|
General
|
Redirect URIs
|
Redirect URIs are the valid endpoints to which the identity provider (IdP) will send the
authorization code or tokens after the authentication process is completed.
|
|
Login URL
|
The Login URL is the endpoint where users are directed to authenticate themselves. This
URL
typically points to the login page of the identity provider.
|
|
Post Logout URL
|
The Post Logout URL is the endpoint to which users are redirected after they have logged
out
of the application. You can add either a + or a – value.
- + value means that the application should dynamically determine the appropriate
URL
from a list of valid redirect URIs.
- – value does not allow any post-logout redirect URIs.
|
|
Web origins
|
Web Origins are the allowed origins from which the web application can make requests to
the
IdP. You may set a + or – value.
|
|
Application Capability Configuration
|
Client Authentication
|
This defines if the OIDC client is confidential or public access type.
- Enabled: The client type is set to confidential access. This
setting
is suitable for server-side applications that handle browser logins and require
client secrets for Access Token Requests.
- Disabled: The client type is set to public access. This
setting is
necessary for client-side applications that handle browser logins. Since client
secrets cannot be securely stored on the client side, it is important to
restrict
access by configuring the appropriate redirect URIs.
|
|
Authentication Flows
|
OIDC Protocol offers various methods, or flows, that clients or applications can use to
authenticate users and receive identity and access tokens. The method depends on the
type of application or client requesting access. The Unifyia platform supports the
following flows:
- Direct access grants (Resource Owner Password Credentials)
- Service account roles (Client Credentials)
- Standard flow (Authorization Code)
- Implicit Flow
|
|
Direct access grants (Resource Owner Password Credentials)
|
Direct Access Grants, also known as the Resource Owner Password Credentials (ROPC) flow,
is a feature in the OpenID Connect (OIDC) protocol that allows users to authenticate by
directly providing their username and password to the client application, which then
exchanges these credentials for an access token from the identity provider (IdP). It is
used by REST clients to obtain tokens on behalf of users by sending the credentials of
the user, client ID, and client secret (if the client type is confidential access) in an
HTTP POST request to fetch identity,access, and refresh tokens in an HTTP response.
|
|
Service account roles (Client Credentials)
|
Enabled only when the Client authentication option is checked under the Application
Capability Configuration section. Allows you to authenticate a client to the
identity provider and retrieve an access token dedicated to this client. In terms of
OAuth2 specification, this enables support of a Client Credentials Grant for this
client.
- Enabled: A client can authenticate to the Unifyia platform and
retrieve an access token dedicated to this client.
- Disabled: A client cannot get an access token dedicated to the
client.
|
|
Standard flow (Authorization Code)
|
This is the most common OIDC authentication method, especially for server-side
applications. It involves exchanging an authorization code for an access token and ID
token. In terms of OpenID Connect or OAuth2 specifications, this enables support of
Authorization Code Flow for this client.
|
|
Implicit flow
|
This enables support for OpenID Connect redirect-based authentication without an
authorization code. The Implicit Flow is designed for client-side applications (e.g.,
single-page applications) where the application cannot securely store a client secret.
It does not involve exchanging an authorization code for an access token and an ID
token. The ID token and/or access token are returned directly to the client as part of
the redirect URI. In terms of OpenID Connect or OAuth2 specifications, this enables
support of Implicit Flow for this client.
|