How to configure OpenID Connect for Authentication


Overview

By default, a vFunction Server authenticates users with a built-in OAuth username-and-password workflow. The authentication workflow can instead be configured to use a third-party OpenID Connect identity provider.

Note that this authentication change does not authorize users to access the applications on the vFunction Server. Before switching the authentication method, it is advisable to add the desired users to the vFunction Server so that these users are authorized. To add users to the vFunction Server:

  1. Create a CSV with the columns app_name, user_mail, user_name, role and first_pwd, for example:
     app_name   user_mail               user_name  role   first_pwd
     app1       charlott@mycompany.com  Charlotte  user   Password1!
     *          admin@mycompany.com     Admin      admin  Password1!
     app1,app2  nikhil@mycompany.com    Nikhil     user   Password1!
  2. Log in to YOUR_VFUNCTION_SERVER/organization/team
  3. Select Import Users from the left-hand sidebar
  4. Click the blue Choose CSV File button
  5. Select the CSV that you created
  6. Open the file to import the users

Take the following steps to change the authentication workflow from this built-in OAuth username and password to integrate with an OpenID Connect identity provider:

  1. SSH to the vFunction Server
  2. Open the server-installation.yaml:
vi /etc/sysconfig/vfunction/installation/server-installation.yaml
  3. Uncomment and modify the server.authentication keys, using the samples in the sections below as a guide
  4. Save and close the file.
  5. Run the install.sh script if configuring a new vFunction Server, or the upgrade.sh script if modifying an existing vFunction Server:
### Installation Workflow
bash /opt/vfunction/server-installation/install.sh

### Upgrade Workflow
bash /opt/vfunction/server-installation/upgrade.sh

Note: Some values for the identity provider, such as the jwks_url, can be retrieved from the identity provider’s OpenID Connect Metadata Configuration Endpoint at https://<base_url>/.well-known/openid-configuration.
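As an added example (not vFunction's own code), the Python below derives the server.authentication values used on this page from a discovery document and rejects two misconfigurations worth catching before running install.sh: an issuer that does not match the authority, and a non-HTTPS jwks_uri. The discovery document is a constructed sample; the key names are those from server-installation.yaml.

```python
"""Derive the server.authentication keys from an OIDC discovery document."""
import json
from urllib.parse import urlparse

# Constructed sample discovery document, trimmed to the fields used here.
# A real one is served at https://<base_url>/.well-known/openid-configuration.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/as/authorization.oauth2",
    "jwks_uri": "https://idp.example.com/pf/JWKS",
})


def authentication_values(authority, client_id, client_secret, metadata_json):
    """Return the server.authentication mapping, or raise ValueError.

    authority is where browsers are sent to sign in; issuer is the value
    every id_token is checked against. In all samples on this page they
    are identical, so a mismatch means metadata for the wrong tenant or
    domain was fetched.
    """
    meta = json.loads(metadata_json)
    issuer, jwks_url = meta["issuer"], meta["jwks_uri"]
    if issuer.rstrip("/") != authority.rstrip("/"):
        raise ValueError(f"issuer {issuer!r} does not match authority {authority!r}")
    # Signing keys fetched over plain HTTP could be swapped on the wire,
    # so only https endpoints are accepted.
    for name, url in (("issuer", issuer), ("jwks_uri", jwks_url)):
        if urlparse(url).scheme != "https":
            raise ValueError(f"{name} must use https, got {url}")
    return {
        "authority": authority,
        "client_id": client_id,
        "client_secret": client_secret,  # empty for Azure and Okta (see page)
        "jwks_url": jwks_url,
        "issuer": issuer,
    }


def render_yaml(values):
    """Render the mapping in the layout server-installation.yaml uses."""
    lines = ["server:", "  authentication:"]
    lines += [f"    {key}: '{value}'" for key, value in values.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    values = authentication_values(
        "https://idp.example.com", "clientID-xyz", "", SAMPLE_METADATA)
    print(render_yaml(values))
```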


Azure Active Directory OIDC

Create a vFunction Application in Azure’s Portal

Take the following steps to configure a vFunction Application in Azure’s Portal:

  1. Log in to the Azure Portal
  2. From the Menu Bar, select Add > App Registration
  3. In the text box, enter a name for the Azure OIDC Application, such as “vfunction”
  4. Under Supported Account Types, select who can use the new Azure OIDC Application
  5. Click the blue Register button
  6. In the Essentials center pane, click the link to Add a Redirect URI
  7. Under Platform configurations, select Add a platform
  8. Under Web Applications, select Single-page Application
  9. Under Redirect URI, input your vFunction Server’s address followed by /oauth/redirect, e.g. https://vfunction.mycompany.com/oauth/redirect
  10. Under Front-channel logout URL, input your vFunction Server’s address followed by /signout, e.g. https://vfunction.mycompany.com/signout
  11. Under Implicit grant and hybrid flow, check the box for Access Tokens
  12. Click the blue Configure button

Configure the vFunction Server to use Azure OpenID

Replace the values “tenantId” and “clientId” below with the organization’s unique values.

Note that, in most circumstances, Azure will not function properly if a clientSecret is supplied for an external connection such as vFunction. Start with this field empty and add the clientSecret only on a second attempt, if the first attempt fails with an error indicating that the clientSecret is missing.

server:
  authentication:
    authority: 'https://login.microsoftonline.com/tenantId/v2.0'
    client_id: 'clientId'
    client_secret: '' #Leave this field empty
    jwks_url: 'https://login.microsoftonline.com/tenantId/discovery/v2.0/keys'
    issuer: 'https://login.microsoftonline.com/tenantId/v2.0'

Google OpenID Connect (OIDC)

The values below are an example; the actual values are provided by Google. The client_id and client_secret are unique to each environment.

server:
  authentication:
    authority: 'https://accounts.google.com'
    client_id: 'clientID-xyz'
    client_secret: 'clientSecret-xyz'
    jwks_url: 'https://www.googleapis.com/oauth2/v3/certs'
    issuer: 'https://accounts.google.com'

Okta OpenID Connect

Create the vFunction App in the Okta Admin Console

In the steps below, replace the values “yourOktaDomain” and “yourVFunctionServerAddress” with your organization’s values.

  1. In a browser, open https://${yourOktaDomain}/admin/apps/active
  2. Click the blue Create App Integration button at the top of the center pane
  3. Select the OIDC - OpenID Connect radio button for Sign-in method
  4. Select the Single-Page Application radio button for Application type
  5. Type vFunction in the text box for App integration name
  6. Check the boxes for both Authorization Code and Refresh Token for Grant type
  7. Type ${yourVFunctionServerAddress}/oauth/redirect for Sign-in redirect URIs
  8. Type ${yourVFunctionServerAddress} for Sign-out redirect URIs
  9. Set access as desired, e.g. Everyone in the organization
  10. Save the App
  11. Copy the Client ID to be able to use it in the vFunction server-installation.yaml

Configure the vFunction Server to use Okta OpenID Connect

The Okta examples below are taken from Okta’s documentation. Replace the values “yourOktaDomain” and “clientId” with your organization’s values.

server:
  authentication:
    authority: 'https://yourOktaDomain'
    client_id: 'clientId'
    ### Do not add the Client Secret. This field can be left blank
    client_secret: ''
    jwks_url: 'https://yourOktaDomain/oauth2/v1/keys'
    issuer: 'https://yourOktaDomain'

PingFederate OpenID Connect (OIDC)

The values below are an example; the actual values are provided by Ping Identity. The client_id and client_secret are unique to each environment.

server:
  authentication:
    authority: 'https://<base_url>'
    client_id: 'clientID-xyz'
    client_secret: 'clientSecret-xyz'
    jwks_url: 'https://<base_url>/pf/JWKS'
    issuer: 'https://<base_url>'