Skip to main content
The OIDC Provider mode configures the Maverics Orchestrator as an OpenID Connect authorization server. It sits between your applications and upstream identity providers — handling authentication flows, enriching claims from multiple sources, and providing seamless IdP failover without application changes.
Console terminology: In the Maverics Console, the combination of applications, policies, headers, and connector bindings is managed through User Flows. In YAML, these elements are configured directly within each app’s configuration block under apps[].policies[].
When to use this mode
  • OIDC Provider — Choose this mode when your applications support OpenID Connect. Best for modern apps that can consume OIDC tokens natively.
  • SAML Provider — Choose this mode for applications that only support SAML 2.0 assertions.
  • HTTP Proxy — Choose this mode when you cannot modify the application’s authentication code.
  • LDAP Provider — Choose this mode for applications that require an LDAP directory for authentication.
  • AI Identity Gateway — Choose this mode for securing AI agent-to-tool communication via MCP.

Use Cases

  • SSO consolidation — Unify multiple identity providers behind a single OIDC-compliant interface, giving users one login experience across all applications.
  • IdP migration with zero downtime — Route authentication traffic between old and new identity providers during migration without disrupting end users.
  • Legacy app modernization via OIDC — Add OpenID Connect support to applications that previously relied on proprietary or outdated authentication mechanisms.
  • Claim enrichment from multiple sources — Aggregate user attributes from directories, databases, and APIs into a single enriched token for downstream applications.

How It Works

The OIDC Provider authentication flow follows these steps:
  1. Application redirects — A user accesses an application registered as an OIDC relying party. The application redirects the user to the Orchestrator’s authorization endpoint.
  2. Upstream authentication — The Orchestrator routes the user to the configured upstream identity provider (Azure AD, Okta, etc.) for authentication. If multiple IdPs are configured, failover rules determine which to use.
  3. Attribute enrichment — After authentication, the Orchestrator loads additional attributes from configured attribute providers (directories, databases, APIs) and enriches the user’s profile.
  4. Token issuance — The Orchestrator generates OIDC tokens (ID token, access token, optional refresh token) with claims mapped from the authenticated identity and enriched attributes.
  5. Application receives tokens — The application receives the tokens at its redirect URI and uses them for session establishment and authorization decisions.
  6. Ongoing token operations — The Orchestrator serves the JWKS endpoint for token verification, handles token introspection and revocation, and manages token refresh flows.

Key Concepts

Provider vs Apps

The oidcProvider block configures server-wide settings (issuer, endpoints, signing keys) shared across all OIDC apps. Each apps[] entry with type: oidc registers a specific relying party (client application) with its own credentials, scopes, and claims mapping. One Orchestrator can serve many OIDC apps.

Claims Mapping

Claims mapping translates attributes from upstream identity providers into OIDC token claims. The format connector.attribute (e.g., upstream-idp.email) references a specific claim from a named connector. This enables enriching tokens with data from multiple identity sources.

IdP Failover

When multiple identity providers are listed under authentication.idps, the Orchestrator tries them in order. If the primary IdP is unavailable, authentication falls back to the next provider seamlessly — no application changes required.

Token Types

The Orchestrator issues two token formats: JWT tokens (self-contained, verified via JWKS) and opaque tokens (reference tokens, verified via introspection). Choice depends on whether resource servers can validate locally or must call back.

Service Extensions

Go-based extension hooks allow custom logic at key points in the flow — custom authentication checks, custom claim building, and custom attribute loading. These provide escape hatches when standard configuration is insufficient.

Interface

In the Maverics Console, OIDC Provider settings are configured in the Deployment Settings dialog under the OIDC Provider section.Issuer and Endpoints
FieldRequiredDescription
IssuerYesCase-sensitive HTTPS URL that identifies this OIDC Provider. Used as the iss claim in issued tokens.
GenerateButton that auto-generates all endpoint URLs from the Issuer domain.
Well-KnownYesOIDC discovery endpoint (auto-generated from Issuer).
AuthorizationYesAuthorization endpoint for login flows (auto-generated).
TokenYesToken endpoint for code exchange and refresh (auto-generated).
IntrospectYesToken introspection endpoint (auto-generated).
RevocationYesToken revocation endpoint (auto-generated).
End SessionYesEnd session / logout endpoint (auto-generated).
User Info Claims
FieldRequiredDescription
User InfoYesUserInfo endpoint URL (auto-generated from Issuer).
Build User Info Claims SENoDropdown to select a Service Extension for customizing UserInfo response claims.
JSON Web Keys
FieldRequiredDescription
JWKSYesJWKS endpoint URL for publishing public keys (auto-generated from Issuer).
Edit JSON Web KeysButton to edit private/public key pairs used for token signing.
Additional Settings
FieldRequiredDescription
Redis CacheNoDropdown to select a configured Redis cache. Defaults to in-memory if not set.
Session CorrelationNoToggle to correlate OIDC sessions with HTTP sessions.
Supported Grant TypesThe Console shows toggles for the following grant types: authorization_code, client_credentials, refresh_token, password, implicit_id, implicit_token.
The Console UI provides a subset of the full YAML configuration. Options like buildUserInfoClaimsSE parameters and advanced JWKS algorithm settings are only available in the Configuration tab. The Console auto-generates endpoints from the Issuer URL; in YAML, each endpoint is set independently.

