How to configure PhenixID Authentication Services as an OpenIDConnect Provider (OP) - using Authorization Code Flow
This document describes how to set up PhenixID Authentication Services as an OpenID Connect Provider (OP) using the OIDC Authorization Code Flow. It is recommended to read through this document before you start to configure the service.
Add a keystore for signing tokens
Use this scenario to upload a keystore for token signing.
Add relying party trust configuration
- Login to Configuration Manager
- Click Advanced
- Click the pen to the right of OIDC_RP
- Add the relying party configuration. Example:
{
  "id": "myApp",
  "name": "MyApp OpenID Connect RP",
  "displayName": "MyApp Relying Party",
  "password": "password",
  "allowedRedirects": [
    "https://demo.phenixid.net/myApp/myapp.html"
  ]
}
Parameters explained:
| Name | Description |
|---|---|
| id | The id of the relying party (client_id) |
| name | Name of the relying party |
| displayName | Display name of the relying party |
| password | Client password (client_secret) |
| allowedRedirects | One or more allowed URLs (redirect_uri) |
Add authorization endpoint
Add the authorization endpoint by adding an HTTP authenticator of type OIDC. A list of OIDC authenticators can be found here.
In this example, a PhenixID OneTouch authenticator has been used.
{
  "alias": "oidc_authz_endpoint",
  "name": "OIDCUidOneTouch",
  "configuration": {
    "pipeID": "PipeOIDCAuthorization",
    "enableHoneypot": "false",
    "allowedRP": [
      "myApp"
    ]
  },
  "id": "oidc_authz_endpoint"
}
In the example above, the authorization endpoint can be reached at https://<pas_server>/oidc/authenticate/oidc_authz_endpoint
Add authorization pipe
Add pipe for authorization.
{
  "id": "PipeOIDCAuthorization",
  "valves": [
    {
      "name": "InputParameterExistValidatorValve",
      "enabled": "true",
      "config": {
        "param_name": "username"
      }
    },
    {
      "name": "ItemCreateValve",
      "config": {
        "dest_id": "dummy"
      }
    },
    {
      "name": "SessionLoadValve",
      "config": {
        "id": "{{request.session_id}}",
        "require_session": "true"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "redirect_uri",
        "value": "{{request.redirect_uri}}"
      }
    },
    {
      "name": "UUIDCreateValve",
      "enabled": "true",
      "config": {
        "name": "code"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "state",
        "value": "{{request.state}}"
      }
    },
    {
      "name": "SessionClearAllAliasValve",
      "config": {}
    },
    {
      "name": "SessionBindValve",
      "config": {
        "alias": "{{item.code}}"
      }
    },
    {
      "name": "PropertyKeepValve",
      "config": {
        "name": "redirect_uri,state,code"
      }
    }
  ],
  "created": "2017-12-21T09:53:46.595Z"
}
Add token endpoint
Enable HTTP API module
- Open Modules
- Add the HTTP authentication API module (or edit it if it already exists in your configuration).
{
  "module": "com.phenixidentity~phenix-api-authenticate",
  "enabled": "true",
  "config": {
    "tenant": [
      {
        "id": "myApp",
        "displayName": "myApp RP token endpoint",
        "allowedOperation": [
          "collectJWT"
        ]
      }
    ]
  },
  "id": "http-auth-api"
}
- Stage Changes, Commit Changes
- Open System nodes
- Add http-auth-api to module_refs
"module_refs": "http-auth-api,5b7efbf4-1cae-485c-811f-5bded1de0757..."
Add pipe for token creation
Add this pipe. The pipe id must match the "allowedOperation" value used in the HTTP API module configuration, in this example collectJWT.
Change the keystore parameter below to suit your environment.
{
  "id": "collectJWT",
  "valves": [
    {
      "name": "SessionResolveValve",
      "config": {
        "alias": "{{request.code}}",
        "require_session": "true",
        "require_auth_session": "false"
      }
    },
    {
      "name": "SessionDumpToLog",
      "config": {}
    },
    {
      "name": "ItemCreateValve",
      "config": {
        "dest_id": "test"
      }
    },
    {
      "name": "OIDCTokenRequestValidationValve",
      "config": {}
    },
    {
      "name": "GenerateJWTTokenVavle",
      "config": {
        "subjectattribute": "{{session.user_id}}",
        "keystore": "e7751374-5207-4ce7-b159-de059438f32a"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "redirect_uri",
        "value": "{{request.redirect_uri}}"
      }
    },
    {
      "name": "UUIDCreateValve",
      "enabled": "true",
      "config": {
        "name": "access_token"
      }
    },
    {
      "name": "SessionClearAllAliasValve",
      "config": {"_comment": "Only needed if access_token is to be returned"}
    },
    {
      "name": "SessionBindValve",
      "config": {
        "alias": "{{item.access_token}}",
        "_comment": "Only needed if access_token is to be returned"
      }
    }
  ],
  "created": "2017-11-13T09:53:46.595Z"
}
The token endpoint can be reached at https://<pas_server>/api/authentication/collectJWT
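As an added example (not PhenixID's code), this is the relying-party side of the flow against the two endpoints configured above: it builds the authorization request with a per-login state, checks that the callback arrives on the registered redirect_uri with that same state before accepting the code, and prepares the back-channel token request. The <pas_server> host name, the scope value and the standard OIDC token-request parameter names are assumptions; the page only shows that the collectJWT pipe reads request.code and request.redirect_uri.

```python
# Added example, not PhenixID code. Assumptions: PAS_SERVER is a placeholder
# host, and the token endpoint accepts the standard OIDC form parameters.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

PAS_SERVER = "pas.example.internal"  # placeholder for <pas_server>
AUTHZ_ENDPOINT = f"https://{PAS_SERVER}/oidc/authenticate/oidc_authz_endpoint"
TOKEN_ENDPOINT = f"https://{PAS_SERVER}/api/authentication/collectJWT"
CLIENT_ID = "myApp"  # "id" in the OIDC_RP configuration
REDIRECT_URI = "https://demo.phenixid.net/myApp/myapp.html"  # allowedRedirects


def new_state() -> str:
    """Unguessable per-login value the RP stores in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state: str) -> str:
    """Front-channel request handled by the OIDC authenticator / PipeOIDCAuthorization."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the code from the redirect back to the RP, or reject the callback.

    The callback must land on the registered redirect_uri and echo the state
    this RP issued; anything else is treated as a forged or replayed callback.
    """
    got, reg = urlsplit(callback_url), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (reg.scheme, reg.netloc, reg.path):
        raise ValueError("callback did not arrive on the registered redirect_uri")
    qs = parse_qs(got.query)
    if qs.get("state") != [expected_state]:
        raise ValueError("state mismatch: not a login this RP started")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def token_request_body(code: str, client_secret: str) -> dict:
    """Back-channel POST body for TOKEN_ENDPOINT (assumed standard parameters)."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": client_secret}
```

The POST itself is left to the RP's HTTP client; the bound session is resolved by SessionResolveValve from the code value sent here.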
For more information about the valves used in this configuration, please see this page.