How to configure OpenID Connect for Authentication

Overview

By default, a vFunction Server allows users to authenticate with a built-in OAuth username and password workflow. But, the vFunction Server’s authentication workflow can be modified to use third-party OpenID Direct Connect configurations.

Note that this authentication change does not authorize users to be able to access the applications on the vFunction Server. Before switching the authentication method, it is advisable to add the desired users to the vFunction server so these users are authorized. To add users to the vFunction Server:

  1. Create a CSV with the following formatting
app_name
user_mail
user_name
role
first_pwd
app1 charlott@mycompany.com Charlotte user Password1!
* admin@mycompany.com Admin admin Password1!
app1,app2 nikhil@mycompany.com Nikhil user Password1!
  1. Log into YOUR_VFUNCTION_SERVER/organization/team
  2. Select Import Users from the left-hand sidebar
  3. Click the blue Choose CSV File button
  4. Select the CSV that you created
  5. Open the file to import the users

Take the following steps to change the authentication workflow from this built-in OAuth username and password to integrate with an OpenID Connect identity provider:

  1. SSH to the vFunction Server
  2. Open the server-installation.yaml:
vi /etc/sysconfig/vfunction/installation/server-installation.yaml
  1. Uncomment and modify the server.authentication keys using the samples in the sections below as a guide
  2. Save and close the file.
  3. Run the install.sh script if configuring a new vFunction Server or the upgrade.sh script if modifying an existing vFunction Server:
### Installation Workflow
bash /opt/vfunction/server-installation/install.sh

### Upgrade Workflow
bash /opt/vfunction/server-installation/upgrade.sh

Note: Some values for the identity provider, such as the JWKS_URL, can be retrieved from the identity provider’s OpenID Connect Metadata Configuration Endpoint at https://<base_url>/.well-known/openid-configuration.

Azure Active Directory OIDC

Create a vFunction Application in Azure’s Portal

Take the following steps to configure a vFunction Application in Azure’s Portal:

  1. Login into the Azure Portal
  2. From the Menu Bar, select Add > App Registration
  3. In the text box, select a name for the Azure OIDC Application, such as, “vfunction”
  4. Under Supported Account Types, select who can use the new Azure OIDC Application, e.g. “Accounts in this organizational directory only”
  5. Under the Redirect URI (optional) header, select Single-page Application (SPA) in the Select a platform dropdown
  6. Type https:// $YOUR_VF_SERVER_ADDRESS/oauth/redirect in the text box next to Single-page application (SPA)
  7. Click the blue Register button
  8. In the left-hand sidebar, select API permissions under Manage
  9. Select the three-horizontal-dot submenu button next to user.read and select Remove permission
  10. Select Add a permission in the center pane
  11. Select Microsoft Graph from the right-hand dialog box under the Microsoft APIs header
  12. Select Delegated permissions
  13. Check the boxes next to email, openid, and profile
  14. Click the blue Add permissions button at the bottom of the dialog box
  15. Click the checkbox icon on the Configured Permissions Menu Bar to Add admin consent for $organizationName
  16. Click Yes in the confirmation dialog box
  17. In the left-hand sidebar, select Authentication under Manage
  18. Under Front-channel logout URL, input your vFunction Server’s address followed by /signout, e.g https:// $VF_SERVER_ADDRESS/signout
  19. Click the blue Save button
  20. Select Overview from the left-hand sidebar to gather the Tenant ID and Client ID
Configure the vFunction Server to use Azure OpenID

Replace the values “tenantID” and “clientId” below with the organization’s unique values.

Please note that, in most circumstances, Azure will not function properly if the clientSecret is added to an external connection like vFunction. Please start without a value in this field and, if required, add the clientSecret on the second attempt if the first attempt generates an error indicating that the clientSecret is missing.

server:
  authentication:
    authority: 'https://login.microsoftonline.com/tenantId/v2.0'
    client_id: 'clientId'
    client_secret: '' #Leave this field empty
    jwks_url: 'https://login.microsoftonline.com/tenantId/discovery/v2.0/keys'
    issuer: 'https://login.microsoftonline.com/tenantId/v2.0'

Google OpenID Connect (OIDC)

Note that the values below are an example. The values below are provided by Google.

