/
Identity provider - OpenID Connect

Identity provider - OpenID Connect

Sept 28, 2022

Available in 9.7.6 and later

Overview

OpenID Connect is an open standard identity layer on top of the OAuth 2.0 protocol, it allows third-party applications to verify the identity of the end-user and to obtain basic user profile information. The Verba system only utilizes the Login ID of the authenticated user.

Verba supports the Authorization Code Flow:

  1. The user opens the Verba web interface and types the Login ID

  2. The Verba web interface offers the OpenID Connect authentication

  3. The user chooses the OpenID Connect and the browser is redirected to the Authorization Server

  4. The user authenticates itself and is redirected back to the Verba web interface with the Authorization Code

  5. The Verba back-end requests an ID Token using the Authorization Code at the Token Endpoint

  6. The Verba Web Application validates the ID Token and the user is logged into the application

Configuration

 

Item

 Description

Item

 Description

Client ID

The Verba web interface will use this Client ID to request the ID Token

Client Secret

The Verba web interface will use this Client Secret to request the ID Token

Authentication Request URL

The Authorization Server URL

Authentication Request - response_type parameter

Usually should be set to "code"

Authentication Request - scope parameter

Usually should be set to "openid"

Authentication Request - login hint parameter name

Login Hint parameter name that will be passed to the Authorization Server (optional)

Token Request URL

The Token Request URL

Token Request - grant_type parameter

Usually should be set to "authorization_code"

Token Request - Authentication

The authentication method of the Token Request (BASIC or POST body parameters)

ID Token Attribute

Which ID Token Attribute should be used to look up the Verba user (usually "sub")

Verify the state parameter

Should the "state" parameter be passed and verified in the response?
All modern OpenID Connect providers should support the state parameter

Verify the nonce claim

Should the "nonce" parameter be passed and verified in the token?
All modern OpenID Connect providers should support the state parameter

Authorization Endpoint HTTPS Certificate

Only set if the Authorization Endpoint's HTTPS Certificate is not trusted by Java running the Verba web application