OpenID Connect (OIDC) authorization

Authorizes a user request via OpenID Connect (OIDC).

There is no need that the actual user exists in any way on the host machine of Bifröst. Even if the local environment is used together with createIfAbsent and updateIfDifferent set to true, it will create/update the users. There is no need for tools like Puppet or Ansible.

This provides an easy way for SSO in all types of organizations, small or big. See use cases for more details.

Currently the following flow of OpenID Connect is supported:

Device Auth

Device Auth

Properties

`type`

Authorization Type = "oidc"

Has to be set to oidcDeviceAuth to enable the OIDC DeviceAuth authorization.

`issuer`

URL Core

The issuer is the URL identifier for the service which is issued by your identity provider.

Examples

https://login.microsoftonline.com/my-great-tenant-uuid/v2.0
https://accounts.google.com
https://login.salesforce.com

`clientId`

string Core

Client ID issued by your identity provider.

`clientSecret`

string Core

Secret for the corresponding Client ID.

`scopes`

[]string Core = ["openid", "profile", "email"]

Scopes to request the token from the identity provider for.

Examples

scopes:
    - openid
    - email
    - profile

`retrieveIdToken`

bool = true

Will retrieve the ID Token and makes it available in the corresponding context via idToken.

`retrieveUserInfo`

bool = false

Will retrieve the UserInfo and makes it available in the corresponding context via userInfo.

Context

This authorization will produce a context of type Authorization OIDC.

Examples

type: oidcDeviceAuth
issuer: https://login.microsoftonline.com/my-great-tenant-uuid/v2.0
clientId: my-great-client-uuid
clientSecret: very-secret-secret
scopes:
  - openid
  - email
  - profile

Compatibility

`linux`	`windows`
/	/