OIDC Relying Party
About
This authenticator acts as an OpenID Connect Relying Party, communicating with an external OpenID Connect Provider (OP). Supports OpenID Connect Authorization Code Flow.
Configuration
Authenticator Type: OIDCRP | OIDCAuthCodeFlowRP
Common Authenticator configuration can be found here.
discovery_metadata_url
URL to the external OP.
N/A
internal_http_destination
ID of the internal http client used to communicate with the external OP.
N/A
custom_identifier
Custom identifier to be set inte the event logging entry
N/A
client_id
Client id used when communicating with the OP.
N/A
client_secret
Client secret used when communicating with the OP token endpoint.
N/A
redirect_uri
Redirect URI used when communicating with the OP.
N/A
scope
OIDC scope used when communicating with the OP.
"openid"
enable_user_info_lookup
If userinfo endpoint should be contacted. (The userinfo endpoint must also be part of the discovery metadata)
true
jwt_subject_parameter
JWT parameter used as
subject/username.
"sub"
use_raw_claims
If the collected claims should be presented "raw" on the global state object. Otherwise the claims will be "stringified".
false
id_token_header_prefix
Prefix to use for the id_token header claims.
""
id_token_payload_prefix
Prefix to use for the id_token payload claims.
""
userinfo_prefix
Prefix to use for the userinfo claims.
""
disable_nonce
Disables sending nonce as part of the requests.
false
Logging
On a successful authentication, an event is logged containing the following:
WEB_100021
IDENTIFIER (user traceid)
SOURCE_SERVICE_NAME (issuer from metadata)
SOURCE_USER_NAME (
jwt_subject_parameter
from any of the claims)SOURCE_ADDRESS (user IP address)
CUSTOMER_IDENTIFIER (
custom_identifier
if configured)
Data exposed to global state
After successful validation, data stored in the global state are:
id_token header claims
id_token payload claims
userinfo claims