OIDC

Acts as an OpenID Connect Provider.

Introduction

Can be configured in multiple instances allowing for multi tenancy.

Acts as an OpenID Connect provider. It acts as a controller for issuing Json Web Tokens (JWT). Typically the configured authenticator is the first point of contact coming from an OpenID Connect Relying Party, requesting identification.

Fortified Integrity have achieved certifications for five OpenID Provider conformance profiles. Read more about these profiles here: https://openid.net/certification/

OpenID Connect Provider Configuration

Module name: OIDCModule

Name Description Default value Mandatory

Name	Description	Default value
`http_context`	Base URI for the endpoints.	N/A
`http_port`	Port	N/A
`tenant_op_path`	A tenant specific path part of the endpoint URIs. Example: http://127.0.0.1:8080/oidc/tenant1/token-endpoint	N/A
`discovery_meta`	Discovery data presented at the OpenID Configuration endpoint.	N/A
`keystore`	Keystore reference or json object containing key store configuration. Used for JWT signing.	N/A
`sign_jwt_keystore_password`	Keystore password.	N/A
`sign_jwt_keystore_alias`	Keystore alias.	N/A
`rps`	List of relying parties. Must include at least one relying party.	N/A
`required_request_parameters`	Required request parameters for the token endpoint.	`["redirect_uri","code"]`
`code_verifier_hash_alg`	Hash algorithm used for Proof Key of Code Exchange (PKCE).	`"SHA-256"`
`use_refresh_token`	Set to `true` if using refresh tokens.	`false`

http_context

Base URI for the endpoints.

N/A

http_port

Port

N/A

tenant_op_path

A tenant specific path part of the endpoint URIs. Example: http://127.0.0.1:8080/oidc/tenant1/token-endpoint

N/A

discovery_meta

Discovery data presented at the OpenID Configuration endpoint.

N/A

keystore

Keystore reference or json object containing key store configuration. Used for JWT signing.

N/A

sign_jwt_keystore_password

Keystore password.

N/A

sign_jwt_keystore_alias

Keystore alias.

N/A

rps

List of relying parties. Must include at least one relying party.

N/A

required_request_parameters

Required request parameters for the token endpoint.

["redirect_uri","code"]

code_verifier_hash_alg

Hash algorithm used for Proof Key of Code Exchange (PKCE).

"SHA-256"

use_refresh_token

Set to true if using refresh tokens.

false

{
      "name": "OIDCModule",
      "enabled": true,
      "config":{
        "providers":[
            {
              "http_context" : "/oidc",
              "http_port" : 8080,
              "discovery_meta" : {
                  "issuer" : "http://192.168.50.228:8080/oidc/tenant1",
                  "authorization_endpoint" : "http://192.168.50.228:8080/test/authn/oidc",
                  "token_endpoint" : "http://192.168.50.228:8080/oidc/tenant1/token-endpoint",
                  "userinfo_endpoint" : "http://192.168.50.228:8080/oidc/tenant1/userinfo-endpoint",
                  "introspection_endpoint" : "http://192.168.50.228:8080/oidc/tenant1/introspection-endpoint",
                  "jwks_uri" : "http://192.168.50.228:8080/oidc/tenant1/.well-known/openid-configuration/jwks",
                  "end_session_endpoint" : "http://192.168.50.228:8080/test/authn/oidc/logout",
                  "scopes_supported" : [ "openid" ],
                  "response_types_supported" : [ "code" ],
                  "grant_types_supported" : [ "authorization_code" ],
                  "subject_types_supported" : [ "public" ],
                  "id_token_signing_alg_values_supported" : [ "RS256" ],
                  "token_endpoint_auth_methods_supported" : [ "client_secret_post", "client_secret_basic" ],
                  "claims_supported" : [ "iss", "ver", "sub", "given_name", "family_name" ],
                  "request_parameter_supported" : true
              },
              "tenant_op_path" : "/tenant1",
              "keystore" : {
                    "path" : "/fortified_test/keystore.p12",
                    "password" : "secret",
                    "type" : "PKCS12"
              },
              "sign_jwt_keystore_password" : "secret",
              "sign_jwt_keystore_alias" : "jwt",
              "rps" : [{
                    "client_id" : "provided",
                    "client_secret" : "provided",
                    "pipe_id":"optional_pipe_id",
                    "redirect_uri" : [ "https://auth.organisation.com/authenticate/oidcrp" ],
                    "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"]
              }]
        }]
      }
}

Relying party Configuration

Name Description Default value Mandatory

Name	Description	Default value
`client_id`	Used for identifying and authenticating the client.	N/A
`client_secret`	Used for identifying and authenticating the client.	N/A
`pipe_id`	Pipe reference. Pipe is run after user authentication. Used for collecting user data.	N/A
`redirect_uri`	Redirect location where the authorization code or JWT should be sent.	N/A
`post_logout_redirect_uris`	Redirect location after logout.	N/A

client_id

Used for identifying and authenticating the client.

N/A

client_secret

Used for identifying and authenticating the client.

N/A

pipe_id

Pipe reference. Pipe is run after user authentication. Used for collecting user data.

N/A

redirect_uri

Redirect location where the authorization code or JWT should be sent.

N/A

post_logout_redirect_uris

Redirect location after logout.

N/A

"rps" : [
    {
        "client_id" : "provided_1",
        "client_secret" : "provided_1",
        "pipe_id":"optional_pipe_id_1",
        "redirect_uri" : [ "https://auth.organisation.com/authenticate/oidcrp" ],
        "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"]
    },
    {
        "client_id" : "provided_2",
        "client_secret" : "provided_2",
        "pipe_id":"optional_pipe_id_2",
        "redirect_uri" : [ "https://auth.organisation.com/authenticate/oidcrp" ],
        "post_logout_redirect_uris" : ["https://auth.organisation.com/authenticate/oidcrp/loggedout"]
    }
]

PreviousSAMLModule NextOpenID Configuration endpoint

Last updated 6 months ago