How to configure OpenID Connect for Authentication
Overview
By default, a vFunction Server authenticates users with its built-in OAuth username-and-password workflow. To replace that workflow with sign-in through an OpenID Connect (OIDC) identity provider, take the following steps:
- SSH to the vFunction Server
- Open server-installation.yaml:
vi /etc/sysconfig/vfunction/installation/server-installation.yaml
- Uncomment and modify the keys under server.authentication, using the samples in the sections below as a guide.
- Save and close the file.
- Run the install.sh script if configuring a new vFunction Server or the upgrade.sh script if modifying an existing vFunction Server:
### Installation Workflow
bash /opt/vfunction/server-installation/install.sh
### Upgrade Workflow
bash /opt/vfunction/server-installation/upgrade.sh
Note: The provider-side values, in particular issuer and jwks_url, can be read from the identity provider’s OpenID Connect discovery document at https://<base_url>/.well-known/openid-configuration (its issuer and jwks_uri fields). Copy the issuer from that document rather than typing it: it must match the iss claim in the provider’s tokens character for character, including any trailing path such as /v2.0, or token validation fails. Both jwks_url and authority must be https URLs, because the server trusts whatever signing keys it downloads from jwks_url. The file now holds client_secret in plaintext, so restrict read access to server-installation.yaml and keep the secret out of shell history and version control.
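As an added example (this is not vFunction tooling or code from the product), the following Python script fetches a provider’s discovery document, applies the checks described in the note above, and prints a server.authentication fragment in the format used in the samples below. Everything it relies on is the standard OpenID Connect Discovery format (the issuer and jwks_uri fields). The sample discovery document embedded in it is constructed, modelled on the shape of a Microsoft identity platform response, so the script runs offline; the VF_CLIENT_SECRET environment variable is this script’s own convention for keeping the secret off the command line, not a vFunction setting.

```python
"""Build a server.authentication fragment from an OIDC discovery document.

Added example; not part of the vFunction documentation or product. It relies
only on the standard OpenID Connect Discovery fields "issuer" and "jwks_uri".
SAMPLE_DISCOVERY is a constructed document (shaped like a Microsoft identity
platform response) so the script can run offline.
"""
import json
import os
import sys
import urllib.request

# Constructed sample; a real document comes from fetch_discovery().
SAMPLE_DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/tenantId/v2.0",
    "authorization_endpoint":
        "https://login.microsoftonline.com/tenantId/oauth2/v2.0/authorize",
    "token_endpoint":
        "https://login.microsoftonline.com/tenantId/oauth2/v2.0/token",
    "jwks_uri":
        "https://login.microsoftonline.com/tenantId/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}


def fetch_discovery(base_url, timeout=10):
    """Download <base_url>/.well-known/openid-configuration, https only."""
    if not base_url.startswith("https://"):
        raise ValueError("discovery must be fetched over https: %r" % base_url)
    url = base_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_discovery(doc, expected_issuer=None):
    """Return a list of problems; an empty list means the document is usable.

    issuer and jwks_uri must be present and https: the server trusts whatever
    keys it downloads from jwks_url, so a plain-http URL invites signing-key
    substitution. The issuer must equal the URL the document was fetched from
    (OpenID Connect Discovery, section 4.3); a mismatch usually means the wrong
    tenant or authorization server was queried. At least one asymmetric
    signing algorithm must be offered, since a JWKS of public keys cannot
    verify HS256 tokens.
    """
    problems = []
    for key in ("issuer", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append("missing %s" % key)
        elif not value.startswith("https://"):
            problems.append("%s is not https: %s" % (key, value))
    if expected_issuer and doc.get("issuer") != expected_issuer:
        problems.append("issuer %r does not match %r"
                        % (doc.get("issuer"), expected_issuer))
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if algs and not any(a.startswith(("RS", "PS", "ES")) for a in algs):
        problems.append("no asymmetric signing algorithm offered: %s" % algs)
    return problems


def yaml_quote(value):
    """Single-quoted YAML scalar, matching the style used on this page."""
    return "'" + str(value).replace("'", "''") + "'"


def render_authentication_block(doc, client_id, client_secret):
    """Render the server.authentication fragment for server-installation.yaml.

    authority and issuer are both set to the discovery document's issuer,
    as in the Azure AD and Google samples on this page.
    """
    issuer = doc["issuer"]
    lines = [
        "server:",
        "  authentication:",
        "    authority: " + yaml_quote(issuer),
        "    client_id: " + yaml_quote(client_id),
        "    client_secret: " + yaml_quote(client_secret),
        "    jwks_url: " + yaml_quote(doc["jwks_uri"]),
        "    issuer: " + yaml_quote(issuer),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: oidc_config.py <authority_url> <client_id>
    # The secret is read from VF_CLIENT_SECRET (this script's convention) so
    # it stays out of shell history. With no arguments the sample is used.
    client_secret = os.environ.get("VF_CLIENT_SECRET", "clientSecret")
    if len(sys.argv) == 3:
        authority, client_id = sys.argv[1], sys.argv[2]
        doc = fetch_discovery(authority)
        expected = authority.rstrip("/")
    else:
        doc, client_id, expected = SAMPLE_DISCOVERY, "clientId", SAMPLE_DISCOVERY["issuer"]
    problems = check_discovery(doc, expected)
    if problems:
        sys.exit("discovery document rejected:\n  " + "\n  ".join(problems))
    sys.stdout.write(render_authentication_block(doc, client_id, client_secret))
```

Run it with the authority URL (for example https://login.microsoftonline.com/<tenantId>/v2.0 or https://accounts.google.com) and the client ID, with VF_CLIENT_SECRET exported, then paste the printed fragment into server-installation.yaml. If the script rejects the document, the issuer you passed is not the one the provider advertises and the configured issuer would not match the iss claim in tokens.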
Azure Active Directory OIDC
Replace “tenantId” (it appears in all three URLs), “clientId”, and “clientSecret” below with the organization’s values. Use your tenant ID (or a verified tenant domain) rather than the common or organizations endpoint: the issuer must be one fixed value, and the tokens Azure AD issues carry the tenant-specific issuer in their iss claim.
server:
  authentication:
    authority: 'https://login.microsoftonline.com/tenantId/v2.0'
    client_id: 'clientId'
    client_secret: 'clientSecret'
    jwks_url: 'https://login.microsoftonline.com/tenantId/discovery/v2.0/keys'
    issuer: 'https://login.microsoftonline.com/tenantId/v2.0'
Google OpenID Connect (OIDC)
The values below are an example. The authority, jwks_url and issuer are Google’s published values; the client_id and client_secret are unique to each environment.
server:
  authentication:
    authority: 'https://accounts.google.com'
    client_id: 'clientID-xyz'
    client_secret: 'clientSecret-xyz'
    jwks_url: 'https://www.googleapis.com/oauth2/v3/certs'
    issuer: 'https://accounts.google.com'
Okta OpenID Connect
The Okta example below is taken from Okta’s documentation. Replace “yourOktaDomain”, “clientId”, and “clientSecret” with your organization’s values. Before saving, confirm the authority, issuer and jwks_url against the issuer and jwks_uri fields of your authorization server’s discovery document: https://yourOktaDomain/.well-known/openid-configuration for the org authorization server, or https://yourOktaDomain/oauth2/<authServerId>/.well-known/openid-configuration for a custom authorization server, whose issuer and keys URL include the /oauth2/<authServerId> path. The issuer configured here must equal the iss claim Okta places in its tokens, or sign-in fails at token validation.
server:
  authentication:
    authority: 'https://yourOktaDomain/oauth2/v1/authorize'
    client_id: 'clientId'
    client_secret: 'clientSecret'
    jwks_url: 'https://yourOktaDomain/oauth2/v1/keys'
    issuer: 'https://yourOktaDomain/oauth2'
PingFederate OpenID Connect (OIDC)
The values below are an example based on Ping Identity’s documentation. Replace <base_url> with your PingFederate base URL; the client_id and client_secret are unique to each environment.
server:
  authentication:
    authority: 'https://<base_url>'
    client_id: 'clientID-xyz'
    client_secret: 'clientSecret-xyz'
    jwks_url: 'https://<base_url>/pf/JWKS'
    issuer: 'https://<base_url>'