Skip to Content

Security provider - OpenID Connect

The OpenID Connect security provider enables support for OpenID Connect 1.0. The security provider is capable of both authenticating users and authorizing web service requests.

The following data source types support OpenID Connect:

  • REST
  • OData
  • RDBMS (limited to supported CData providers)


The OpenID Connect security provider supports the OpenID Connect Discovery protocol.

At a minimum, OpenID Connect requires:

  • Client credentials (client_id and client secret)
  • OpenID Connect Issuer endpoint


The authentication properties determine the OAuth grant and authentication schemes.

  • Authentication Type: OpenID Connect
  • Token Owner: Determines whether tokens are issued to individual users or to the client system. Options include:
    • User - Tokens are issued to individual users.
    • Client - Tokens are issued to the client system.
  • Token Delete On Sign Out: When enabled, Vinyl deletes the stored token when the user logs out. Default: Disabled. Version: 3.3.34523+.


Type Description
OpenID Connect Issuer The Issuer endpoint is used to resolve the Discovery endpoint and validate the security token. The Discovery document will be retrieved from the path /.well-known/openid-configuration beneath the Issuer endpoint.


The OpenID Connect security provider supports the following additional parameters:

Parameter Default Example
ExpiresIn 3600 Access token expiry in seconds. Can be used if the token endpoint does not provide an expiry and the the resource server does not return a 401 Unauthorized response when the access token has expired.
LogPII False Indicates that personally identifiable information (PII) should be logged. This setting takes effect on startup.
ReplaceIssuerTenantId False Indicates whether the issuer should be transformed, replacing the tenant ID placeholder with a claim value. This is a compatibility shim for Microsoft issuers which may contain a {tenantid} placeholder.
Scopes openid profile Whitespace delimited list of OpenID Connect scopes.


OpenID Connect security tokens are JSON Web Tokens (JWT). JWTs consist of a collection of claims. The standard OpenID Connect claims are documented here:

The following table describes the default claim mappings:

Identifier Purpose Description
sub Name Identifier Unique, immutable identifier used to map the third-party identity to a Vinyl user.
preferred_username Name User name.
name Full Name Full name.
nickname Display Name Friendly name.
email Email Address Email address.
phone_number Phone Number Phone number.