Configuration Reference

oidcProvider

The oidcProvider top-level key configures the authorization server behavior shared across all OIDC apps. It defines the issuer identity, OIDC discovery endpoints, signing keys (JWKS), and optional session correlation. Every OIDC app served by this Orchestrator instance uses these provider-level settings.
KeyTypeRequiredDescription
oidcProvider.discovery.issuerStringYesIssuer URL used in OIDC discovery and the iss claim in tokens
oidcProvider.discovery.endpoints.wellKnownStringNoOIDC discovery endpoint path (typically /.well-known/openid-configuration)
oidcProvider.discovery.endpoints.jwksStringNoJWKS endpoint path for publishing public keys
oidcProvider.discovery.endpoints.authStringNoAuthorization endpoint path
oidcProvider.discovery.endpoints.tokenStringNoToken endpoint path
oidcProvider.discovery.endpoints.userinfoStringNoUserInfo endpoint path
oidcProvider.discovery.endpoints.introspectStringNoToken introspection endpoint path (RFC 7662)
oidcProvider.discovery.endpoints.revokeStringNoToken revocation endpoint path (RFC 7009)
oidcProvider.discovery.endpoints.endSessionStringNoEnd session (logout) endpoint path
oidcProvider.jwks[].algorithmStringYesSigning algorithm (RSA256 is the only supported value)
oidcProvider.jwks[].publicKeyStringNo*PEM-encoded public key. *Required for production. If omitted, the Orchestrator auto-generates an ephemeral key pair (not suitable for production).
oidcProvider.jwks[].privateKeyStringNo*PEM-encoded private key. *Required for production. If omitted, the Orchestrator auto-generates an ephemeral key pair (not suitable for production).
oidcProvider.cacheStringNoName of a cache to use (references a caches entry)
oidcProvider.correlateSessionBooleanNoCorrelate OIDC sessions with HTTP sessions
oidcProvider.buildUserInfoClaimsSEObjectNoService extension for customizing the UserInfo response claims
If the jwks array is omitted, the Orchestrator auto-generates an RSA key pair at startup. This key pair is ephemeral — a new key pair is generated on every restart, invalidating all previously issued tokens. Auto-generation is intended only for local development and testing. Production deployments should always provide explicit keys using secret provider references (e.g., <oidc.signingPublicKey>, <oidc.signingPrivateKey>).

OIDC App Type (apps[].type: oidc)

