

Default value

Mandatory

"rps" : [{
    "client_id" : "provided",
    "client_secret" : "provided",
    "redirect_uri" : ["https://auth.organisation.com/authenticate/oidcrp"],
    "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"],
    "pipe_id" : "optional_pipe_id",
    "jwt_headers" : {
        "kid" : ""
    },
    "jwt_claims" : {
        "secret_id": "{{{session.id}}}",
        "test_claim": "static_claim",
        "email": "{{{item.mail}}}",
        "nonce": "{{{request.nonce}}}"
    },
    "userinfo_claims" : {
        "secret_id": "{{{session.id}}}",
        "userinfo_claim_test": "static_claim",
        "email": "{{{item.mail}}}",
        "email_verified": true,
        "address": {
            "street_address": "my address", 
            "postal_code": "my postal code"
        },
        "given_name": "{{{item.givenName}}}",
        "subject": "{{{item.subject}}}"
    }
}]