OIDC settings for IdPs
# OIDC settings for IdPs
You can find the OIDC enterprise IdP settings in the Settings tab of the selected OIDC enterprise IdP.
# Mandatory settings
Listed below are the mandatory settings.
# Client ID
The client ID that is generated when registering Asgardeo as an OIDC application in the external identity provider.
# Client secret
The client secret that is generated when registering Asgardeo as an OIDC application in the external identity provider.
# Authorization endpoint URL
The OpenID Connect standard authorization endpoint URL of the external identity provider.
# Token endpoint URL
The OpenID Connect standard token endpoint URL of the external identity provider.
# Authorized redirect URL
This is where the user needs to be redirected after completing authentication at the external identity provider. The identity provider needs to send the authorization code to this URL upon successful authentication.
You should configure https://api.asgardeo.io/t/{your_organinzation_name}/commonauth
as the redirect URL/callback URL when you register Asgardeo as an OIDC application in the external IdP.
# Additional settings
Listed below are additional settings.
# User info endpoint URL
The OpenID Connect standard userinfo endpoint of the external identity provider. If this URL is not given, user attributes are taken from the ID token of the token response received from the external IdP.
# Logout URL
The OpenID Connect standard logout endpoint (opens new window) of the external identity provider. If this URL is given, Asgardeo sends logout requests to the external IdP when a user logs out from the connected application.
# Scopes
This is a list of case-sensitive OpenID Connect scopes that needs to be requested from the OIDC external IdP. See the OpenID Connect specification (opens new window) for more information about what scopes can be configured here.
# Additional query parameters
Asgardeo supports sending additional information to your OIDC external IdP in the form of query params in the login request.
- Fixed query params
- Dynamic query params
- Query param value sent in the application login request
- Query param value resolved in a conditional authentication script
You can check below examples when an application developer wants to send login_hint as a query param to external provider.
# Fixed query params
Here Asgardeo sends the fixed query param to the external identity provider in the login request.
- Sample Query Param:
login_hint=none
# Dynamic query params
Query param value sent in the application login request
Sample Query Param:
login_hint=${login_hint_value}
You can see a sample OIDC request from an application below.https://api.asgardeo.io/t/bifrost/oauth2/authorize?scope=openid&response_type=code&redirect_uri=<redirect_uri>&client_id=<client_id>&login_hint_value=[email protected]
1If the application does not send the query param in the login request, the particular parameterized query param will not be sent to the external OIDC identity provider.
Query param value resolved in a conditional authentication script
Sample Query Param:
login_hint=$authparam{login_hint_value}
Here login_hint_value needs to be resolved from the conditional auth script.Sample conditional auth script:
// Step 1: username and password authentication // Step 2: OIDC enterprise login var onLoginRequest = function(context) { executeStep(1, { onSuccess: function(context) { // Extracting authenticated user from the first step. var emailAddress = context.steps[1].subject.username; executeStep(2, { authenticatorParams: { common: { 'login_hint_value': emailAddress // This is where we resolve the dynamic query param. } }, authenticationOptions: [{ idp: 'OIDC enterprise IDP' // Name of the OIDC idp. }] }, {}); }, }); };
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# Enable HTTP basic auth for client authentication
Specify whether to enable HTTP basic authentication for the token request. Otherwise, client credentials are sent in the request body instead of the HTTP header.