Skip to content

OpenID Connect (OIDC) authorization

Authorizes a user request via OpenID Connect (OIDC).

There is no need that the actual user exists in any way on the host machine of Bifröst. Even if the local environment is used together with createIfAbsent and updateIfDifferent set to true, it will create/update the users. There is no need for tools like Puppet or Ansible.

This provides an easy way for SSO in all types of organizations, small or big. See use cases for more details.

Currently, the following flow of OpenID Connect is supported:

Device Auth

Properties

type

Authorization Type = "oidc"

Has to be set to oidcDeviceAuth to enable the OIDC DeviceAuth authorization.

issuer

The issuer is the URL identifier for the service which is issued by your identity provider.

Examples
  • https://login.microsoftonline.com/my-great-tenant-uuid/v2.0
  • https://accounts.google.com
  • https://login.salesforce.com

clientId

string Core

Client ID issued by your identity provider.

clientSecret

string Core

Secret for the corresponding Client ID.

scopes

[]string Core = ["openid", "profile", "email"]

Scopes to request the token from the identity provider for.

Examples
1
2
3
4
scopes:
    - openid
    - email
    - profile

retrieveIdToken

bool = true

Will retrieve the ID Token and makes it available in the corresponding context via idToken.

retrieveUserInfo

bool = false

Will retrieve the UserInfo and makes it available in the corresponding context via userInfo.

Context

This authorization will produce a context of type Authorization OIDC.

Examples

1
2
3
4
5
6
7
8
type: oidcDeviceAuth
issuer: https://login.microsoftonline.com/my-great-tenant-uuid/v2.0
clientId: my-great-client-uuid
clientSecret: very-secret-secret
scopes:
  - openid
  - email
  - profile

Compatibility

linux windows
/ /