OIDC Relying Party
About
This authenticator acts as an OpenID Connect Relying Party (RP), communicating with an external OpenID Connect Provider (OP). It supports the OpenID Connect Authorization Code Flow.
Configuration
Authenticator Type: OIDCRP | OIDCAuthCodeFlowRP
Common Authenticator configuration can be found here.
Name | Description | Default value | Mandatory
---|---|---|---
 | URL to the external OP. | N/A | 
 | ID of the internal HTTP client used to communicate with the external OP. | N/A | 
 | Custom identifier to be set in the event logging entry. | N/A | 
 | Client id used when communicating with the OP. | N/A | 
 | Client secret used when communicating with the OP token endpoint. | N/A | 
 | Redirect URI used when communicating with the OP. | N/A | 
 | OIDC scope used when communicating with the OP. | | 
 | If the userinfo endpoint should be contacted. (The userinfo endpoint must also be part of the discovery metadata.) | | 
 | JWT parameter used as subject/username. | | 
 | If the collected claims should be presented "raw" on the global state object. Otherwise the claims will be "stringified". | | 
 | Prefix to use for the id_token header claims. | | 
 | Prefix to use for the id_token payload claims. | | 
 | Prefix to use for the userinfo claims. | | 
 | Disables sending nonce as part of the requests. | | 
Logging
On a successful authentication, an event is logged containing the following:
WEB_100021
IDENTIFIER (user traceid)
SOURCE_SERVICE_NAME (issuer from metadata)
SOURCE_USER_NAME (jwt_subject_parameter from any of the claims)
SOURCE_ADDRESS (user IP address)
CUSTOMER_IDENTIFIER (custom_identifier if configured)
Data exposed to global state
After successful validation, data stored in the global state are:
id_token header claims
id_token payload claims
userinfo claims
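The following is an added illustration, not the product's own code, of how the three claim sets listed above could be mapped onto a flat global state using the configured prefixes, the "raw"/"stringified" switch, and a subject lookup across all claims as the logging section describes. The function names, the prefix values, the sample id_token and userinfo, and the choice of JSON as the "stringified" form are all assumptions; signature, issuer, audience and nonce validation are assumed to have happened before this step.

```python
import base64
import json


def _b64url(obj):
    """Base64url-encode a JSON object without padding, as JWT parts are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample id_token (header.payload.signature); the signature part is a
# placeholder because this example only covers the mapping step after validation.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "key-1"}),
    _b64url({"iss": "https://op.example.test", "sub": "u-123", "aud": "my-client",
             "nonce": "n-abc", "email": "alice@example.test"}),
    "sig",
])
# Constructed sample userinfo response.
SAMPLE_USERINFO = {"sub": "u-123", "name": "Alice", "groups": ["admins", "staff"]}


def _decode_part(part):
    """Decode one base64url JWT part, restoring the stripped padding."""
    part += "=" * (-len(part) % 4)
    return json.loads(base64.urlsafe_b64decode(part))


def build_global_state(id_token, userinfo, header_prefix, payload_prefix,
                       userinfo_prefix, raw_claims):
    """Flatten id_token header, id_token payload and userinfo claims into one dict.

    Each claim name is prefixed with its configured prefix. With raw_claims=False,
    non-string values are serialised as JSON (assumed "stringified" form).
    """
    header, payload = (_decode_part(p) for p in id_token.split(".")[:2])
    state = {}
    for prefix, claims in ((header_prefix, header), (payload_prefix, payload),
                           (userinfo_prefix, userinfo or {})):
        for name, value in claims.items():
            if not raw_claims and not isinstance(value, str):
                value = json.dumps(value)
            state[prefix + name] = value
    return state


def find_subject(id_token, userinfo, jwt_subject_parameter):
    """Return the configured subject claim from header, payload or userinfo (first hit)."""
    header, payload = (_decode_part(p) for p in id_token.split(".")[:2])
    for claims in (header, payload, userinfo or {}):
        if jwt_subject_parameter in claims:
            return claims[jwt_subject_parameter]
    return None
```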