OIDC config parameters
- 31 Jan 2025
- 2 Minutes to read
- Print
OIDC config parameters
- Updated on 31 Jan 2025
- 2 Minutes to read
- Print
Article summary
Did you find this summary helpful?
Thank you for your feedback
This article provides detailed information on OIDC configuration parameters.
Applications
You can configure the GenericOidcLogin for multiple Grassfish applications, such as the IXM Platform or MobileApp.
Each application uses its own login URL: https://server/path/to/GenericOidcLogin/{APPLICATIONKEY}/login
Examples: https://server/GenericOidcLogin/CMS/login or https://server/GenericOidcLogin/MobileApp/login
Application:{APPLICATIONKEY}:LoginSuccessRedirectUrlRequired
Default:string.Empty
The user is redirected to this URL when the login was successful. The URL needs to contain the@@sh@@placeholder.
Example:https://<IXM-Platform-URL>/gv2/gf/GFWebHtml/cms/index.html#/external?lang=en&cid=@@customerId@@&autologin=bysession&sh=@@sh@@&userID=@@userId@@&customerName=@@customerName@@
Keyword placeholder | Replaced with |
|---|---|
@@sh@@ | Session hash |
@@userId@@ | User ID |
@@customerId@@ | Customer ID |
@@customerCode@@ | Customer code |
@@customerName@@ | Customer name |
Application:{APPLICATIONKEY}:LoginFailedRedirectUrlOptional
Default:/LoginFailed
The user is redirected to this URL if the login failed.
The query parametererrorprovides the error code of the error that caused the failed login. The following default OIDC error codes are possible:access_denied,login_failed,general_error
The query parametererror_descriptionprovides a description of what caused failed login.For example:
/LoginFailed?error=access_denied&error_description=User not found
Customer settings
You must set either CustomerCode or Claims.CustomerCode. The application doesn’t start if both or neither are set.
CustomerCodeOptional
Default:string.EmptyConstant CustomerCode value for all logins (Single Customer Setup).
Claims.CustomerCodeOptional
Default:string.Empty
CustomerCode will be read from this claim (Multi Customer Setup).
User settings
You must set either Claims.ExternalUserId or GrassfishCustomUserIdAttribute. The application doesn’t start if both or neither are set.
CreateUserIfNotExistsOptional
Default:false
If this is set totrue, a new user is created if no existing user can be found.Claims.ExternalUserIdOptional
Default:sub
The claim that contains the external user ID.GrassfishCustomUserIdAttributeOptional
Default:string.Empty
Instead of the user name, a custom user property can be used to identify the Grassfish user. Note thatCreateUserIfNotExistsdoesn’t work in combination with this setting.Claims.EmailOptional
Default:string.Empty
The claim that contains the user's email.Claims.FirstNameOptional
Default:string.Empty
The claim that contains the user's first name.Claims.LastNameOptional
Default:string.Empty
The claim that contains the user's last name.
Permission group settings
You must set either Claims.PermissionGroup or DefaultPermissionGroup if CreateUserIfNotExists is true. The application doesn’t start if both are set.
UpdatePermissionGroupForExistingUsersOptional
Default:false
If this is set totrue, the permission group is set at every login.Claims.PermissionGroupOptional
Default:string.Empty
The claim that contains the permission group name.DefaultPermissionGroupOptional
Default:string.Empty
A constant permission group name that is assigned to all new users.
User group settings
You must set either Claims.UserGroups or DefaultUserGroup if CreateUserIfNotExists is true. The application doesn’t start if both are set.
UpdateUserGroupsForExistingUsersOptional
Default:false
If this is set totrue, the user groups are synced at every login.Claims.UserGroupsOptional
Default:string.Empty
The claim that contains at least one user group name.DefaultUserGroupOptional
Default:string.Empty
A constant user group name that is assigned to all new users.UserGroupDelimiterOptional
Default:string.Empty
Multiple user group names can be provided in eitherDefaultUserGrouporClaims.UserGroups. They must be separated by theUserGroupDelimiter.
OpenID connect settings
OpenId:ConfigurationEndpointRequired
Default:string.Empty
Configuration file of the OpenID provider, for example:https://openidprovider/.well-known/openid-configurationOpenId:ClientIdRequired
Default:string.Empty
Client identifier valid with the identity provider.OpenId:ClientSecretRequired
Default:string.Empty
Client secret valid with the identity provider.OpenId:ScopeOptional
Default:openid profile
OpenID connect requests must contain theopenidscope value. If not, the behavior is entirely unspecified. Other scope values may be present.OpenId:ResponseTypeOptional
Default:code
OAuth 2.0 response type value that determines the authorization processing flow to use, including what parameters the endpoints return.OpenId:UseUserInfoEndpointOptional
Default:false
Usually the IdToken returned by theTokenEndpointcontains all necessary claims for the login. If that’s not the case, an additional request must be made to load the full user information from theUserInfoEndpoint.
Validation settings
Validation:ValidAudienceRequired
Default:string.Empty
Represents a valid audience used to check against the token's audience. It’s usually identical to theClientId.
For more additional validation settings, go to: https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters
Log settings
LogOpenIdProviderCommunicationOptional
Default:false
Logs the requests sent to the OpenID provider. This should only be used for troubleshooting as the requests may contain sensitive information.
.png?sv=2022-11-02&spr=https&st=2025-02-06T17%3A03%3A48Z&se=2025-02-06T17%3A18%3A48Z&sr=c&sp=r&sig=g%2F0nZmqcGh%2B%2BNXpkCOjMIVR2Lw8ggIhGRboJFbGTTaQ%3D)