The client_id and client_secret will be unique to each environment.

server:
  authentication:
    authority: 'https://accounts.google.com'
    client_id: 'clientID-xyz'
    client_secret: 'clientSecret-xyz'
    jwks_url: 'https://www.googleapis.com/oauth2/v3/certs'
    issuer: 'https://accounts.google.com'

KeyCloak OpenID Connect (OIDC)

Create a vFunction Application in Keycloak Admin Console
  1. Log into the Keycloak Admin Console
  2. In the General Settings, select Clients from the left-hand sidebar
  3. Select Create client blue button on the menu bar
  4. Select OpenID Connect in the Client Type dropdown
  5. Type a Client ID such as qa-vfunction
  6. Type a Name for the vFunction Client
  7. Click the Next blue button in the bottom center
  8. In the Capability Config, ensure Client authentication is toggled to Off
  9. Check Standard Flow checkbox in the Authentication Flow section
  10. Select S256 in the PKCE Method dropdown
  11. Click the Next blue button in the bottom center
  12. In the Login Settings, type the VF Server Address in the Root URL text box, e.g. https://vfunction.myorg.com
  13. Type the VF Server Address in the Home URL text box, e.g. https://vfunction.myorg.com
  14. Type $VF_SERVER_ADDRESS/oauth/redirect in the Valid redirect URIs text box
  15. Type $VF_SERVER_ADDRESS/signout in the Valid post logout redirect URIs text box
  16. Click the Save blue button in the bottom center
  17. Select Client scopes from the left-hand sidebar
  18. Confirm basic, email, and profile are set to Default in the Assigned type column
  19. Select Users from the left-hand sidebar
  20. Select a test user from the table
  21. Confirm the test user has a value in the Email field that matches the user authorized to the vFunction Server
  22. Add the Keycloak vFunction Client to the vFunction Server’s server-installation.yaml following the steps below
Add the Keycloak Client Details to the vFunction Server-installation.yaml

Note that the values below are an example. The values below are provided by KeyCloak.

The client_id and client_secret will be unique to each environment.

server:
  authentication:
    authority: 'https://{keycloak_base_url}/realms/{realm}'
    client_id: 'clientID-xyz'
    client_secret: '' # Do not add Client Secret
    jwks_url: 'https://{keycloak_base_url}/realms/{realm}/protocol/openid-connect/certs'
    issuer: 'https://{keycloak_base_url}/realms/{realm}'

Okta OpenID Connect

Create the vFunction App in the Okta Admin Console

In the steps below, replace the values, “yourOktaDomain” and “yourVFunctionServerAddress” with your organization’s values.

  1. In a browser, open https://${yourOktaDomain}/admin/apps/active
  2. Click the blue Create App Integration button at the top of the center pane
  3. Select the OIDC - OpenID Connect radio button for Sign-in method
  4. Select the Single-Page Application radio button for Application type
  5. Type vFunction in the text box for App integration name
  6. Check the boxes for both Authorization Code and Refresh Token for Grant type
  7. Type ${yourVFunctionServerAddress}/oauth/redirect for Sign-in redirect URIs
  8. Type ${yourVFunctionServerAddress} for Sign-out redirect URIs
  9. Set access as desired, e.g. Everyone in the organization
  10. Save the App
  11. Copy the Client ID to be able to use it in the vFunction server-installation.yaml
Create the vFunction App in the Okta Admin Console

The Okta examples below are taken from Okta’s documentation. Replace the values “yourOktaDomain”, “clientId” with your organization’s values.

server:
  authentication:
    authority: 'https://yourOktaDomain'
    client_id: 'clientId'
    ### Do not add the Client Secret. This field can be left blank
    client_secret: ''
    jwks_url: 'https://yourOktaDomain/oauth2/v1/keys'
    issuer: 'https://yourOktaDomain'

PingFederate OpenID Connect (OIDC)

Note that the values below are an example. The values below are provided by PingIdentity

The client_id and client_secret will be unique to each environment.

server:
  authentication:
    authority: 'https://<base_url>'
    client_id: 'clientID-xyz'
    client_secret: 'clientSecret-xyz'
    jwks_url: 'https://<base_url>/pf/JWKS'
    issuer: 'https://<base_url>'

Debugging

Take the following steps to debug an issue with OpenID Direct Connect:

  1. Create the vFunction App in the OIDC Provider
  2. Add the OIDC Provider’s Configuration Settings to the vFunction Server-Installation.yaml
  3. Run the vFunction Server’s upgrade.sh script
  4. Open a browser with the F12 Network Console open
  5. Visit your vFunction Server
  6. The vFunction Server visits the site ISSUER/.well-known/openid-configuration to gather the URL for the authorization_endpoint. If you are never redirected to the login page of your OIDC provider, it’s most likely because the Issuer field is incorrect in the server-installation.yaml
  7. After logging in to your Identity Provider, you should be redirected back to the vFunction Server. If you are caught in a loop at this stage being bounced back and forth between the vFunction Server and your Identity Provider, it is probably due to a setting in the Identity Provider’s vFunction App. If you are redirected back to the vFunction Server and an error is generated on the vFunction Server, find the /token API call
  8. Copy the Encoded Token from the F12 Network Console
  9. Paste the Encoded Token into https://www.jwt.io to see the Decoded Headers. Look for unexpected values in the JSON to further debug

Updated on 25 Feb 2026