/
Identity provider - OpenID Connect

Identity provider - OpenID Connect

Mar 03, 2023

AVAILABLE IN 9.7.6 AND LATER

Overview

OpenID Connect is an open standard identity layer on top of the OAuth 2.0 protocol, it allows third-party applications to verify the identity of the end-user and to obtain basic user profile information. The Verba system only utilizes the Login ID of the authenticated user.

Verba supports the Authorization Code Flow:

  1. The user opens the Verba web interface and types the Login ID

  2. The Verba web interface offers the OpenID Connect authentication
  3. The user chooses the OpenID Connect and the browser is redirected to the Authorization Server
  4. The user authenticates itself and is redirected back to the Verba web interface with the Authorization Code

  5. The Verba back-end requests an ID Token using the Authorization Code at the Token Endpoint

  6. The Verba Web Application validates the ID Token and the user is logged into the application

Configuration


Item Description
Client ID
The Verba web interface will use this Client ID to request the ID Token
Client Secret
The Verba web interface will use this Client Secret to request the ID Token
Authentication Request URL

The Authorization Server URL

Authentication Request - response_type parameterUsually should be set to "code"
Authentication Request - scope parameterUsually should be set to "openid"
Authentication Request - login hint parameter name
Login Hint parameter name that will be passed to the Authorization Server (optional)

Token Request URL

The Token Request URL

Token Request - grant_type parameterUsually should be set to "authorization_code"
Token Request - AuthenticationThe authentication method of the Token Request (BASIC or POST body parameters)
ID Token AttributeWhich ID Token Attribute should be used to look up the Verba user (usually "sub")
Verify the state parameter

Should the "state" parameter be passed and verified in the response?
All modern OpenID Connect providers should support the state parameter

Verify the nonce claim

Should the "nonce" parameter be passed and verified in the token?
All modern OpenID Connect providers should support the state parameter

Authorization Endpoint HTTPS CertificateOnly set if the Authorization Endpoint's HTTPS Certificate is not trusted by Java running the Verba web application