Security Provider - OpenID Connect¶
The OpenID Connect security provider enables support for OpenID Connect 1.0. The security provider is capable of both authenticating users and authorizing web service requests.
The following data source types support OpenID Connect:
- REST
- OData
- RDBMS (limited to supported CData providers)
Configuration¶
The OpenID Connect security provider supports the OpenID Connect Discovery protocol.
At a minimum, OpenID Connect requires:
- Client credentials (client_id and client secret)
- OpenID Connect Issuer endpoint
Authentication¶
The authentication properties determine the OAuth grant and authentication schemes.
- Authentication Type: OpenID Connect
- Token Owner: Determines whether tokens are issued to individual users or to the client system. Options include:
- User - Tokens are issued to individual users.
- Client - Tokens are issued to the client system.
- Token Delete On Sign Out: When enabled, Vinyl deletes the stored token when the user logs out. Default: Disabled. Version: 3.3.34523+.
Endpoints¶
| Type | Description |
|---|---|
| OpenID Connect Issuer | The Issuer endpoint is used to resolve the Discovery endpoint and validate the security token. The Discovery document will be retrieved from the path /.well-known/openid-configuration beneath the Issuer endpoint. |
Properties¶
The OpenID Connect security provider supports the following additional parameters:
| Parameter | Default | Example | |
|---|---|---|---|
| ExpiresIn | 3600 | Access token expiry in seconds. Can be used if the token endpoint does not provide an expiry and the the resource server does not return a 401 Unauthorized response when the access token has expired. | |
| LogPII | False | Indicates that personally identifiable information (PII) should be logged. This setting takes effect on startup. | |
| ReplaceIssuerTenantId | False | Indicates whether the issuer should be transformed, replacing the tenant ID placeholder with a claim value. This is a compatibility shim for Microsoft issuers which may contain a {tenantid} placeholder. | |
| Scopes | openid profile | Whitespace delimited list of OpenID Connect scopes. |
Claims¶
OpenID Connect security tokens are JSON Web Tokens (JWT). JWTs consist of a collection of claims. The standard OpenID Connect claims are documented here:
https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
The following table describes the default claim mappings:
| Identifier | Purpose | Description |
|---|---|---|
| sub | Name Identifier | Unique, immutable identifier used to map the third-party identity to a Vinyl user. |
| preferred_username | Name | User name. |
| name | Full Name | Full name. |
| nickname | Display Name | Friendly name. |
| Email Address | Email address. | |
| phone_number | Phone Number | Phone number. |