How to configure OpenID Connect for Authentication

Overview

By default, a vFunction Server allows users to authenticate with a built-in OAuth username and password workflow. But, the vFunction Server’s authentication workflow can be modified to use third-party OpenID Direct Connect configurations.

Note that this authentication change does not authorize users to be able to access the applications on the vFunction Server. Before switching the authentication method, it is advisable to add the desired users to the vFunction server so these users are authorized. To add users to the vFunction Server:

  1. Create a CSV with the following formatting
app_name
user_mail
user_name
role
first_pwd
app1 charlott@mycompany.com Charlotte user Password1!
* admin@mycompany.com Admin admin Password1!
app1,app2 nikhil@mycompany.com Nikhil user Password1!
  1. Log into YOUR_VFUNCTION_SERVER/organization/team
  2. Select Import Users from the left-hand sidebar
  3. Click the blue Choose CSV File button
  4. Select the CSV that you created
  5. Open the file to import the users

Take the following steps to change the authentication workflow from this built-in OAuth username and password to integrate with an OpenID Connect identity provider:

  1. SSH to the vFunction Server
  2. Open the server-installation.yaml:
vi /etc/sysconfig/vfunction/installation/server-installation.yaml
  1. Uncomment and modify the server.authentication keys using the samples in the sections below as a guide
  2. Save and close the file.
  3. Run the install.sh script if configuring a new vFunction Server or the upgrade.sh script if modifying an existing vFunction Server:
### Installation Workflow
bash /opt/vfunction/server-installation/install.sh

### Upgrade Workflow
bash /opt/vfunction/server-installation/upgrade.sh

Note: Some values for the identity provider, such as the JWKS_URL, can be retrieved from the identity provider’s OpenID Connect Metadata Configuration Endpoint at https://<base_url>/.well-known/openid-configuration.

Azure Active Directory OIDC

Create a vFunction Application in Azure’s Portal

Take the following steps to configure a vFunction Application in Azure’s Portal:

  1. Login into the Azure Portal
  2. From the Menu Bar, select Add > App Registration
  3. In the text box, select a name for the Azure OIDC Application, such as, “vfunction”
  4. Under Supported Account Types, select who can use the new Azure OIDC Application, e.g. “Accounts in this organizational directory only”
  5. Under the Redirect URI (optional) header, select Single-page Application (SPA) in the Select a platform dropdown
  6. Type the following URLs into the text box next to Single-page application (SPA):
  • https:// $YOUR_VF_SERVER_ADDRESS/oauth/redirect: This is used when the authentication process is started from the vFunction Server UI
  • https:// $YOUR_VF_SERVER_ADDRESS: This is used when the authentication process is started from Microsoft Apps, e.g. m365.cloud.microsoft.com
  • https:// localhost/api/vfunction/plugins/vscode: This is used by the vFunction Visual Studio Code Extension for GenAI Prompt-based Refactoring
  1. Click the blue Register button
  2. In the left-hand sidebar, select API permissions under Manage
  3. Select the three-horizontal-dot submenu button next to user.read and select Remove permission
  4. Select Add a permission in the center pane
  5. Select Microsoft Graph from the right-hand dialog box under the Microsoft APIs header
  6. Select Delegated permissions
  7. Check the boxes next to email, openid, and profile
  8. Click the blue Add permissions button at the bottom of the dialog box
  9. Click the checkbox icon on the Configured Permissions Menu Bar to Add admin consent for $organizationName
  10. Click Yes in the confirmation dialog box
  11. In the left-hand sidebar, select Authentication under Manage
  12. Under Front-channel logout URL, input your vFunction Server’s address followed by /signout, e.g https:// $VF_SERVER_ADDRESS/signout
  13. Click the blue Save button
  14. Select Overview from the left-hand sidebar to gather the Tenant ID and Client ID
Configure the vFunction Server to use Azure OpenID

Replace the values “tenantID” and “clientId” below with the organization’s unique values.

