
OpenID Connect (OIDC) Backend

The OpenID Connect backend acts as an OpenID Connect Relying Party (RP), making authentication requests to an OpenID Connect Provider (OP).

Configurations

An example configuration for the OIDC backend can be found here. Just like any other backend configuration, the configuration for the OIDC backend needs to be placed inside <customer-project>/didmos2-auth/config/backends. As with all other configurations, it is recommended that credentials are not written into the file but referenced as !ENV ENVIRONMENT_VARIABLE_NAME; the value of ENVIRONMENT_VARIABLE_NAME is then defined in the .env file of the compose project, which keeps the client secret out of the configuration file itself.

Let's have a look at the following example setup for the OIDC Backend configuration:

module: satosa.backends.openid_connect.OpenIDConnectBackend
name: oidc
config:
  provider_metadata:
    issuer: !ENV SATOSA_OIDC_BACKEND_ISSUER
  client:
    auth_req_params:
      response_type: "code"
      scope: ["openid", "profile", "email"]
    client_metadata:
      client_id: !ENV SATOSA_OIDC_BACKEND_CLIENTID
      client_secret: !ENV SATOSA_OIDC_BACKEND_CLIENTSECRET
      redirect_uris: [<base_url>/<name>]
    userinfo_request_method: "GET"
  entity_info:
    organization:
      display_name:
      - "[\"DEMOSHOP\", \"en\"]"
      name:
      - "[\"DEMOSHOP\", \"en\"]"
      url:
      - "[\"https://demoshop.url\", \"en\"]"
    ui_info:
      description:
      - "[\"DEMOSHOP\", \"en\"]"
      display_name:
      - "[\"DEMOSHOP\", \"en\"]"

SATOSA_OIDC_BACKEND_CLIENTID and likewise all the other environment variables referenced with !ENV above can then be defined in the .env file. Note that the redirect URI <base_url>/<name> is derived from the backend's name (oidc in this example, giving <base_url>/oidc). The OP must have exactly this URI registered for the client, so renaming the backend also changes the redirect URI that has to be registered at the OP.

Activating the OIDC Backend

We have now defined the whole configuration for our demoshop OP, but the backend is not yet in use: the OIDC backend is disabled by default. Just like any other backend, the OIDC backend is activated by listing it under BACKEND_MODULES in customer-project/didmos2-auth/config/proxy-conf.yaml.

Duplicating OIDC backend with different configuration for additional OPs

Please also note that several OpenID Connect Providers (OPs) can be configured with didmos2-auth. Each additional OP needs the following changes:

  1. A new oidc_backend.yaml in <customer-project>/didmos2-auth/config/backends with a different name (the name must be unique across backends, since it forms the backend's endpoint and therefore its redirect URI) and its own set of environment variables for this OP's issuer, client ID and client secret.
  2. A new entry in customer-project/didmos2-auth/config/proxy-conf.yaml under BACKEND_MODULES for this new oidc_backend DOCKERCONFIG file.
  3. The new environment variables referenced by the new OIDC backend need to be defined via one of the compose files or one of the env files, as shown in the previous section.
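The steps above, together with the activation step in the previous section, reduce to a handful of checks that are worth scripting before a deployment. The following POSIX shell script is an added example and is not part of didmos2-auth or SATOSA. It assumes the layout described on this page (backend files under config/backends, proxy-conf.yaml next to that directory, a .env file at the project root) and additionally assumes that BACKEND_MODULES entries are file paths relative to the config directory; that last point is an assumption, not something this page states. It builds a constructed fixture with a correct first backend and a deliberately broken second one, then verifies that every !ENV variable is defined in .env, that client_secret is never a literal, that backend names are unique, and that every BACKEND_MODULES entry points at an existing file.

```shell
#!/bin/sh
# Added example, not part of didmos2-auth or SATOSA. Assumptions: backend files
# in <root>/config/backends, proxy-conf.yaml in <root>/config, .env in <root>,
# and BACKEND_MODULES entries given as paths relative to <root>/config.

# 1. Every "!ENV NAME" referenced in the backend files must be defined in .env.
check_env_refs() {
  env_file="$1"; shift; rc=0
  for cfg in "$@"; do
    for var in $(grep -o '!ENV [A-Za-z_][A-Za-z0-9_]*' "$cfg" | awk '{print $2}' | sort -u); do
      grep -q "^${var}=" "$env_file" || { echo "$cfg: $var not defined in $env_file"; rc=1; }
    done
  done
  return "$rc"
}

# 2. client_secret must come from the environment, never be a literal in the file.
check_secret_not_literal() {
  rc=0
  for cfg in "$@"; do
    if grep '^[[:space:]]*client_secret:' "$cfg" | grep -vq '!ENV'; then
      echo "$cfg: client_secret is a literal; use !ENV VARIABLE_NAME"; rc=1
    fi
  done
  return "$rc"
}

# 3. Backend names must be unique: the name is the backend endpoint and so part
#    of its redirect URI (<base_url>/<name>).
check_unique_names() {
  dups=$(for cfg in "$@"; do sed -n 's/^name:[[:space:]]*//p' "$cfg"; done | sort | uniq -d)
  [ -z "$dups" ] && return 0
  echo "duplicate backend name(s): $dups"; return 1
}

# 4. Every file listed under BACKEND_MODULES in proxy-conf.yaml must exist.
list_backend_modules() {
  awk '/^BACKEND_MODULES:/ {f=1; next}
       f && /^[ \t]*-/ {sub(/^[ \t]*-[ \t]*"?/, ""); sub(/"?[ \t]*$/, ""); print; next}
       f && /^[^ \t]/ {f=0}' "$1"
}
check_backend_modules() {
  proxy_conf="$1"; conf_dir="$2"; rc=0
  for path in $(list_backend_modules "$proxy_conf"); do
    [ -f "$conf_dir/$path" ] || { echo "$proxy_conf: $path listed but not found"; rc=1; }
  done
  return "$rc"
}

# Runs all four checks; the exit status is the number of checks that failed.
run_checks() {
  root="$1"; conf="$root/config"; failed=0
  check_env_refs "$root/.env" "$conf"/backends/*.yaml   || failed=$((failed + 1))
  check_secret_not_literal "$conf"/backends/*.yaml      || failed=$((failed + 1))
  check_unique_names "$conf"/backends/*.yaml            || failed=$((failed + 1))
  check_backend_modules "$conf/proxy-conf.yaml" "$conf" || failed=$((failed + 1))
  return "$failed"
}

# Constructed fixture (no real credentials): a correct first backend and a second
# one that repeats the name, hard-codes its secret and references an undefined
# variable; proxy-conf.yaml also lists a backend file that does not exist.
make_fixture() {
  root="$1"; mkdir -p "$root/config/backends"
  cat > "$root/config/backends/oidc_backend.yaml" <<'EOF'
module: satosa.backends.openid_connect.OpenIDConnectBackend
name: oidc
config:
  provider_metadata:
    issuer: !ENV SATOSA_OIDC_BACKEND_ISSUER
  client:
    client_metadata:
      client_id: !ENV SATOSA_OIDC_BACKEND_CLIENTID
      client_secret: !ENV SATOSA_OIDC_BACKEND_CLIENTSECRET
EOF
  cat > "$root/config/backends/oidc_backend_second_op.yaml" <<'EOF'
name: oidc
config:
  provider_metadata:
    issuer: !ENV SECOND_OP_ISSUER
  client:
    client_metadata:
      client_id: !ENV SECOND_OP_CLIENTID
      client_secret: "hardcoded-secret"
EOF
  cat > "$root/config/proxy-conf.yaml" <<'EOF'
BASE: https://auth.example.org
BACKEND_MODULES:
  - "backends/oidc_backend.yaml"
  - "backends/oidc_backend_second_op.yaml"
  - "backends/oidc_backend_missing.yaml"
COOKIE_STATE_NAME: "SATOSA_STATE"
EOF
  printf '%s\n' 'SATOSA_OIDC_BACKEND_ISSUER=https://op.example.org' \
    'SATOSA_OIDC_BACKEND_CLIENTID=demoshop' 'SATOSA_OIDC_BACKEND_CLIENTSECRET=change-me' \
    'SECOND_OP_ISSUER=https://second-op.example.org' > "$root/.env"
}

# Usage: sh check_oidc_backends.sh <project-root>; with no argument it runs on the fixture.
if [ $# -ge 1 ]; then run_checks "$1"; else
  tmp=$(mktemp -d); make_fixture "$tmp"
  if run_checks "$tmp"; then echo "all checks passed"; else echo "failed checks: $?"; fi
  rm -rf "$tmp"
fi
```

Run against the fixture, the script reports the undefined SECOND_OP_CLIENTID, the literal client_secret, the duplicate name oidc and the missing oidc_backend_missing.yaml, and exits with status 4; pointed at a real project root it exits 0 only when all four checks pass, which makes it usable as a pre-deploy gate in the compose workflow.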