Skip to Content

OpenID Connect security provider in Jitterbit App Builder

The OpenID Connect security provider enables support for OpenID Connect 1.0. The security provider is capable of both authenticating users and authorizing web service requests.

The following data source types support OpenID Connect:

  • REST

  • OData

  • RDBMS (limited to supported CData providers)

Configuration

The OpenID Connect security provider supports the OpenID Connect Discovery protocol.

At a minimum, OpenID Connect requires:

  • Client credentials (client_id and client secret).

  • OpenID Connect Issuer endpoint.

Authentication

The authentication properties determine the OAuth grant and authentication schemes.

  • Authentication Type: OpenID Connect.

  • Token Owner: Determines whether tokens are issued to individual users or to the client system. Options include:

    • User: Tokens are issued to individual users.

    • Client: Tokens are issued to the client system.

  • Token Delete On Sign Out: When enabled, App Builder deletes the stored token when the user logs out. Default: Disabled.

Endpoints

Type Description
OpenID Connect Issuer The Issuer endpoint is used to resolve the Discovery endpoint and validate the security token. The Discovery document will be retrieved from the path /.well-known/openid-configuration beneath the Issuer endpoint.

Properties

The OpenID Connect security provider supports the following additional parameters:

Parameter Default
ExpiresIn Access token expiry in seconds. Can be used if the token endpoint does not provide an expiry and the the resource server does not return a 401 Unauthorized response when the access token has expired.
LogPII False Indicates that personally identifiable information (PII) should be logged. This setting takes effect on startup.
ReplaceIssuerTenantId False Indicates whether the issuer should be transformed, replacing the tenant ID placeholder with a claim value. This is a compatibility shim for Microsoft issuers which may contain a {tenantid} placeholder.
Scopes openid profile Whitespace delimited list of OpenID Connect scopes.
RefreshRequiresScopes False Indicates whether the scopes (scope) should be included in the request body sent to the token endpoint when refreshing the access token.

Claims

OpenID Connect security tokens are JSON Web Tokens (JWT). JWTs consist of a collection of claims. The standard OpenID Connect claims are documented here:

https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

The following table describes the default claim mappings:

Identifier Purpose Description
sub Name Identifier Unique, immutable identifier used to map the third-party identity to an App Builder user.
preferred_username Name User name.
name Full Name Full name.
nickname Display Name Friendly name.
email Email Address Email address.
phone_number Phone Number Phone number.