Understand OpenID Connect Discovery

Itential Platform supports OpenID Connect (OIDC) Discovery. OIDC Discovery facilitates connecting to an OpenID Provider by retrieving necessary configuration details, such as the authorization endpoint, token endpoint, and supported scopes.

For more information, see OpenID Specifications.

OIDC schema

In the securitySchemes object of an integration model, the OpenIDConnectScheme must set the authentication type to "openIdConnect" and set openIdConnectUrl to the provider's publicly reachable discovery document, which by convention is served at the provider's .well-known/openid-configuration URL.

The example schema uses the public discovery endpoint published by the Microsoft identity platform.

{
  ...
  "components": {
    "securitySchemes": {
      "OpenIDConnectScheme": {
        "type": "openIdConnect",
        "openIdConnectUrl": "https://login.microsoftonline.com/common/.well-known/openid-configuration"
      }
    }
  }
}

Itential Platform does not use OIDC to authenticate its own end users; users still log in to Itential Platform with their platform credentials. OIDC support in integrations exists so that an integration can authenticate and authorize against a given OAuth provider and obtain access tokens for the target service.

OIDC discovery

After an integration instance is created, Itential Platform requests the discovery document from openIdConnectUrl and populates the instance with the values it returns. Any retrieved value can be overridden afterwards; Itential recommends leaving most of them unchanged. Overriding an endpoint such as token_endpoint redirects the flow to a different host, so treat such overrides as security-relevant changes.

OIDC Discovery integration instance

If a field on the instance form shows Option 1 and Option 2, the corresponding value was null in the discovery document. Option 2 keeps the value null; Option 1 lets you enter any string in its place.
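The following is an added example, not Itential Platform code, that parses a discovery document the way an instance is populated from openIdConnectUrl, rejects a document whose issuer does not match the URL it was fetched from or whose endpoints are not https, and lists the fields that came back null (the Option 1 / Option 2 case). The provider idp.example.com and its discovery document are constructed for the example.

```python
"""Added example, not Itential Platform code: validate an OpenID Provider
discovery document and extract the values an integration instance needs."""
import json
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Fields the OIDC Discovery spec requires; token_endpoint is added because
# the authorization code flow cannot run without it.
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
# Endpoints that receive credentials, codes or key lookups: must be https.
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                   "userinfo_endpoint", "end_session_endpoint")

# Constructed sample (hypothetical provider, not a real response).
# end_session_endpoint is null, which is what produces the
# "Option 1 / Option 2" choice on the instance form.
SAMPLE_DISCOVERY_URL = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "end_session_endpoint": None,
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


class DiscoveryError(ValueError):
    """The discovery document is unusable or does not match its URL."""


def expected_issuer(discovery_url: str) -> str:
    """The document is served at <issuer>/.well-known/openid-configuration,
    so the issuer it must declare is the URL with that suffix removed."""
    if not discovery_url.endswith(WELL_KNOWN_SUFFIX):
        raise DiscoveryError(f"not a discovery URL: {discovery_url}")
    return discovery_url[: -len(WELL_KNOWN_SUFFIX)]


def discovery_problems(discovery_url: str, body: str) -> list[str]:
    """Return every reason the document should be rejected (empty = OK)."""
    problems = []
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL must use https")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return problems + [f"body is not JSON: {exc}"]
    if not isinstance(doc, dict):
        return problems + ["body is not a JSON object"]
    for field in REQUIRED_FIELDS:
        if doc.get(field) is None:
            problems.append(f"required field missing or null: {field}")
    # The issuer must match the URL the document came from, so a document
    # served by one host cannot point token traffic at another.
    if isinstance(doc.get("issuer"), str):
        try:
            want = expected_issuer(discovery_url)
        except DiscoveryError as exc:
            problems.append(str(exc))
        else:
            if doc["issuer"].rstrip("/") != want.rstrip("/"):
                problems.append(f"issuer {doc['issuer']!r} != {want!r}")
    for field in ENDPOINT_FIELDS:
        value = doc.get(field)
        if value is not None and urlsplit(value).scheme != "https":
            problems.append(f"{field} is not https: {value}")
    return problems


def parse_discovery(discovery_url: str, body: str) -> dict:
    problems = discovery_problems(discovery_url, body)
    if problems:
        raise DiscoveryError("; ".join(problems))
    return json.loads(body)


def null_fields(doc: dict) -> list[str]:
    """Fields the provider returned as null: the ones the instance form
    offers as Option 1 (enter a string) or Option 2 (leave null)."""
    return sorted(name for name, value in doc.items() if value is None)


def instance_values(doc: dict) -> dict:
    """The subset of discovery values the authorization code flow needs."""
    return {
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "scopes_supported": list(doc.get("scopes_supported") or []),
    }


if __name__ == "__main__":
    parsed = parse_discovery(SAMPLE_DISCOVERY_URL, SAMPLE_DISCOVERY_DOC)
    print(instance_values(parsed))
    print("null fields:", null_fields(parsed))
```

The strict issuer comparison assumes a tenant-specific discovery URL. The Microsoft identity platform's common endpoint shown in the schema above returns an issuer containing a {tenantid} placeholder rather than the literal URL prefix, so against that endpoint the check has to be performed on the tenant-specific document or the issuer value validated when ID tokens are later checked.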

OIDC authorization code grant flow

Itential supports the Authorization Code Grant flow (auth code flow) for OIDC. The flow is the same as the OAuth2 auth code flow described in "Integration Model - OAuth2 Authentication/Authorization"; only a few variable names differ:

  • tokenUrl and token_url become token_endpoint
  • authorizationUrl becomes authorization_endpoint
  • the scopes object is replaced by the scopes_supported array, which lists scope names without descriptions

Requests for tokens from an OIDC-compliant service must include the openid scope; without it the provider treats the request as plain OAuth2 and does not issue an ID token.
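The following is an added example, not Itential Platform code, that applies the name mapping above to an OAuth2-style instance, builds the authorization request with the openid scope forced in, checks the requested scopes against scopes_supported, and prepares the token request. The instance values, client identifiers and redirect URI are constructed; the state parameter and PKCE (RFC 7636) are included as standard hardening of the auth code flow, and the page does not say whether Itential's own flow sends them.

```python
"""Added example, not Itential Platform code: authorization code flow
requests built from OIDC discovery values."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# OAuth2-style instance names on the left, OIDC discovery names on the right.
RENAMES = {
    "tokenUrl": "token_endpoint",
    "token_url": "token_endpoint",
    "authorizationUrl": "authorization_endpoint",
}

# Constructed instance values (hypothetical provider idp.example.com).
SAMPLE_INSTANCE = {
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "response_types_supported": ["code"],
}


def oidc_names(instance: dict) -> dict:
    """Normalise an OAuth2-style instance to the OIDC names. An OAuth2
    scopes object ({name: description}) becomes scopes_supported, names only."""
    cfg = {RENAMES.get(key, key): value for key, value in instance.items()}
    scopes = cfg.pop("scopes", None)
    if isinstance(scopes, dict) and "scopes_supported" not in cfg:
        cfg["scopes_supported"] = list(scopes)
    return cfg


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding.
    PKCE is an assumption of this example, not something the page states."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(instance: dict, client_id: str, redirect_uri: str,
                            scopes: list[str], state: str, code_verifier: str) -> str:
    cfg = oidc_names(instance)
    # openid is mandatory for an OIDC request; keep it first, deduplicated.
    requested = ["openid"] + [s for s in scopes if s != "openid"]
    supported = cfg.get("scopes_supported")
    if supported is not None:
        unsupported = [s for s in requested if s not in supported]
        if unsupported:
            raise ValueError(f"scopes not advertised by provider: {unsupported}")
    if "code" not in cfg.get("response_types_supported", ["code"]):
        raise ValueError("provider does not advertise the code response type")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(requested),
        "state": state,                       # bound to the session, checked on callback
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{cfg['authorization_endpoint']}?{urlencode(params)}"


def build_token_request(instance: dict, code: str, client_id: str,
                        redirect_uri: str, code_verifier: str) -> tuple[str, dict]:
    """Return (token_endpoint, form body) for exchanging the code. A client
    secret, if configured, belongs in an HTTP Basic header, not in the body."""
    cfg = oidc_names(instance)
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }
    return cfg["token_endpoint"], body


def new_state_and_verifier() -> tuple[str, str]:
    """Fresh per-request CSRF state and PKCE verifier (43-128 chars)."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(64)


if __name__ == "__main__":
    state, verifier = new_state_and_verifier()
    print(build_authorization_url(SAMPLE_INSTANCE, "itential-client",
                                  "https://itential.example/callback",
                                  ["profile"], state, verifier))
```

The scope check is deliberately strict: a scope that the provider does not list in scopes_supported is rejected before any redirect, which catches an instance whose overridden scopes no longer match the provider.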