OIDC provider

Defining an OIDC Provider lets Maverics act as an OpenID Connect identity provider (IdP) for relying parties.

Config Options

Discovery

discovery defines the configuration for OIDC discovery.

Issuer

issuer is the domain to which tokens will be attributed. An issuer is a case-sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
The issuer for the OIDC Provider (which is typically obtained during Discovery) will exactly match the value of the iss (issuer) Claim in the ID token.

Endpoints

endpoints defines where the OIDC endpoints are served.

Well-Known

wellKnown is the endpoint where the OIDC Provider responds to metadata requests. This endpoint can be used to discover the endpoints exposed by the server, the scopes available from the server, and the algorithms used to sign and/or encrypt the access and ID tokens.

JWKS

jwks is the endpoint where the OIDC Provider returns information about the JSON Web Key (JWK) Set it uses to sign JWTs.
This corresponds to RFC 7517: JSON Web Key (JWK).

Authorization

auth is the endpoint where the OIDC Provider responds to OAuth 2.0 Authorization Requests to authenticate the end user.

Token

token is the endpoint where the OIDC Provider responds to the Relying Party with an access token and ID token.

Userinfo

userinfo is the endpoint where the OIDC Provider returns claims about the authenticated end user. If available, it returns claims associated with any of the following scopes: profile, openid, phone, email and address.
If claimsMapping has been defined for the corresponding client, those mappings are applied to the userinfo response.
How scopes relate to claims is defined in OpenID Connect Core 1.0, section 5.4.

Introspect

introspect is the endpoint where the OIDC Provider returns the claims of the access token being introspected.

Revoke

revoke is the endpoint where the OIDC Provider responds to OAuth 2.0 token revocation requests, revoking the specified refresh or access token.
This corresponds to RFC 7009, section 2.

JWKS

jwks is a list of keys used to sign tokens. The key listed first will be used for signing. All public keys will be available for consumption at the JWKS endpoint.

Algorithm

algorithm identifies the algorithm of the key pair used to sign tokens. Currently, only RSA256 is supported.

Private Key

privateKey is the PEM encoded private key. This field can optionally be loaded from a secret provider.

Grant Types

grant_types_supported lists the OIDC flows the provider offers. Maverics supports the Authorization Code Flow (authorization_code) and the Client Credentials Flow (client_credentials).
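A relying party, or an operator verifying a deployment, can check what the wellKnown endpoint publishes against the issuer, endpoint and grant-type rules described above. The following is an added example, not Maverics code: it parses a constructed sample of the discovery metadata, applies the issuer rules (https, no query or fragment, exact case-sensitive match with the expected iss value), requires every endpoint to be present on the issuer's scheme and host (a deployment assumption, not an OIDC requirement), and rejects grant types other than the two Maverics supports.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Constructed sample of a wellKnown response; not captured from a real deployment.
const SampleDiscovery = `{"issuer": "https://maverics.sonarsystems.com", "jwks_uri": "https://maverics.sonarsystems.com/.well-known/jwks.json",
 "authorization_endpoint": "https://maverics.sonarsystems.com/oauth2/auth", "token_endpoint": "https://maverics.sonarsystems.com/oauth2/token",
 "userinfo_endpoint": "https://maverics.sonarsystems.com/userinfo", "grant_types_supported": ["authorization_code", "client_credentials"]}`

// CheckIssuer enforces the issuer rules: https scheme, host present, no query or
// fragment, and an exact case-sensitive match with the iss value the RP expects.
func CheckIssuer(issuer, expected string) error {
	u, err := url.Parse(issuer)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.RawQuery != "" || u.Fragment != "" {
		return fmt.Errorf("issuer %q must be an https URL with a host and no query or fragment", issuer)
	}
	if issuer != expected {
		return fmt.Errorf("issuer %q does not exactly match expected %q", issuer, expected)
	}
	return nil
}

// ValidateDiscovery checks the issuer, requires each endpoint to be present on the
// issuer's scheme and host (a deployment assumption), and rejects unsupported grant types.
func ValidateDiscovery(raw []byte, expected string) error {
	var d map[string]any
	if err := json.Unmarshal(raw, &d); err != nil {
		return err
	}
	issuer, _ := d["issuer"].(string)
	if err := CheckIssuer(issuer, expected); err != nil {
		return err
	}
	iss, _ := url.Parse(issuer) // already validated by CheckIssuer
	for _, name := range []string{"jwks_uri", "authorization_endpoint", "token_endpoint", "userinfo_endpoint"} {
		ep, _ := d[name].(string) // missing key yields "" and fails the parse check below
		if u, err := url.Parse(ep); err != nil || u.Scheme != iss.Scheme || u.Host != iss.Host {
			return fmt.Errorf("%s %q is missing or not on the issuer origin", name, ep)
		}
	}
	grants, _ := d["grant_types_supported"].([]any)
	for _, g := range grants {
		if g != "authorization_code" && g != "client_credentials" {
			return fmt.Errorf("grant type %v is not supported by Maverics", g)
		}
	}
	return nil
}
```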

BuildUserInfoClaims Service Extension

buildUserInfoClaimsSE is an optional Service Extension that customizes the claims returned by the userinfo endpoint. The session argument provided to the Service Extension points to the session attributes associated with the requested user.
As the author of a Service Extension you are responsible for its behavior, and need to ensure that the response adheres to the specification.

Examples

Basic OIDC Provider Config Example

oidcProvider:
  discovery:
    issuer: https://maverics.sonarsystems.com
    endpoints:
      wellKnown: https://maverics.sonarsystems.com/.well-known/openid-config
      jwks: https://maverics.sonarsystems.com/.well-known/jwks.json
      auth: https://maverics.sonarsystems.com/oauth2/auth
      token: https://maverics.sonarsystems.com/oauth2/token
      userinfo: https://maverics.sonarsystems.com/userinfo
      introspect: https://maverics.sonarsystems.com/introspect
      revoke: https://maverics.sonarsystems.com/revoke
  jwks:
    - algorithm: RSA256
      publicKey: <authorizationServerPublicKey>
      privateKey: <authorizationServerPrivateKey>

Basic OIDC Provider Config Example With Service Extension

oidcProvider:
  discovery:
    issuer: https://maverics.sonarsystems.com
    endpoints:
      wellKnown: https://maverics.sonarsystems.com/.well-known/openid-config
      jwks: https://maverics.sonarsystems.com/.well-known/jwks.json
      auth: https://maverics.sonarsystems.com/oauth2/auth
      token: https://maverics.sonarsystems.com/oauth2/token
      userinfo: https://maverics.sonarsystems.com/userinfo
      introspect: https://maverics.sonarsystems.com/introspect
      revoke: https://maverics.sonarsystems.com/revoke
  jwks:
    - algorithm: RSA256
      publicKey: <authorizationServerPublicKey>
      privateKey: <authorizationServerPrivateKey>
  buildUserInfoClaimsSE:
    funcName: BuildUserInfoClaims
    file: /etc/maverics/extensions/auth.go

/etc/maverics/extensions/auth.go

package main

import (
	"net/http"

	"github.com/strata-io/service-extension/orchestrator"
)

// BuildUserInfoClaims returns the claims the userinfo endpoint serves for the
// session's user; here only the groups attribute stored by the Okta connector.
func BuildUserInfoClaims(api orchestrator.Orchestrator, _ *http.Request) (map[string]any, error) {
	logger := api.Logger()
	session, err := api.Session()
	if err != nil {
		logger.Error("se", "unable to retrieve session", "error", err.Error())
		return nil, err
	}
	groups, err := session.GetString("okta.groups")
	if err != nil {
		logger.Error("se", "unable to read okta.groups from session", "error", err.Error())
		return nil, err
	}
	return map[string]any{
		"groups": groups,
	}, nil
}