Implicit Flow
Authenticator handling implicit flows in OIDC.
About
This authenticator performs no identification itself. It acts as a controller for issuing JSON Web Tokens (JWT). It is typically the first point of contact for an OpenID Connect Relying Party requesting identification.
This authentication controller can be considered a start and end touch point. The main purpose is to handle OpenID Connect specifics.
Actual user identification is done elsewhere.
When using this authenticator, the ID token is returned in the response.
Configuration
Authenticator Type: OIDCImplicitFlow
Common Authenticator configuration can be found here.
Name | Description | Default value | Mandatory |
---|---|---|---|
| List of authenticators performing the actual authentication. | N/A | |
| Access token time to live in milliseconds. |
| |
| Keystore reference or JSON object containing key store configuration. Used for JWT signing. | N/A | |
| Keystore password. | N/A | |
| Keystore alias. | N/A | |
| N/A | ||
| Required parameters. |
|
Relying party Configuration
Name | Description | Default value | Mandatory |
---|---|---|---|
| Used for identifying and authenticating the client. | N/A | |
| Used for identifying and authenticating the client. | N/A | |
| Redirect location where the authorization code or JWT should be sent. | N/A | |
| Redirect location after logout. | N/A | |
| Pipe reference. Pipe is run after user authentication. Used for collecting user data. | N/A | |
| ID token headers configured per RP. Previous parameter name | N/A | |
| ID token claims configured per RP. Previous parameter name | N/A | |
| Access Token claims configured per RP. Previous parameter name | N/A |
Logging
On a successful authentication, an event is logged containing the following:
WEB_100101
IDENTIFIER (user traceid)
DESTINATION_SERVICE_NAME (redirect URI)
SOURCE_ADDRESS (user IP address)
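Because the ID token is delivered to the redirect URI, the DESTINATION_SERVICE_NAME field of this event records where a token was sent. The following is an added example, not product code, that reviews WEB_100101 events for destinations missing from the registered redirect URIs and for a trace id seen from more than one source address. The key=value log layout, the sample lines and the registered URI are assumptions; only the event id and the three field names come from this page.

```python
import re
from collections import defaultdict

# Assumption: redirect URIs registered for the relying parties (hypothetical value).
REGISTERED_REDIRECT_URIS = {"https://rp.example.com/callback"}

# Constructed sample lines. The key=value layout is an assumption; adapt the
# parser to the log format your deployment actually produces.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z EVENT=WEB_100101 IDENTIFIER=t-1001 SOURCE_ADDRESS=192.0.2.10 DESTINATION_SERVICE_NAME=https://rp.example.com/callback
2024-05-01T10:00:05Z EVENT=WEB_100101 IDENTIFIER=t-1002 SOURCE_ADDRESS=192.0.2.11 DESTINATION_SERVICE_NAME=https://old-rp.example.com/callback
2024-05-01T10:00:09Z EVENT=WEB_100101 IDENTIFIER=t-1001 SOURCE_ADDRESS=198.51.100.7 DESTINATION_SERVICE_NAME=https://rp.example.com/callback
2024-05-01T10:00:12Z EVENT=WEB_999999 IDENTIFIER=t-1003 SOURCE_ADDRESS=192.0.2.12 DESTINATION_SERVICE_NAME=https://unrelated.example/
malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")
REQUIRED = ("IDENTIFIER", "SOURCE_ADDRESS", "DESTINATION_SERVICE_NAME")


def parse_events(text):
    """Yield field dicts for well-formed WEB_100101 lines only."""
    for line in text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("EVENT") == "WEB_100101" and all(k in fields for k in REQUIRED):
            yield fields


def review(text, registered=REGISTERED_REDIRECT_URIS):
    """Return (unregistered destinations, trace ids seen from several addresses)."""
    unregistered, sources = [], defaultdict(set)
    for ev in parse_events(text):
        # Exact string comparison: no prefix or normalised matching.
        if ev["DESTINATION_SERVICE_NAME"] not in registered:
            unregistered.append((ev["IDENTIFIER"], ev["DESTINATION_SERVICE_NAME"]))
        sources[ev["IDENTIFIER"]].add(ev["SOURCE_ADDRESS"])
    multi = {tid: sorted(addrs) for tid, addrs in sources.items() if len(addrs) > 1}
    return unregistered, multi


if __name__ == "__main__":
    bad_dest, multi_src = review(SAMPLE_LOG)
    print("unregistered destinations:", bad_dest)
    print("trace ids from several addresses:", multi_src)
```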
Data sent to PIPE
All data put into the shared authentication state along with the HTTP headers are exposed and sent into the pipe.
Data put into the state by this authenticator is:
OIDC request data
Expected data from PIPE
In order to use data from PIPE the response must contain one item. All data from that item will be available when creating the ID token and access token.