OIDC Relying Party

About

This authenticator acts as an OpenID Connect Relying Party, communicating with an external OpenID Connect Provider (OP). It supports the OpenID Connect Authorization Code Flow.

Configuration

Authenticator Type: OIDCRP | OIDCAuthCodeFlowRP

Common Authenticator configuration can be found here.

Name | Description | Default value | Mandatory
--- | --- | --- | ---
discovery_metadata_url | URL to the external OP. | N/A |
internal_http_destination | ID of the internal HTTP client used to communicate with the external OP. | N/A |
custom_identifier | Custom identifier to be set in the event logging entry. | N/A |
client_id | Client id used when communicating with the OP. | N/A |
client_secret | Client secret used when communicating with the OP token endpoint. | N/A |
redirect_uri | Redirect URI used when communicating with the OP. | N/A |
scope | OIDC scope used when communicating with the OP. | "openid" |
enable_user_info_lookup | Whether the userinfo endpoint should be contacted. (The userinfo endpoint must also be part of the discovery metadata.) | true |
jwt_subject_parameter | JWT parameter used as subject/username. | "sub" |
use_raw_claims | Whether the collected claims should be presented "raw" on the global state object. Otherwise the claims will be "stringified". | false |
id_token_header_prefix | Prefix to use for the id_token header claims. | "" |
id_token_payload_prefix | Prefix to use for the id_token payload claims. | "" |
userinfo_prefix | Prefix to use for the userinfo claims. | "" |
disable_nonce | Disables sending a nonce as part of the requests. | false |

Logging

On a successful authentication, an event is logged containing the following:

  • WEB_100021

  • IDENTIFIER (user traceid)

  • SOURCE_SERVICE_NAME (issuer from metadata)

  • SOURCE_USER_NAME (jwt_subject_parameter from any of the claims)

  • SOURCE_ADDRESS (user IP address)

  • CUSTOMER_IDENTIFIER (custom_identifier if configured)

Data exposed to global state

After successful validation, data stored in the global state are:

  • id_token header claims

  • id_token payload claims

  • userinfo claims
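As an added illustration of how the configuration options above shape id_token validation and the data placed on the global state (example code written for this page, not the authenticator's own implementation), the following Python models the checks a relying party performs after the authorization code exchange. The configuration values, issuer and claims are constructed placeholders, signature verification of the id_token is assumed to have already happened, and JSON-encoding non-string claims is an assumed reading of "stringified".

```python
import json
from typing import Any, Dict, Optional

# Constructed values standing in for the authenticator configuration
# documented above; nothing here comes from a real deployment.
CONFIG = {
    "client_id": "example-rp", "jwt_subject_parameter": "sub",
    "use_raw_claims": False, "disable_nonce": False, "enable_user_info_lookup": True,
    "id_token_header_prefix": "hdr_", "id_token_payload_prefix": "idt_",
    "userinfo_prefix": "ui_",
}
METADATA = {"issuer": "https://op.example"}              # fetched via discovery_metadata_url
SAMPLE_HEADER = {"alg": "RS256", "kid": "k1"}            # header of a signature-verified id_token
SAMPLE_PAYLOAD = {"iss": "https://op.example", "aud": "example-rp",
                  "sub": "alice", "nonce": "n-1", "exp": 1700000000}
SAMPLE_USERINFO = {"email": "alice@example.test", "groups": ["staff", "admins"]}

def validate_id_token(payload: Dict[str, Any], metadata: Dict[str, Any],
                      config: Dict[str, Any], sent_nonce: Optional[str]) -> str:
    """Check iss, aud and nonce of a verified id_token payload; return the configured subject claim."""
    if payload.get("iss") != metadata["issuer"]:
        raise ValueError("issuer does not match discovery metadata")
    aud = payload.get("aud")
    if config["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token was not issued for this client_id")
    if not config["disable_nonce"]:
        # The nonce echoed in the id_token must equal the one sent in the
        # authorization request; disable_nonce=true gives up this replay binding.
        if sent_nonce is None or payload.get("nonce") != sent_nonce:
            raise ValueError("nonce mismatch")
    subject = payload.get(config["jwt_subject_parameter"])
    if subject is None:
        raise ValueError("subject claim missing from id_token")
    return subject

def build_global_state(header, payload, userinfo, config) -> Dict[str, Any]:
    """Prefix each claim set; with use_raw_claims false, non-string values are JSON-encoded (assumed)."""
    def expose(claims, prefix):
        return {prefix + k: v if config["use_raw_claims"] or isinstance(v, str)
                else json.dumps(v) for k, v in claims.items()}
    state = {**expose(header, config["id_token_header_prefix"]),
             **expose(payload, config["id_token_payload_prefix"])}
    if config["enable_user_info_lookup"]:
        state.update(expose(userinfo, config["userinfo_prefix"]))
    return state

def process_login(sent_nonce: str = "n-1") -> Dict[str, Any]:
    subject = validate_id_token(SAMPLE_PAYLOAD, METADATA, CONFIG, sent_nonce)
    return {"subject": subject,
            "state": build_global_state(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_USERINFO, CONFIG)}
```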