Please note that, in most circumstances, Azure will not function properly if the clientSecret is added to an external connection like vFunction. Please start without a value in this field and, if required, add the clientSecret on the second attempt if the first attempt generates an error indicating that the clientSecret is missing.

server:
  authentication:
    authority: 'https://login.microsoftonline.com/tenantId/v2.0'
    client_id: 'clientId'
    client_secret: '' #Leave this field empty
    jwks_url: 'https://login.microsoftonline.com/tenantId/discovery/v2.0/keys'
    issuer: 'https://login.microsoftonline.com/tenantId/v2.0'

Google OpenID Connect (OIDC)

Create a vFunction Application in Google’s dashboard

Take the following steps to configure a vFunction Application in Google’s Dashboard:

  1. Visit the Google Console Dashboard
  2. Click Credentials in the left-hand sidebar
  3. Click Create Credentials at top of center pane
  4. Choose OAuth Client ID from the dropdown choices. Note that this might make you fill out the Consent Screen page if it hasn’t been done already
  5. Choose Web Application from the Application Type dropdown
  6. Give the OAuth Client a name in the text box for Name
  7. Click the ADD URI button under the Authorized JavaScript Origins** header. Input the vFunction Server’s Fully Qualified Domain Name (FQDN)
  8. Click the Add Redirect URIs header. Input the FQDN/oauth/redirect
  9. Click the Create button
  10. Copy the Client ID and Client Secret from the dialog box where they are displayed for use on the vFunction Server
Create a 2nd vFunction Application in Google’s dashboard for Visual Studio Code

Take the following steps to configure the vFunction Visual Studio Code Extension in Google’s Dashboard to be used with GenAI Prompts for refactoring code:

  1. Visit the Google Console Dashboard
  2. Click Credentials in the left-hand sidebar
  3. Click Create Credentials at top of center pane
  4. Choose OAuth Client ID from the dropdown choices. Note that this might make you fill out the Consent Screen page if it hasn’t been done already
  5. Choose Desktop Application from the Application Type dropdown
  6. Give the OAuth Client a name in the text box for Name
  7. Click the Create button
  8. Copy the Client ID and Client Secret from the dialog box where they are displayed as the Client Secret will not be accessible from this point forward. However, these values are not required for use with Visual Studio Code
Configure the vFunction Server to use Google OpenID Connect

Note that the values below are an example. The values below are provided by Google.

The client_id and client_secret will be unique to each environment.

server:
  authentication:
    authority: 'https://accounts.google.com'
    client_id: 'clientID-xyz'
    client_secret: 'clientSecret-xyz'
    jwks_url: 'https://www.googleapis.com/oauth2/v3/certs'
    issuer: 'https://accounts.google.com'

KeyCloak OpenID Connect (OIDC)

Create a vFunction Application in Keycloak Admin Console
  1. Log into the Keycloak Admin Console
  2. In the General Settings, select Clients from the left-hand sidebar
  3. Select Create client blue button on the menu bar
  4. Select OpenID Connect in the Client Type dropdown
  5. Type a Client ID such as qa-vfunction
  6. Type a Name for the vFunction Client
  7. Click the Next blue button in the bottom center
  8. In the Capability Config, ensure Client authentication is toggled to Off
  9. Check Standard Flow checkbox in the Authentication Flow section
  10. Select S256 in the PKCE Method dropdown
  11. Click the Next blue button in the bottom center
  12. In the Login Settings, type the VF Server Address in the Root URL text box, e.g. https://vfunction.myorg.com
  13. Type the VF Server Address in the Home URL text box, e.g. https://vfunction.myorg.com
  14. Type $VF_SERVER_ADDRESS/oauth/redirect in the Valid redirect URIs text box
  15. Type $VF_SERVER_ADDRESS/signout in the Valid post logout redirect URIs text box
  16. Click the Save blue button in the bottom center
  17. Select Client scopes from the left-hand sidebar
  18. Confirm basic, email, and profile are set to Default in the Assigned type column
  19. Select Users from the left-hand sidebar
  20. Select a test user from the table
  21. Confirm the test user has a value in the Email field that matches the user authorized to the vFunction Server
  22. Add the Keycloak vFunction Client to the vFunction Server’s server-installation.yaml following the steps below
Add the Keycloak Client Details to the vFunction Server-installation.yaml

Note that the values below are an example. The values below are provided by KeyCloak.

