Implicit Flow

Authenticator handling implicit flows in OIDC.

About

No identification is done by this authenticator. It acts as a controller for issuing Json Web Tokens (JWT). Typically this authenticator is the first point of contact coming from an OpenID Connect Relying Party, requesting identification.

This authentication controller can be considered a start and end touch point. The main purpose is to handle OpenID Connect specifics.

Actual user identification is done elsewhere.

When using this authenticator, the ID token is returned in the response.

Configuration

Authenticator Type: OIDCImplicitFlow

Common Authenticator configuration can be found here.

Name Description Default value Mandatory

Name	Description	Default value
`required_authenticators`	List of authenticators performing the actual authentication.	N/A
`userinfo_endpoint_ttl`	Access token time to live in millisesonds.	`60000`
`keystore`	Keystore reference or json object containing key store configuration. Used for JWT signing.	N/A
`sign_jwt_keystore_password`	Keystore password.	N/A
`sign_jwt_keystore_alias`	Keystore alias.	N/A
`rps`	List of relying parties. Must include at least one relying party.	N/A
`required_request_parameters`	Required parameters.	`["response_type", "client_id", "redirect_uri", "scope", "nonce"]`

required_authenticators

List of authenticators performing the actual authentication.

N/A

userinfo_endpoint_ttl

Access token time to live in millisesonds.

60000

keystore

Keystore reference or json object containing key store configuration. Used for JWT signing.

N/A

sign_jwt_keystore_password

Keystore password.

N/A

sign_jwt_keystore_alias

Keystore alias.

N/A

rps

List of relying parties. Must include at least one relying party.

N/A

required_request_parameters

Required parameters.

["response_type", "client_id", "redirect_uri", "scope", "nonce"]

{
    "id": "auth00",
    "type": "OIDCImplicitFlow",
    "config": {
        "base_path": "/test/authn",
        "failure_location": "/authn/failure.html",
        "required_authenticators": [{
            "id" : "auth01",
            "required" : true
        }],
        "userinfo_endpoint_ttl" : 90000,
        "required_request_parameters": ["response_type", "client_id", "redirect_uri", "scope", "nonce"],
        "keystore" : {
            "path" : "/fortified_test/keystore.p12",
            "password" : "secret",
            "type" : "PKCS12"
        },
        "sign_jwt_keystore_password" : "secret",
        "sign_jwt_keystore_alias" : "jwt",
        "rps" : [ {
            "client_id" : "provided",
            "client_secret" : "provided",
            "redirect_uri" : ["https://auth.organisation.com/authenticate/oidcrp"],
            "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"],
            "pipe_id" : "optional_pipe_id",
            "jwt_headers" : {
                "kid" : ""
            },
            "jwt_claims" : {
                "secret_id": "{{{session.id}}}",
                "test_claim": "static_claim",
                "email": "{{{item.mail}}}",
                "nonce": "{{{request.nonce}}}"
            },
            "userinfo_claims" : {
                "secret_id": "{{{session.id}}}",
                "userinfo_claim_test": "static_claim",
                "email": "{{{item.mail}}}",
                "email_verified": true,
                "address": {
                    "street_address": "my address", 
                    "postal_code": "my postal code"
                },
                "given_name": "{{{item.givenName}}}",
                "subject": "{{{item.subject}}}"
            }
        }]
    }
}

Relying party Configuration

Name Description Default value Mandatory

Name	Description	Default value
`client_id`	Used for identifying and authenticating the client.	N/A
`client_secret`	Used for identifying and authenticating the client.	N/A
`redirect_uri`	Redirect location where the authorization code or JWT should be sent.	N/A
`post_logout_redirect_uris`	Redirect location after logout.	N/A
`pipe_id`	Pipe reference. Pipe is run after user authentication. Used for collecting user data.	N/A
`id_token_headers`	ID token headers configured per RP. Previous parameter name `jwt_headers` is deprecated.	N/A
`id_token_claims`	ID token claims configured per RP. Previous parameter name `jwt_claims` is deprecated.	N/A
`access_token_claims`	Access Token claims configured per RP. Previous parameter name `userinfo_claims` is deprecated.	N/A

client_id

Used for identifying and authenticating the client.

N/A

client_secret

Used for identifying and authenticating the client.

N/A

redirect_uri

Redirect location where the authorization code or JWT should be sent.

N/A

post_logout_redirect_uris

Redirect location after logout.

N/A

pipe_id

Pipe reference. Pipe is run after user authentication. Used for collecting user data.

N/A

id_token_headers

ID token headers configured per RP. Previous parameter name jwt_headers is deprecated.

N/A

id_token_claims

ID token claims configured per RP. Previous parameter name jwt_claims is deprecated.

N/A

access_token_claims

Access Token claims configured per RP. Previous parameter name userinfo_claims is deprecated.

N/A

"rps" : [{
    "client_id" : "provided",
    "client_secret" : "provided",
    "redirect_uri" : ["https://auth.organisation.com/authenticate/oidcrp"],
    "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"],
    "pipe_id" : "optional_pipe_id",
    "jwt_headers" : {
        "kid" : ""
    },
    "jwt_claims" : {
        "secret_id": "{{{session.id}}}",
        "test_claim": "static_claim",
        "email": "{{{item.mail}}}",
        "nonce": "{{{request.nonce}}}"
    },
    "userinfo_claims" : {
        "secret_id": "{{{session.id}}}",
        "userinfo_claim_test": "static_claim",
        "email": "{{{item.mail}}}",
        "email_verified": true,
        "address": {
            "street_address": "my address", 
            "postal_code": "my postal code"
        },
        "given_name": "{{{item.givenName}}}",
        "subject": "{{{item.subject}}}"
    }
}]

Logging

On a successful authentication, an event is logged containing the following:

WEB_100101
IDENTIFIER (user traceid)
DESTINATION_SERVICE_NAME (redirect URI)
SOURCE_ADDRESS (user IP address)

Data sent to PIPE

All data put into the shared authentication state along with the HTTP headers are exposed and sent into the pipe.

Data put into the state by this authenticator is:

OIDC request data

Expected data from PIPE

In order to use data from PIPE the response must contain one item. All data from that item will be available when creating the ID token and access token.

PreviousAuthorization Code Flow NextOIDC Relying Party

Last updated 8 months ago