OpenID Connect configuration example

OpenID Connect is an open standard and decentralized authentication protocol that allows authentication by participating sites, known as relying parties (RP). A third-party service lets users log into multiple unrelated websites using a single identity and password. OpenID Connect is an identity layer on top of the OAuth 2.0 protocol, allowing web-based, mobile, and JavaScript clients to request information about authenticated end-users.

The following example is a configuration of the OpenID Connect authentication service provider.

"open_id_connect": [
    {
        "authentication_mode": "Passive",
        "client_id": "<CLIENT_ID>",
        "client_secret": "<CLIENT_SECRET>",
        "authority": "<AUTHORITY>",
        "get_claims_from_user_info_endpoint": false,
        "metadata_address": "<METADATA_ADDRESS>",
        "max_age": "<MAX_AGE>",
        "signed_out_redirect_uri": "<URL>",
        "authentication_method": "<AUTHENTICATION_METHOD>",
        "response_mode": "<RESPONSE_MODE>",
        "response_type": "<RESPONSE_TYPE>",
        "prompt": "<PROMPT>",
        "email_claim_type": "<CLAIM_TYPE_OVERRIDE>",
        "external_user_creation_url": "https://www.registerme.com",
        "is_enabled": true,
        "messages": {
            "signIn": "T_translationKey",
            "signInDescription": "T_translationKey",
            "signInTitle": "T_translationKey"
        },
        "provider_name": "OpenIDConnect",
        "username_claim_type": "<CLAIM_TYPE_OVERRIDE>",
        "clear_default_scope": false,
        "scope": [
            "<CUSTOM_SCOPE>"
        ]
    }
]
Note

The OpenID Connect specification includes many properties. You can find more information about these properties and their implementation in the official OpenID Connect, OAuth 2, or .NET OpenID Connect specifications.

Script parameters

Parameter

Explanation

authentication_mode

The authentication mode can be set to Active or Passive, but only one provider can be active at a time. In Active mode, users are automatically redirected to the provider's login page if they are not authenticated. In Passive mode, users must manually click the provider's button on the login page.

client_id

A unique identifier for the client application, used to authenticate your Content Hub application with the Identity Provider.

client_secret

A secret known only to the application and the authorization server, used to authenticate the Content Hub application.

authority

The URL of the OpenID Connect provider, used to discover the provider's configuration and endpoints.

get_claims_from_user_info_endpoint

Whether to retrieve claims from the UserInfo endpoint. If set to false, an id_token with claims must be provided for each authentication.

metadata_address

The URL for the OpenID Connect provider's metadata, which includes endpoint details and supported features. Avoid hosting a copy of this file, as provider certificate changes can break authentication.

signed_out_redirect_uri

The URL where the user is redirected after signing out.

redirect_uri

The URL where the authorization server redirects the user after authentication. This must be registered with the authorization server.

authentication_method

The method used for authentication. Possible values include redirect_get and form_post.

response_mode

How the authentication response is returned. Possible values include query, form_post, and fragment.

response_type

The type of response expected from the authorization server. Possible values include code, code id_token, code id_token token, code token, id_token, id_token token, none, and token.

prompt

Whether the user should be prompted for re-authentication. Possible values include none, login, consent, and select_account.

email_claim_type

The claim type used for the user's email address.

external_user_creation_url

The URL used for creating external users.

is_enabled

Whether OpenID Connect is enabled. This allows temporarily disabling an identity provider without removing its configuration.

messages

Custom messages for the sign-in process. Possible values include signIn, signInTitle, and signInDescription.

provider_name

The name of the OpenID Connect provider, also used as the redirect URI in the IdP, formatted as {HOST}/signin-{PROVIDER_NAME}.

username_claim_type

The claim type that defines the user's username.

clear_default_scope

Whether to clear the default scope.

scope

The scopes requested during authentication. Possible values include openid, profile, and email. The openid scope is always required for an OpenID Connect authentication.
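As an added example (not code from this page or from Content Hub), the following Python linter applies the constraints the table above states to an open_id_connect array: a single Active provider, the allowed values for response_type, response_mode, authentication_method and prompt, the openid scope, unfilled <PLACEHOLDER> values, and the redirect URI derived from provider_name. Two checks are my assumptions rather than the page's: that the default scope already contains openid, and that authority and metadata_address should use https.

```python
import json
import re

# Allowed values, as listed in the parameter table of this page.
ALLOWED = {
    "response_type": {"code", "code id_token", "code id_token token", "code token",
                      "id_token", "id_token token", "none", "token"},
    "response_mode": {"query", "form_post", "fragment"},
    "authentication_method": {"redirect_get", "form_post"},
    "prompt": {"none", "login", "consent", "select_account"},
}
PLACEHOLDER = re.compile(r"^<[A-Z_]+>$")  # unfilled template values such as <CLIENT_ID>

def lint_open_id_connect(providers):
    """Return the problems found in an 'open_id_connect' array (empty list = clean)."""
    problems = []
    active = [p.get("provider_name") for p in providers if p.get("authentication_mode") == "Active"]
    if len(active) > 1:  # only one provider may be Active at a time
        problems.append(f"more than one Active provider: {active}")
    for p in providers:
        name = p.get("provider_name", "?")
        for key, value in p.items():
            if isinstance(value, str) and PLACEHOLDER.match(value):
                problems.append(f"{name}: {key} still holds placeholder {value}")
            elif key in ALLOWED and value not in ALLOWED[key]:
                problems.append(f"{name}: {key}={value!r} not in {sorted(ALLOWED[key])}")
        # Assumption: the default scope already contains openid, so it only has to be
        # listed explicitly when clear_default_scope drops the defaults.
        if p.get("clear_default_scope") and "openid" not in p.get("scope", []):
            problems.append(f"{name}: default scope cleared but 'openid' is missing")
        # Assumption (not stated on the page): discovery URLs should be https.
        for key in ("authority", "metadata_address"):
            url = p.get(key, "")
            if url and not PLACEHOLDER.match(url) and not url.startswith("https://"):
                problems.append(f"{name}: {key} is not https")
    return problems

def redirect_uri(host, provider_name):
    """Redirect URI that must be registered at the IdP: {HOST}/signin-{PROVIDER_NAME}."""
    return f"{host.rstrip('/')}/signin-{provider_name}"

# Constructed sample with several deliberate mistakes.
SAMPLE = json.loads("""{"open_id_connect": [{
    "authentication_mode": "Active", "provider_name": "OpenIDConnect",
    "authority": "http://idp.example.test", "client_id": "<CLIENT_ID>",
    "response_type": "code token", "response_mode": "fragment",
    "clear_default_scope": true, "scope": ["profile"]}]}""")
```

Running `lint_open_id_connect(SAMPLE["open_id_connect"])` reports the unfilled client_id, the missing openid scope and the plain-http authority; `redirect_uri("https://hub.example.test", "OpenIDConnect")` gives the value to register at the IdP.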
