How to configure OpenID Connect for Authentication

Overview

By default, a vFunction Server allows users to authenticate with a built-in OAuth username and password workflow. But, the vFunction Server’s authentication workflow can be modified to use third-party OpenID Direct Connect configurations.

Note that this authentication change does not authorize users to be able to access the applications on the vFunction Server. Before switching the authentication method, it is advisable to add the desired users to the vFunction server so these users are authorized. To add users to the vFunction Server:

  1. Create a CSV with the following formatting
app_name
user_mail
user_name
role
first_pwd
app1 charlott@mycompany.com Charlotte user Password1!
* admin@mycompany.com Admin admin Password1!
app1,app2 nikhil@mycompany.com Nikhil user Password1!
  1. Log into YOUR_VFUNCTION_SERVER/organization/team
  2. Select Import Users from the left-hand sidebar
  3. Click the blue Choose CSV File button
  4. Select the CSV that you created
  5. Open the file to import the users

Take the following steps to change the authentication workflow from this built-in OAuth username and password to integrate with an OpenID Connect identity provider:

  1. SSH to the vFunction Server
  2. Open the server-installation.yaml:
vi /etc/sysconfig/vfunction/installation/server-installation.yaml
  1. Uncomment and modify the server.authentication keys using the samples in the sections below as a guide
  2. Save and close the file.
  3. Run the install.sh script if configuring a new vFunction Server or the upgrade.sh script if modifying an existing vFunction Server:
### Installation Workflow
bash /opt/vfunction/server-installation/install.sh

### Upgrade Workflow
bash /opt/vfunction/server-installation/upgrade.sh

Note: Some values for the identity provider, such as the JWKS_URL, can be retrieved from the identity provider’s OpenID Connect Metadata Configuration Endpoint at https://<base_url>/.well-known/openid-configuration.

Azure Active Directory OIDC

Create a vFunction Application in Azure’s Portal

Take the following steps to configure a vFunction Application in Azure’s Portal:

  1. Login into the Azure Portal
  2. From the Menu Bar, select Add > App Registration
  3. In the text box, select a name for the Azure OIDC Application, such as, “vfunction”
  4. Under Supported Account Types, select who can use the new Azure OIDC Application, e.g. “Accounts in this organizational directory only”
  5. Under the Redirect URI (optional) header, select Single-page Application (SPA) in the Select a platform dropdown
  6. Type https:// $YOUR_VF_SERVER_ADDRESS/oauth/redirect in the text box next to Single-page application (SPA)
  7. Click the blue Register button
  8. In the left-hand sidebar, select API permissions under Manage
  9. Select the three-horizontal-dot submenu button next to user.read and select Remove permission
  10. Select Add a permission in the center pane
  11. Select Microsoft Graph from the right-hand dialog box under the Microsoft APIs header
  12. Select Delegated permissions
  13. Check the boxes next to email, openid, and profile
  14. Click the blue Add permissions button at the bottom of the dialog box
  15. Click the checkbox icon on the Configured Permissions Menu Bar to Add admin consent for $organizationName
  16. Click Yes in the confirmation dialog box
  17. In the left-hand sidebar, select Authentication under Manage
  18. Under Front-channel logout URL, input your vFunction Server’s address followed by /signout, e.g https:// $VF_SERVER_ADDRESS/signout
  19. Click the blue Save button
  20. Select Overview from the left-hand sidebar to gather the Tenant ID and Client ID
Configure the vFunction Server to use Azure OpenID

Replace the values “tenantID” and “clientId” below with the organization’s unique values.

Please note that, in most circumstances, Azure will not function properly if the clientSecret is added to an external connection like vFunction. Please start without a value in this field and, if required, add the clientSecret on the second attempt if the first attempt generates an error indicating that the clientSecret is missing.

server:
  authentication:
    authority: 'https://login.microsoftonline.com/tenantId/v2.0'
    client_id: 'clientId'
    client_secret: '' #Leave this field empty
    jwks_url: 'https://login.microsoftonline.com/tenantId/discovery/v2.0/keys'
    issuer: 'https://login.microsoftonline.com/tenantId/v2.0'

Google OpenID Connect (OIDC)

Note that the values below are an example. The values below are provided by Google.

The client_id and client_secret will be unique to each environment.

server:
  authentication:
    authority: 'https://accounts.google.com'
    client_id: 'clientID-xyz'
    client_secret: 'clientSecret-xyz'
    jwks_url: 'https://www.googleapis.com/oauth2/v3/certs'
    issuer: 'https://accounts.google.com'

Okta OpenID Connect

Create the vFunction App in the Okta Admin Console

In the steps below, replace the values, “yourOktaDomain” and “yourVFunctionServerAddress” with your organization’s values.

  1. In a browser, open https://${yourOktaDomain}/admin/apps/active
  2. Click the blue Create App Integration button at the top of the center pane
  3. Select the OIDC - OpenID Connect radio button for Sign-in method
  4. Select the Single-Page Application radio button for Application type
  5. Type vFunction in the text box for App integration name
  6. Check the boxes for both Authorization Code and Refresh Token for Grant type
  7. Type ${yourVFunctionServerAddress}/oauth/redirect for Sign-in redirect URIs
  8. Type ${yourVFunctionServerAddress} for Sign-out redirect URIs
  9. Set access as desired, e.g. Everyone in the organization
  10. Save the App
  11. Copy the Client ID to be able to use it in the vFunction server-installation.yaml
Create the vFunction App in the Okta Admin Console

The Okta examples below are taken from Okta’s documentation. Replace the values “yourOktaDomain”, “clientId” with your organization’s values.

server:
  authentication:
    authority: 'https://yourOktaDomain'
    client_id: 'clientId'
    ### Do not add the Client Secret. This field can be left blank
    client_secret: ''
    jwks_url: 'https://yourOktaDomain/oauth2/v1/keys'
    issuer: 'https://yourOktaDomain'

PingFederate OpenID Connect (OIDC)

Note that the values below are an example. The values below are provided by PingIdentity

The client_id and client_secret will be unique to each environment.

server:
  authentication:
    authority: 'https://<base_url>'
    client_id: 'clientID-xyz'
    client_secret: 'clientSecret-xyz'
    jwks_url: 'https://<base_url>/pf/JWKS'
    issuer: 'https://<base_url>'

Updated on 05 Dec 2025