OIDC Relying Party
Last updated
This authenticator acts as an OpenID Connect Relying Party, communicating with an external OpenID Connect Provider (OP). It supports the OpenID Connect Authorization Code Flow.
Authenticator Type: OIDCRP | OIDCAuthCodeFlowRP
Common Authenticator configuration can be found here.
Name | Description | Default value | Mandatory |
---|---|---|---|
discovery_metadata_url | URL to the external OP. | N/A | |
internal_http_destination | ID of the internal http client used to communicate with the external OP. | N/A | |
custom_identifier | Custom identifier to be set in the event logging entry. | N/A | |
client_id | Client id used when communicating with the OP. | N/A | |
client_secret | Client secret used when communicating with the OP token endpoint. | N/A | |
redirect_uri | Redirect URI used when communicating with the OP. | N/A | |
scope | OIDC scope used when communicating with the OP. | "openid" | |
enable_user_info_lookup | If the userinfo endpoint should be contacted. (The userinfo endpoint must also be part of the discovery metadata.) | true | |
jwt_subject_parameter | JWT parameter used as subject/username. | "sub" | |
use_raw_claims | If the collected claims should be presented "raw" on the global state object. Otherwise the claims will be "stringified". | false | |
id_token_header_prefix | Prefix to use for the id_token header claims. | "" | |
id_token_payload_prefix | Prefix to use for the id_token payload claims. | "" | |
userinfo_prefix | Prefix to use for the userinfo claims. | "" | |
disable_nonce | Disables sending nonce as part of the requests. | false | |

On a successful authentication, an event is logged containing the following:
WEB_100021
IDENTIFIER (user traceid)
SOURCE_SERVICE_NAME (issuer from metadata)
SOURCE_USER_NAME (jwt_subject_parameter from any of the claims)
SOURCE_ADDRESS (user IP address)
CUSTOMER_IDENTIFIER (custom_identifier if configured)

After successful validation, data stored in the global state are:
id_token header claims
id_token payload claims
userinfo claims
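As an added illustration (not the product's own code), the following Python models how the settings above shape what lands in the global state: jwt_subject_parameter resolved from any of the three claim sets, the nonce check that disable_nonce turns off, and the per-source prefixes with raw versus stringified values. The sample claims are constructed, and how the real authenticator resolves a name collision when no prefixes are set is an assumption here (last write wins).

```python
import json

# Constructed sample claims, as collected after the id_token has been
# validated and (optionally) the userinfo endpoint has been called.
ID_TOKEN_HEADER = {"alg": "RS256", "kid": "example-key-1"}
ID_TOKEN_PAYLOAD = {"iss": "https://op.example.test", "sub": "u-1234",
                    "aud": "rp-client", "nonce": "n-abc", "groups": ["staff"]}
USERINFO = {"sub": "u-1234", "email": "alice@example.test",
            "email_verified": True}


def resolve_subject(claim_sets, jwt_subject_parameter="sub"):
    """Return jwt_subject_parameter from the first claim set (header,
    payload, userinfo) that carries it, or None if no set has it."""
    for claims in claim_sets:
        if claims and jwt_subject_parameter in claims:
            return claims[jwt_subject_parameter]
    return None


def check_nonce(payload, expected_nonce, disable_nonce=False):
    """With nonce enabled, the id_token must echo the nonce sent in the
    authorization request; a missing or different value is a failure."""
    if disable_nonce:
        return True
    return payload.get("nonce") == expected_nonce


def build_global_state(header, payload, userinfo, *, use_raw_claims=False,
                       id_token_header_prefix="", id_token_payload_prefix="",
                       userinfo_prefix=""):
    """Flatten the claim sets into one dict, applying each source's prefix.
    Non-string values are JSON-stringified unless use_raw_claims is set.
    userinfo is None when enable_user_info_lookup is false. Without
    prefixes, equal names overwrite each other (assumed: last write wins)."""
    state = {}
    for prefix, claims in ((id_token_header_prefix, header),
                           (id_token_payload_prefix, payload),
                           (userinfo_prefix, userinfo or {})):
        for name, value in claims.items():
            if not use_raw_claims and not isinstance(value, str):
                value = json.dumps(value)
            state[prefix + name] = value
    return state
```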