Each OIDC app entry defines a relying party (client application) registered with the OIDC Provider. Apps are configured under the apps array with type: oidc. For shared app fields (name, type) and authorization rule syntax, see the Apps and Routes reference. Core Fields
KeyTypeRequiredDescription
clientIDStringYesUnique client identifier for the OIDC relying party
publicBooleanNoWhen true, marks the client as a public client (no client secret required)
credentials.secretsArrayNoClient secrets used for client authentication
credentials.jwtPublicKeys[].nameStringNoName identifier for a JWT-based client authentication key
credentials.jwtPublicKeys[].audStringNoExpected audience value for the client JWT assertion
credentials.jwtPublicKeys[].publicKeyStringNoPEM-encoded public key for verifying client JWT assertions (RFC 7523)
DPoP (Demonstrating Proof-of-Possession)
KeyTypeRequiredDescription
dpop.enabledBooleanNoEnable DPoP sender-bound access tokens (RFC 9449)
dpop.nonce.disabledBooleanNoWhen true, disables the DPoP nonce requirement
Grant Types and URLs
KeyTypeRequiredDescription
grantTypesArrayNoAllowed OAuth 2.0 grant types. Defaults to authorization_code, client_credentials, refresh_token. Also supports urn:ietf:params:oauth:grant-type:token-exchange (RFC 8693) and password (ROPC).
redirectURLsArrayNoAllowed redirect URIs for authorization code flow
logoutRedirectURLsArrayNoAllowed redirect URIs after logout
allowDefaultRedirectURIBooleanNoAllow a default redirect URI when none is supplied in the request
Claims and Scopes
KeyTypeRequiredDescription
claimsMappingObjectNoMap connector attributes to OIDC claims. Keys are claim names, values are connector.attribute references (e.g., email: upstream-idp.email).
customScopes.scopes[].nameStringNoDefine custom OAuth scopes beyond the standard set
allowedAudiencesArrayNoRestrict which audience values are permitted in token requests
Authentication
KeyTypeRequiredDescription
authentication.idpsArrayNoList of identity provider connector names for user authentication
authentication.isAuthenticatedSEObjectNoService extension for custom authentication checks
authentication.authenticateSEObjectNoService extension for custom authentication flows
authentication.backchannel.authenticateSEObjectNoService extension for backchannel authentication (used with the password grant type)
isAuthenticatedSE and authenticateSE must be defined together. When using SE-based authentication, you cannot also specify idps.
Authorization
KeyTypeRequiredDescription
authorization.allowAllBooleanNoAllow all authenticated users
authorization.rulesArrayNoAuthorization rules with and/or conditions. See Apps and Routes for rule syntax.
authorization.rulesAggregationMethodStringNoHow to combine top-level rules: and (all must pass) or or (any may pass)
authorization.tokenMinting.accessToken.policiesArrayNoOPA policies for access token minting. Each entry has name, file (or rego).
Access Tokens
KeyTypeRequiredDescription
accessToken.typeStringNoToken format: jwt (signed JSON Web Token) or opaque (random string reference token)
accessToken.lengthIntegerNoLength of opaque access tokens (22—256). Only applies when accessToken.type is opaque.
accessToken.lifetimeSecondsIntegerNoAccess token lifetime in seconds
Refresh Tokens
KeyTypeRequiredDescription
refreshToken.allowOfflineAccessBooleanNoEnable refresh tokens for this client
refreshToken.lengthIntegerNoRefresh token length (22—256)
refreshToken.lifetimeSecondsIntegerNoRefresh token lifetime in seconds
Attribute Providers and Service Extensions
KeyTypeRequiredDescription
attrProviders[].connectorStringNoConnector name for loading additional attributes after authentication
attrProviders[].usernameMappingStringNoTemplate mapping for the username lookup (e.g., {{ azure.sub }})
loadAttrsSEObjectNoService extension for custom attribute loading
buildIDTokenClaimsSEObjectNoService extension for customizing ID token claims
buildAccessTokenClaimsSEObjectNoService extension for customizing access token claims
CORS
KeyTypeRequiredDescription
cors.allowedOriginsArrayNoAllowed CORS origins for browser-based OIDC flows
cors.allowedCredentialsBooleanNoAllow credentials in CORS requests
Security
KeyTypeRequiredDescription
insecureSkipPKCEBooleanNoDisable PKCE requirement. Not recommended — PKCE protects against authorization code interception attacks.

DPoP (Demonstrating Proof-of-Possession)

DPoP (RFC 9449) creates sender-bound access tokens — the token is cryptographically tied to a specific client’s key pair, preventing token theft and replay attacks. When a client presents a DPoP-bound access token, it must also present a proof that it possesses the private key. If an attacker intercepts the access token, they cannot use it without the client’s private key. DPoP is configured per-app on OIDC Provider applications. When enabled, the Orchestrator validates DPoP proof headers on token requests and issues sender-bound access tokens.
DPoP is configured per-app via YAML only. The Console UI manages primary OIDC Provider settings (issuer, endpoints, signing keys) in the Deployment Settings dialog, but per-app token binding settings like DPoP are not yet available in the Console. See the Configuration tab for the full reference.
KeyTypeDefaultDescription
dpop.enabledBooleanfalseEnable DPoP sender-bound access tokens per RFC 9449. When enabled, the Orchestrator validates DPoP proof headers and binds issued tokens to the client’s public key.
dpop.nonce.disabledBooleanfalseWhen false (the default), the Orchestrator requires a server-issued nonce in DPoP proofs. This prevents pre-generated proof replay. Set to true to disable the nonce requirement.
DPoP provides defense against token exfiltration attacks. Even if an access token is stolen from a log, cache, or network trace, it cannot be used without the corresponding private key. For maximum security, combine DPoP with short token lifetimes and TLS for transport-level protection.

JWT and Opaque Token Options

The accessToken.type field controls whether the OIDC Provider issues JWT tokens or opaque (reference) tokens:
  • JWT tokens (accessToken.type: jwt) — Self-contained tokens that include claims directly. Resource servers can validate them locally using the JWKS endpoint without calling back to the provider. This is the most common choice for APIs and modern applications.
  • Opaque tokens (accessToken.type: opaque) — Random string tokens that carry no claims. Resource servers must call the introspection endpoint to validate them. Use opaque tokens when you need to revoke tokens immediately or avoid exposing claims to intermediate services.
Per-app token type settings (JWT vs. opaque) are configured via YAML only. The Console UI manages provider-level OIDC settings (issuer, endpoints, signing keys) in the Deployment Settings dialog, but per-app access token format and lifetime are not yet available in the Console. See the Configuration tab for the full reference.

