OpenID Connect
Overview
OpenID Connect (OIDC) is an authentication layer that sits on top of OAuth 2.0. Infiniti supports the use of OpenID Connect to handle authentication.
Configuration
OpenID Connect configuration options are set in the appsettings.json file.
"Authentication": {
"OpenIDConnect": {
"ClientId": "...",
"ClientSecret": "...",
"Authority": "...",
"MetadataAddress": "...",
"Scope", "..."
}
}
Attributes
| Attribute | Description |
|---|---|
| ClientId | Required, Unique id that represents this application. |
| ClientSecret | Optional, shared secret to prove the request comes from right app. |
| Authority | Required, URL to redirect to the identity provider. eg. Google https://accounts.google.com/, Azure https://login.microsoftonline.com/{tenant} |
| MetadataAddress | Optional, URL to the configuration documentation. This configures the authentication. The web server must be able to request this URL. If empty the OpenId Connect standard of appending ".well-known/opened-configuration" to the "Authority" value is followed. |
| Scope | Optional, The types of claims to request from the IDP. By default only "opened" is requested. If this configuration has a value then the first value must be "openid". Other values are space delimited eg "openid profile email" |
IDP Setup
The return URL is often validated against the URL that is entered in the IDP configuration. Infiniti will set the return URL to the address the user browsed to the site on. Typically https://server/produce or http://server/manage.
OpenID Connect typically requires HTTPS to be enabled on the IDP site and Infiniti. Not having HTTPS enabled on Infiniti can cause a redirect loop.
The default claims that are supported are sub, name, email, given_name, family_name, phone_number. Others can be mapped in Manage > Settings > User Profile Mapping.
Note
AzureAD groups are not yet supported
Updated over 6 years ago