How to configure PhenixID Authentication Services as an OpenIDConnect Provider (OP) - using Authorization Code Flow

This document describes how to set up PhenixID Authentication Services as an OpenIDConnect Provider (OP) using the OIDC Authorization Code Flow. It is recommended to read through this document before you start to configure the service.

Add a keystore for signing tokens

Use this scenario to upload a keystore for token signing.

Add relying party trust configuration

- Login to Configuration Manager

- Click Advanced

- Click the pen to the right of OIDC_RP

- Add the relying party configuration. Example:

{
	"id": "myApp",
	"name": "MyApp OpenID Connect RP",
	"displayName": "MyApp Relying Party",
	"password": "password",
	"allowedRedirects": [
		"https://demo.phenixid.net/myApp/myapp.html"
	]
}

Parameters explained:

Name              Description
id                The id of the relying party (client_id)
name              Name of the relying party
displayName       Display name of the relying party
password          Client password (client_secret)
allowedRedirects  One or more allowed redirect URLs (redirect_uri)

Add authorization endpoint

Add the authorization endpoint by adding an HTTP authenticator of type OIDC. A list of OIDC authenticators can be found here.

In this example, a PhenixID OneTouch authenticator has been used.

{
	"alias": "oidc_authz_endpoint",
	"name": "OIDCUidOneTouch",
	"configuration": {
		"pipeID": "PipeOIDCAuthorization",
		"enableHoneypot": "false",
		"allowedRP": [
			"myApp"
		]
	},
	"id": "oidc_authz_endpoint"
}

In the example above, the authorization endpoint can be reached at https://<pas_server>/oidc/authenticate/oidc_authz_endpoint

Add authorization pipe

Add pipe for authorization.

{
	"id": "PipeOIDCAuthorization",
	"valves": [
		{
			"name": "InputParameterExistValidatorValve",
			"enabled": "true",
			"config": {
				"param_name": "username"
			}
		},
		{
			"name": "ItemCreateValve",
			"config": {
				"dest_id": "dummy"
			}
		},
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}",
				"require_session": "true"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "redirect_uri",
				"value": "{{request.redirect_uri}}"
			}
		},
		{
			"name": "UUIDCreateValve",
			"enabled": "true",
			"config": {
				"name": "code"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "state",
				"value": "{{request.state}}"
			}
		},
		{
			"name": "SessionClearAllAliasValve",
			"config": {}
		},
		{
			"name": "SessionBindValve",
			"config": {
				"alias": "{{item.code}}"
			}
		},
		{
			"name": "PropertyKeepValve",
			"config": {
				"name": "redirect_uri,state,code"
			}
		}
	],
	"created": "2017-12-21T09:53:46.595Z"
}

Add token endpoint

Enable HTTP API module

- Open Modules

- Add the HTTP authentication API module (or edit it if it already exists in your configuration).

{
	"module": "com.phenixidentity~phenix-api-authenticate",
	"enabled": "true",
	"config": {
		"tenant": [
			{
				"id": "myApp",
				"displayName": "myApp RP token endpoint",
				"allowedOperation": [
					"collectJWT"
				]
			}
		]
	},
	"id": "http-auth-api"
}

- Stage Changes, Commit Changes

- Open System nodes

- Add http-auth-api to module_refs

"module_refs": "http-auth-api,5b7efbf4-1cae-485c-811f-5bded1de0757..."

Add pipe for token creation

Add this pipe. The pipe id must match the "allowedOperation" value used in the HTTP API module configuration, in this example collectJWT.

Change the keystore parameter below to suit your environment.

{
	"id": "collectJWT",
	"valves": [
		{
			"name": "SessionResolveValve",
			"config": {
				"alias": "{{request.code}}",
				"require_session": "true",
				"require_auth_session": "false"
			}
		},
		{
			"name": "SessionDumpToLog",
			"config": {}
		},
		{
			"name": "ItemCreateValve",
			"config": {
				"dest_id": "test"
			}
		},
		{
			"name": "OIDCTokenRequestValidationValve",
			"config": {}
		},
		{
			"name": "GenerateJWTTokenVavle",
			"config": {
				"subjectattribute": "{{session.user_id}}",
				"keystore": "e7751374-5207-4ce7-b159-de059438f32a"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "redirect_uri",
				"value": "{{request.redirect_uri}}"
			}
		},
		{
			"name": "UUIDCreateValve",
			"enabled": "true",
			"config": {
				"name": "access_token"
			}
		},
		{
			"name": "SessionClearAllAliasValve",
			"config": {
				"_comment": "Only needed if access_token is to be returned"
			}
		},
		{
			"name": "SessionBindValve",
			"config": {
				"alias": "{{item.access_token}}",
				"_comment": "Only needed if access_token is to be returned"
			}
		}
	],
	"created": "2017-11-13T09:53:46.595Z"
}

The token endpoint can be reached at https://<pas_server>/api/authentication/collectJWT

For more information about the valves used in this configuration, please see this page.