Key Rotation

The oidcProvider.jwks field is an array, supporting multiple key pairs for seamless key rotation. The first entry in the array is the active signing key used to sign new tokens. Additional entries are published in the JWKS endpoint so that resource servers can still verify tokens signed with previous keys. To rotate keys:
  1. Generate a new key pair.
  2. Insert the new key pair as the first entry in the jwks array.
  3. Move the old key pair to a later position in the array.
  4. Deploy the updated configuration. New tokens are signed with the new key; existing tokens remain verifiable.
  5. After all tokens signed with the old key have expired, remove the old entry.
Key rotation is managed via YAML only. The Console UI allows editing the current JSON Web Keys through the Edit JSON Web Keys button in Deployment Settings, but multi-key rotation (maintaining old keys alongside new ones for seamless verification) requires direct YAML configuration. See the Configuration tab for the full reference.
The OIDC Provider mode works with all Identity Fabric connectors. The Orchestrator translates between any upstream IdP protocol and OIDC tokens for your applications. These are the most commonly used pairings:

Azure AD

Microsoft Entra ID for enterprise SSO

Okta

Okta SSO consolidation

Custom OIDC

Any OIDC-compliant provider

Continuity

IdP failover and migration
See the connector compatibility matrix for all supported pairings and the Identity Fabric overview for the full connector list. The OIDC Provider also pairs with:
  • Secret Providers — Store signing keys and client secrets securely
  • Caches — Distributed token and session storage with Redis

Troubleshooting

Symptoms: The application rejects tokens with “invalid signature”, “unable to verify token”, or similar errors.Causes:
  • The JWKS endpoint is unreachable from the application’s network.
  • A key mismatch occurred after key rotation — the application cached an old JWKS response.
  • The oidcProvider.discovery.issuer URL does not match the iss claim the application expects.
Resolution:
  1. Verify that oidcProvider.discovery.issuer matches exactly what the application has configured as the issuer (including scheme, host, and path).
  2. Confirm the JWKS endpoint is accessible from the application by requesting <issuer>/.well-known/openid-configuration and following the jwks_uri.
  3. If you recently rotated keys, ensure the active signing key is the first entry in the jwks array and that old keys are still present for verification of previously issued tokens.
Symptoms: Users see a “redirect_uri_mismatch” or “invalid redirect URI” error during the login flow.Causes:
  • The redirect URL sent by the application is not listed in the app’s redirectURLs array.
  • A subtle mismatch in scheme (http vs. https), port, or trailing slash between the configured and requested redirect URI.
Resolution:
  1. Add the exact redirect URI (including scheme, host, port, and path) to apps[].redirectURLs in the OIDC app configuration.
  2. Compare the redirect URI in the browser’s address bar during the error with the configured values — they must match character-for-character.
Symptoms: The application receives a valid token but expected claims (e.g., email, groups) are empty or absent.Causes:
  • The claimsMapping references a wrong connector name or attribute that does not exist on the upstream identity.
  • Attribute providers (attrProviders) are not configured, so enrichment attributes are not loaded.
  • The upstream IdP does not return the expected attributes in its token or UserInfo response.
Resolution:
  1. Verify that connector names in claimsMapping match the connectors[].name values exactly.
  2. If enrichment is needed, confirm attrProviders entries are configured with the correct connector names and usernameMapping.
  3. Test the upstream IdP directly to confirm it returns the expected attributes.
Symptoms: Authentication fails when the primary IdP is down instead of falling back to a secondary IdP.Causes:
  • Only one IdP is listed in authentication.idps — there is no fallback configured.
  • The secondary IdP connector is misconfigured (wrong URL, expired credentials, network issue).
Resolution:
  1. Verify that multiple IdP connector names are listed in authentication.idps in the desired failover order.
  2. Test each connector independently by temporarily making it the only entry to confirm it works on its own.
  3. Check Orchestrator logs for connector-specific error messages when failover is attempted.
Symptoms: All previously issued tokens become invalid after an Orchestrator restart. Logs may show a warning about ephemeral key generation.Causes:
  • The jwks array is omitted from oidcProvider, so the Orchestrator auto-generates an ephemeral RSA key pair on every startup. Each restart produces new keys, invalidating tokens signed with the previous keys.
Resolution:
  1. Provide explicit signing keys in the oidcProvider.jwks array using secret provider references (e.g., <oidc.signingPublicKey>, <oidc.signingPrivateKey>).
  2. Ensure both publicKey and privateKey are set for at least one entry in the jwks array.

SAML Provider

Configure the Orchestrator as a SAML 2.0 identity provider for federation

Identity Fabric

Connect upstream identity providers to the Orchestrator

Architecture and Concepts

Understand how modes fit into the Orchestrator architecture

HTTP Proxy

Protect applications without code modification using reverse proxy mode