The client_id and client_secret will be unique to each environment.

server:
  authentication:
    authority: 'https://{keycloak_base_url}/realms/{realm}'
    client_id: 'clientID-xyz'
    client_secret: '' # Do not add Client Secret
    jwks_url: 'https://{keycloak_base_url}/realms/{realm}/protocol/openid-connect/certs'
    issuer: 'https://{keycloak_base_url}/realms/{realm}'

Okta OpenID Connect

Create the vFunction App in the Okta Admin Console

In the steps below, replace the values, “yourOktaDomain” and “yourVFunctionServerAddress” with your organization’s values.

  1. In a browser, open https://${yourOktaDomain}/admin/apps/active
  2. Click the blue Create App Integration button at the top of the center pane
  3. Select the OIDC - OpenID Connect radio button for Sign-in method
  4. Select the Single-Page Application radio button for Application type
  5. Type vFunction in the text box for App integration name
  6. Check the boxes for both Authorization Code and Refresh Token for Grant type
  7. Type ${yourVFunctionServerAddress}/oauth/redirect for Sign-in redirect URIs
  8. Type ${yourVFunctionServerAddress} for Sign-out redirect URIs
  9. Set access as desired, e.g. Everyone in the organization
  10. Save the App
  11. Copy the Client ID to be able to use it in the vFunction server-installation.yaml
Create the vFunction App in the Okta Admin Console

The Okta examples below are taken from Okta’s documentation. Replace the values “yourOktaDomain”, “clientId” with your organization’s values.

server:
  authentication:
    authority: 'https://yourOktaDomain'
    client_id: 'clientId'
    ### Do not add the Client Secret. This field can be left blank
    client_secret: ''
    jwks_url: 'https://yourOktaDomain/oauth2/v1/keys'
    issuer: 'https://yourOktaDomain'

PingFederate OpenID Connect (OIDC)

Note that the values below are an example. The values below are provided by PingIdentity

The client_id and client_secret will be unique to each environment.

server:
  authentication:
    authority: 'https://<base_url>'
    client_id: 'clientID-xyz'
    client_secret: 'clientSecret-xyz'
    jwks_url: 'https://<base_url>/pf/JWKS'
    issuer: 'https://<base_url>'

Debugging

Take the following steps to debug an issue with OpenID Direct Connect:

  1. Create the vFunction App in the OIDC Provider
  2. Add the OIDC Provider’s Configuration Settings to the vFunction Server-Installation.yaml
  3. Run the vFunction Server’s upgrade.sh script
  4. Open a browser with the F12 Network Console open
  5. Visit your vFunction Server
  6. The vFunction Server visits the site ISSUER/.well-known/openid-configuration to gather the URL for the authorization_endpoint. If you are never redirected to the login page of your OIDC provider, it’s most likely because the Issuer field is incorrect in the server-installation.yaml
  7. After logging in to your Identity Provider, you should be redirected back to the vFunction Server. If you are caught in a loop at this stage being bounced back and forth between the vFunction Server and your Identity Provider, it is probably due to a setting in the Identity Provider’s vFunction App. If you are redirected back to the vFunction Server and an error is generated on the vFunction Server, find the /token API call
  8. Copy the Encoded Token from the F12 Network Console
  9. Paste the Encoded Token into https://www.jwt.io to see the Decoded Headers. Look for unexpected values in the JSON to further debug

Updated on 06 May 2026