OpenID Connect Discovery
  • 13 Feb 2025


Alongside auth code flow and mTLS, Itential Platform 6 has implemented support for OpenID Connect ("OIDC") Discovery. OIDC is an identity layer on top of OAuth 2.0 for authenticating and authorizing end-users when they log in to applications and websites. Discovery support simplifies connecting to an OpenID Provider: instead of entering each value by hand, the platform retrieves the configuration details the provider publishes, such as the authorization endpoint, token endpoint, and supported scopes.

OIDC Schema

In the securitySchemes object of an example integration model, the OpenIDConnectScheme entry must set the authentication type ("openIdConnect") and, in openIdConnectUrl, the discovery endpoint: the OIDC identity provider's publicly reachable URL from which the configuration is fetched.

In the example schema, the public endpoint issued by the Microsoft identity platform is shown.

{
  ...
  "components": {
    "securitySchemes": {
      "OpenIDConnectScheme": {
        "type": "openIdConnect",
        "openIdConnectUrl": "https://login.microsoftonline.com/common/.well-known/openid-configuration"
      }
    }
  }
}

IAP does not support identifying end-users via OIDC. Users must log in to Itential Platform with their own credentials. OIDC support in Itential Platform integrations is designed for authenticating/authorizing users with a given OAuth provider in order to obtain access tokens for the relevant service.

OIDC Discovery

After creating an Integration instance, Itential Platform requests the discovery document from the discovery endpoint (the openIdConnectUrl) and auto-populates the instance with the values it returns. Any of these retrieved values may be overridden after instance creation; however, Itential recommends that you keep most of them unchanged. A portion of a newly created integration using the Microsoft discovery endpoint from an Integration Model example is shown below (Figure 1).

Figure 1: OIDC Discovery (OIDC Integration Models)

If an item is shown with Option 1 and Option 2, it corresponds to a variable that was null in the discovery document. Option 2 keeps the value null; Option 1 lets you enter any string for it.
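The discovery step above can be checked offline. The following is an added example (not Itential's code) that parses a constructed discovery document, applies the validations a client should perform before trusting it (required fields present, issuer matches the discovery URL, endpoints are HTTPS, the openid scope is offered), and reports which values came back null, i.e. the ones the UI presents as Option 1 / Option 2. The sample document, the idp.example.com URLs and the function names are assumptions made for this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the JSON an OpenID Provider publishes at
# <issuer>/.well-known/openid-configuration. It is an assumption for this
# example, not a capture from Microsoft or any other real provider.
SAMPLE_DISCOVERY_URL = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/discovery/keys",
    "userinfo_endpoint": None,          # null: the UI's Option 1 / Option 2 case
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code", "id_token"],
})

# Fields OpenID Connect Discovery 1.0 (section 3) marks REQUIRED for a
# provider that supports the authorization code flow.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
URL_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")


def load_discovery(doc_text, discovery_url):
    """Validate a discovery document and return the values an integration
    instance would be auto-populated with. Null fields come back as None so
    the caller can decide whether to supply an override."""
    doc = json.loads(doc_text)

    missing = [k for k in REQUIRED_FIELDS if doc.get(k) is None]
    if missing:
        raise ValueError(f"discovery document lacks required fields: {missing}")

    # Discovery spec section 4.3: the document must come from the issuer it
    # names, i.e. discovery_url == issuer + "/.well-known/openid-configuration".
    # This stops a document served from one host from steering the client to
    # another host's token endpoint.
    issuer = doc["issuer"].rstrip("/")
    if discovery_url.rstrip("/") != issuer + "/.well-known/openid-configuration":
        raise ValueError(f"issuer {doc['issuer']!r} does not match discovery URL {discovery_url!r}")

    # Endpoints that will receive client credentials and authorization codes
    # must be HTTPS; a plain-http endpoint in a discovery document is a red flag.
    for key in URL_FIELDS:
        value = doc.get(key)
        if value is not None and urlparse(value).scheme != "https":
            raise ValueError(f"{key} is not an https URL: {value!r}")

    scopes = doc.get("scopes_supported")   # RECOMMENDED, so it may be absent
    if scopes is not None and "openid" not in scopes:
        raise ValueError("provider does not list the mandatory 'openid' scope")

    return {
        "issuer": issuer,
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "jwks_uri": doc["jwks_uri"],
        "userinfo_endpoint": doc.get("userinfo_endpoint"),
        "scopes_supported": scopes,
        "response_types_supported": doc.get("response_types_supported", []),
    }


def unresolved_fields(config):
    """Names of auto-populated values that were null at the discovery endpoint
    and therefore need a manual Option 1 string or must stay unset (Option 2)."""
    return sorted(k for k, v in config.items() if v is None)


if __name__ == "__main__":
    cfg = load_discovery(SAMPLE_DISCOVERY_DOC, SAMPLE_DISCOVERY_URL)
    print("token_endpoint:", cfg["token_endpoint"])
    print("fields left null by the provider:", unresolved_fields(cfg))
```

One caveat on the issuer check: a multi-tenant endpoint such as the Microsoft common URL used on this page publishes a templated issuer value, so the exact-match comparison only passes against a tenant-specific discovery URL; treating a mismatch as a hard failure is still the right default for a single-tenant provider.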

OIDC Authorization Code Grant Flow

Itential supports Authorization Code Grant Flow ("auth code flow") for OIDC. The specifics are the same as summarized in the auth code flow for OAuth2 documented in "Integration Model - OAuth2 Authentication/Authorization"; however, there are a few variable name differences:

  • tokenUrl and token_url become token_endpoint

  • authorizationUrl becomes authorization_endpoint

  • the scopes object is replaced by the scopes_supported array, which lists scope names without descriptions

Token requests for OIDC-compliant services must request the openid scope.
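To make the variable mapping concrete, the following is an added example (not Itential's code) of the auth code flow driven by the OIDC names: authorization_endpoint for the front-channel request and token_endpoint for the back-channel exchange. It inserts the mandatory openid scope, binds the request to the session with state and nonce, and uses PKCE (RFC 7636) so a leaked authorization code cannot be redeemed without the code_verifier. The endpoints, client_id, redirect URI and the callback URL it parses are constructed values, not taken from any real provider.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example; the endpoints stand in for the
# authorization_endpoint / token_endpoint that discovery would have returned.
AUTHORIZATION_ENDPOINT = "https://idp.example.com/oauth2/authorize"
TOKEN_ENDPOINT = "https://idp.example.com/oauth2/token"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://itential.example.net/oidc/callback"


def b64url(raw):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier, challenge):
    """What the provider does at the token endpoint: recompute S256(verifier)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge


def with_openid_scope(scopes):
    """OIDC token requests must carry the openid scope; add it if absent."""
    scopes = list(scopes)
    if "openid" not in scopes:
        scopes.insert(0, "openid")
    return scopes


def build_authorization_request(authorization_endpoint, client_id, redirect_uri,
                                scopes, state, nonce, code_challenge):
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(with_openid_scope(scopes)),
        "state": state,              # tied to the browser session; checked on return
        "nonce": nonce,              # must reappear in the ID token's nonce claim
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return authorization_endpoint + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect, rejecting any
    response whose state does not match the one we sent."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"provider returned error {qs['error'][0]!r}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state does not match the one sent; rejecting callback")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(token_endpoint, client_id, redirect_uri, code, code_verifier):
    """Form body for the back-channel POST to token_endpoint."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }
    return token_endpoint, body


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    url = build_authorization_request(AUTHORIZATION_ENDPOINT, CLIENT_ID, REDIRECT_URI,
                                      ["profile"], state, nonce, challenge)
    print(url)
    # Constructed callback, shaped like the provider's redirect back to us.
    code = parse_callback(f"{REDIRECT_URI}?code=AUTHCODE&state={state}", state)
    print(build_token_request(TOKEN_ENDPOINT, CLIENT_ID, REDIRECT_URI, code, verifier))
```

The token request is shown as a form body only; whether the client authenticates to token_endpoint with a client secret, mTLS or PKCE alone depends on how the provider registered the client. After the exchange, the ID token's iss, aud and nonce claims still have to be checked against the issuer, client_id and nonce used here.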
