OpenID provider configuration
The steps below summarize how to configure the OneWelcome Identity Platform as an OpenID provider.
Configure JWT Keys for signing
The OneWelcome Identity Platform allows you to configure the algorithm and keys that it uses for calculating the digital signature of the ID token.
Field | Required | Example value | Details |
---|---|---|---|
Discovery URL | Read-only | https://tokenserver.example.com/oauth/.well-known/openid-configuration | URL of the Discovery endpoint |
Signing algorithm | Yes | RS256: RSASSA-PKCS1-v1_5 using SHA-256 (default) | The algorithm used for generating the digital signature of the JWT |
Next key | Read-only | db5aac2e-504b-4845-8900-4d64d2afd3ad | Identifier of the Next key |
Current key | Read-only | 59b04937-7a12-4ff7-9d27-67b55637da9f | Identifier of the Current key. This is the identifier referenced in the KID field of the currently issued ID tokens. |
Previous key | Read-only | a1328084-d75d-4ea7-a734-fe5257a5faff | Identifier of the Previous key. This field is empty when the keys are initially created. |
The Next key and Current key are generated during the initial application startup.
For security reasons, periodically change the keys that are used for the digital signature. To ensure that the relying party is able to validate the signature of the ID tokens that are issued prior to the key change, the OneWelcome Identity Platform provides the following key rotation mechanism:
- When you click the Rotate Keys button, the Current key becomes the Previous key, the Next key becomes the Current key, and a new Next key is generated.
- Modifying the algorithm requires changing the underlying keys. As part of the change, the keys are rotated in a slightly different way: the Current key becomes the Previous key, and two new keys are generated, the Current key and the Next key.
For algorithms that use an RSA key, you can configure the strength of the key using the following property:
TOKEN_SERVER_ADMIN_RSA_ENCRYPTION_STRENGTH=2048
The minimum RSA strength is 2048 bits.
Web client
A web client becomes an OpenID relying party with the following web client configuration:
- Add the grant type Authorization Code.
- Add the scope openid to either the Default Scopes or Additional Scopes.
Then configure OpenID specific settings as described in OpenID Connect Relying Party configuration.
Mobile applications
All mobile applications are OpenID relying parties. When creating a mobile application, the scope openid is automatically added to the Default scopes.
OpenID Connect relying party configuration
In addition to the configuration of web clients and mobile applications, there's a configuration for the OpenID Connect relying party. This configuration contains the following items:
Field | Required | Example value | Details |
---|---|---|---|
ID token validity | yes | 3600 | Number of seconds an ID token is valid. It is used to calculate the exp (expiration time) claim in the ID token. |
Additional Audiences | no | https://resource.example.com | A list of case-sensitive strings that identify the intended audience of the issued ID token. It is used to populate the aud claim in the ID token in combination with the Client ID, which is always included. |
Delete access/refresh tokens on logout | no | | When enabled, access tokens and refresh tokens are deleted when the End-session endpoint is called. Use this when using the client authentication method PKCE. If a client enables SAML SLO and does not use refresh tokens, the tokens are removed regardless of this setting. |
Post Logout Redirect URL | no | https://redirect.example.com | The primary or default post-logout URL. The user is redirected to this URL if no other URL is specified in the end session request. |
Additional Post Logout Redirect URLs | no | https://redirect.example.com, https://postlogout.example.com | A list of additional post-logout redirect URLs. This list contains the redirect URLs that can be specified as part of the end session request. |
Front-Channel Logout URL | no | https://frontchannellogout.example.com | A URL on the relying party that invalidates the session. It is triggered after a successful logout using the end session page. |
ID Token Encryption enabled | no | | Enables or disables ID token encryption. |
Encryption Method | depends | A256GCM | The encryption method that is used to encrypt the ID Token. Required when ID Token Encryption enabled is checked. |
JWKS URI | depends | https://example.com/jwks.json | JSON Web Key Set (JWKS) endpoint that contains the keys used to encrypt the ID token. Required when ID Token Encryption enabled is checked. |
For additional information about redirect and front-channel URLs, see the end session guide.
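The following is an added example, not OneWelcome code, that models the key rotation described in the signing-key section above together with the aud and exp rules from the relying-party table: key identifiers are uuid4 stand-ins and signing itself is left out, so only the kid bookkeeping and the claim checks a relying party performs are shown.

```python
import time
import uuid


class SigningKeyRing:
    """Tracks the Next, Current and Previous signing key identifiers."""

    def __init__(self, algorithm="RS256"):
        self.algorithm = algorithm
        self.next_kid = str(uuid.uuid4())     # generated at initial startup
        self.current_kid = str(uuid.uuid4())  # kid placed in issued ID tokens
        self.previous_kid = None              # empty until the first rotation

    def rotate(self):
        """'Rotate Keys': Current -> Previous, Next -> Current, fresh Next."""
        self.previous_kid = self.current_kid
        self.current_kid = self.next_kid
        self.next_kid = str(uuid.uuid4())

    def change_algorithm(self, algorithm):
        """Algorithm change: Current -> Previous, new Current and new Next."""
        self.algorithm = algorithm
        self.previous_kid = self.current_kid
        self.current_kid = str(uuid.uuid4())
        self.next_kid = str(uuid.uuid4())

    def accepts_kid(self, kid):
        """Relying-party rule: a token's kid must be Current or Previous.
        Next is not yet used for signing; unknown or missing kids are rejected."""
        return kid is not None and kid in (self.current_kid, self.previous_kid)


def build_id_token_claims(issuer, client_id, subject, validity_seconds,
                          additional_audiences=(), now=None):
    """aud = Client ID plus Additional Audiences; exp = iat + ID token validity."""
    iat = int(time.time() if now is None else now)
    return {"iss": issuer, "sub": subject, "iat": iat, "exp": iat + validity_seconds,
            "aud": [client_id, *additional_audiences]}


def check_claims(claims, issuer, client_id, now):
    """Relying-party checks on iss, aud (case-sensitive) and exp; 'ok' or the first failure."""
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or a list
    if claims.get("iss") != issuer:
        return "issuer mismatch"
    if client_id not in aud:
        return "client id not in aud"
    if now >= claims.get("exp", 0):  # a missing exp fails closed
        return "token expired"
    return "ok"
```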
Identity provider
A relying party can request additional claims as specified in OpenID Connect scopes.
To enable the OneWelcome Identity Platform to retrieve this information, enable User Info as described in Configure User Info Endpoint for the identity provider associated with the relying party.