
Configure Federated OIDC Provider

Configuring the relationship between the RSA and the Federated OIDC Provider

In a Federated OIDC Provider RSA, the RSA delegates user authentication and user details to a third-party OAuth Provider. Its own access tokens and other OAuth materials are linked to the corresponding access tokens, refresh tokens and other materials held at the third-party OAuth Provider. See the image below for more details:

[Image: RSA Overview]

The RSA must be registered as an OAuth Client of the Federated OIDC Provider. This relationship is managed in the RSA's database through the oauth_provider table.

The following configuration controls which OAuth Provider acts as the federated OIDC Provider. The RSA may have many OAuth Providers (each Authorization Server, for example, is an OAuth Provider), but only one of them manages user authentication. fpx.oidc.provider.self-hosted.enabled must be set to 'false' and fpx.oidc.provider.federated.enabled must be set to 'true'. This ensures that authentication (connecting a resource owner with the data source/RSA of their choice) is handled by the Federated Provider and is not self-hosted at the RSA itself. The exact provider is selected by the fpx.oidc.provider.federated.federated_issuer value, which must match the issuer_uri column of the corresponding database entry exactly (character for character, including scheme and any trailing slash). fpx.oidc.provider.federated.client_id must be the OAuth Client ID that the RSA-OIDC uses to authenticate to the federated provider.

fpx.oidc.provider.federated.useDownstreamToken must be set to 'true': it tells the RSA that, at the last step of the flow when the resource is requested, it must use the access tokens issued by the federated provider. If that access token has expired, the RSA checks whether a refresh token was issued alongside it. If a refresh token is found, the RSA attempts to refresh the access token as outlined in https://tools.ietf.org/html/rfc6749#page-47.

```yaml
fpx:
  oidc:
    provider:
      self-hosted:
        enabled: false
      federated:
        enabled: true
        client_id: example-client-id
        federated_issuer: https://example-issuer-url.com
        useDownstreamToken: true
    client:
      callback: /oidc/callback
```
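The downstream-token step described above (use the federated provider's access token, refresh it through the RFC 6749 section 6 grant if it has expired, fail if no refresh token was issued) is illustrated by the following added example. It is not the project's code: the token-record shape, the `post` callable standing in for the HTTP client, the 30-second clock-skew allowance and the token endpoint URL are all assumptions; the client_id and issuer are the example values from the configuration above.

```python
"""Added illustration of downstream-token handling at the resource step."""
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode

# Assumed: in practice the token endpoint comes from the issuer's OIDC discovery document.
TOKEN_ENDPOINT = "https://example-issuer-url.com/oauth2/token"


@dataclass
class DownstreamTokens:
    """Tokens issued by the federated provider and linked to the RSA's own access token."""
    access_token: str
    expires_at: float                  # epoch seconds
    refresh_token: Optional[str] = None


class TokenRefreshError(Exception):
    """Raised when the downstream access token cannot be refreshed."""


def build_refresh_request(tokens: DownstreamTokens, client_id: str, client_secret: str) -> str:
    """Form body for an RFC 6749 section 6 refresh request.

    With client_authentication_method = client_secret_post the client credentials travel
    in the form body; private_key_jwt would replace them with a signed client assertion.
    """
    if not tokens.refresh_token:
        raise TokenRefreshError("access token expired and no refresh token was issued with it")
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": tokens.refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def downstream_token_for_request(
    tokens: DownstreamTokens,
    client_id: str,
    client_secret: str,
    post: Callable[[str, str], dict],
    now: Optional[float] = None,
    skew: int = 30,
) -> DownstreamTokens:
    """Return tokens fit to present to the resource, refreshing first if they have expired.

    `post(url, form_body)` is an assumed transport that returns the parsed JSON response.
    """
    now = time.time() if now is None else now
    if tokens.expires_at - skew > now:
        return tokens                  # still valid: use the stored access token as-is
    body = build_refresh_request(tokens, client_id, client_secret)
    resp = post(TOKEN_ENDPOINT, body)
    if "access_token" not in resp:
        raise TokenRefreshError(resp.get("error", "refresh failed"))
    return DownstreamTokens(
        access_token=resp["access_token"],
        expires_at=now + int(resp.get("expires_in", 0)),
        # The provider may rotate the refresh token; keep the old one if it did not.
        refresh_token=resp.get("refresh_token", tokens.refresh_token),
    )


if __name__ == "__main__":
    # Constructed stand-in for the provider's token endpoint (no network involved).
    def fake_post(url: str, body: str) -> dict:
        return {"access_token": "new-access", "expires_in": 3600, "token_type": "Bearer"}

    expired = DownstreamTokens("old-access", expires_at=time.time() - 1, refresh_token="r1")
    print(downstream_token_for_request(expired, "example-client-id", "secret", fake_post))
```

If the refresh itself fails (expired or revoked refresh token), the only recovery is to send the resource owner back through the federated login, which is why the RSA's own token should be treated as unusable at that point rather than retried.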

Database Configuration for Federated OIDC Provider:

A database entry must exist in the oauth_provider table detailing the credentials the RSA uses against the Federated OIDC Provider as well as the scopes being requested. There are currently no admin capabilities for adding these entries. A simple SQL insert is shown below, adding the provider with three example scopes: openid, profile and email.

```sql
INSERT INTO oauth_provider (id, version, date_created, last_updated, client_authentication_method, client_id, client_secret, default_scopes, issuer_uri, name)
VALUES (1, 1, now(), now(), 'client_secret_post', 'example-client-id', 'example-client-secret', 'openid profile email', 'https://example-issuer-url.com', 'example-name');
```

String values use single quotes: in standard SQL (and PostgreSQL) double quotes delimit identifiers, not string literals, so the statement would fail there. The issuer_uri value must be exactly the federated_issuer value from the configuration above.

Note: private_key_jwt is the preferable client_authentication_method for the RSA against any OAuth Provider, as long as that provider supports private key authentication; it avoids storing a shared client secret in the oauth_provider table.
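The following added example ties the database entry to the configuration: it creates an oauth_provider table with the columns used in the INSERT above, inserts the example row with bound parameters instead of quoted literals, and then checks a federated configuration against it (exact issuer_uri match, matching client_id, openid present in the scopes, and a warning where client_secret_post is used rather than the preferred private_key_jwt). It is not the project's own schema management or code; the table DDL, the in-memory sqlite3 database and the use of a plain dict in place of the parsed YAML are assumptions.

```python
"""Added illustration: register the federated provider row and validate the config against it."""
import sqlite3
from datetime import datetime, timezone

# Assumed DDL; column names follow the INSERT shown on the page.
OAUTH_PROVIDER_DDL = """
CREATE TABLE oauth_provider (
    id INTEGER PRIMARY KEY,
    version INTEGER NOT NULL,
    date_created TEXT NOT NULL,
    last_updated TEXT NOT NULL,
    client_authentication_method TEXT NOT NULL,
    client_id TEXT NOT NULL,
    client_secret TEXT,
    default_scopes TEXT NOT NULL,
    issuer_uri TEXT NOT NULL UNIQUE,
    name TEXT NOT NULL
)
"""

# Constructed copy of the example row from the page.
EXAMPLE_PROVIDER = {
    "client_authentication_method": "client_secret_post",
    "client_id": "example-client-id",
    "client_secret": "example-client-secret",
    "default_scopes": ["openid", "profile", "email"],
    "issuer_uri": "https://example-issuer-url.com",
    "name": "example-name",
}


def open_db() -> sqlite3.Connection:
    """In-memory database with the oauth_provider table created."""
    conn = sqlite3.connect(":memory:")
    conn.execute(OAUTH_PROVIDER_DDL)
    return conn


def insert_provider(conn: sqlite3.Connection, provider: dict) -> int:
    """Parameterised form of the page's INSERT: values are bound, never concatenated,
    so a secret containing a quote cannot break or alter the statement. Returns the new id."""
    now = datetime.now(timezone.utc).isoformat()
    cur = conn.execute(
        "INSERT INTO oauth_provider (version, date_created, last_updated, client_authentication_method,"
        " client_id, client_secret, default_scopes, issuer_uri, name)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
        (1, now, now, provider["client_authentication_method"], provider["client_id"],
         provider["client_secret"], " ".join(provider["default_scopes"]),
         provider["issuer_uri"], provider["name"]),
    )
    conn.commit()
    return cur.lastrowid


def check_federated_config(conn: sqlite3.Connection, federated: dict) -> list:
    """Return a list of problems found when matching the fpx.oidc.provider.federated
    settings (given as a dict) against the oauth_provider table; empty means consistent."""
    problems = []
    row = conn.execute(
        "SELECT client_id, client_authentication_method, default_scopes"
        " FROM oauth_provider WHERE issuer_uri = ?",
        (federated["federated_issuer"],),
    ).fetchone()
    if row is None:
        # The lookup is an exact string comparison, so a trailing slash or scheme change is a miss.
        problems.append(f"no oauth_provider row whose issuer_uri equals {federated['federated_issuer']!r} exactly")
        return problems
    client_id, method, scopes = row
    if client_id != federated["client_id"]:
        problems.append(f"client_id mismatch: config {federated['client_id']!r}, table {client_id!r}")
    if "openid" not in scopes.split():
        problems.append("default_scopes lacks 'openid'; the provider will not issue an ID token")
    if method != "private_key_jwt":
        problems.append(f"client_authentication_method is {method!r}; private_key_jwt is preferred where supported")
    return problems


if __name__ == "__main__":
    db = open_db()
    insert_provider(db, EXAMPLE_PROVIDER)
    config = {"client_id": "example-client-id", "federated_issuer": "https://example-issuer-url.com"}
    for problem in check_federated_config(db, config):
        print("WARNING:", problem)
```

Running the check at startup catches the most common misconfiguration, an issuer string that differs from issuer_uri by a trailing slash or scheme, before the first login attempt fails with no provider selected.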