OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It lets Relativity verify the identity of an end user based on the authentication performed by an authorization server, and obtain basic profile information about that user. You can use any provider that supports the OpenID Connect protocol.
Configuring an OpenID Connect authentication provider
To add OpenID Connect on top of your OAuth2 configuration, enter the required information in the fields listed below.
Authentication Provider Information
- Name—enter a user-friendly name for the authentication provider.
- Provider Type—select OpenID Connect.
- Enabled—the provider is enabled by default. However, you can disable it.
- Site URL—set the URL that users enter in the browser to access an instance of Relativity.
Authentication Provider Settings
- OAuth2 Flow—select either Implicit or Code. Prefer Code where the provider supports it: in the code flow the ID token is fetched from the provider's token endpoint in a back-channel request, whereas the implicit flow returns it through the browser URL fragment, which is why current OAuth 2.0 security guidance discourages the implicit flow.
- Client ID—enter your application's ID.
- Display on Login Screen—determines if the OpenID Connect button displays on the login page.
- Login Screen Button Text—determines the text that appears on the button displayed on the login page.
- Authority URL—enter the base URL of the identity provider that hosts the OpenID Connect discovery document at /.well-known/openid-configuration. The issuer value published in that document must match the iss claim of the ID tokens the provider issues.
- Scopes—the default value for this field is openid. The openid checkbox must remain selected because that scope is required. You can additionally select the email or profile scope.
The identity provider responds with the claims associated with the scopes that you request; in other words, the scopes you select determine which claims are available to you.
- Subject Claim Type—the default value for this field is sub. Enter one of the following values based on the scopes that you set:
- If you selected only openid in the Scopes field, this field must be set to sub.
- If you selected openid and email in the Scopes field, you can set this field to email. Do this only if the provider verifies e-mail addresses (the email_verified claim) and never reassigns an address to another person; otherwise an account can be mapped to the wrong user.
- If you selected openid and profile in the Scopes field, set this field to a claim that the identity provider actually returns for that scope. These claims differ for each provider.
The identity provider sends you an ID token that contains the claims for your selected scopes. When you request only the openid scope, sub is used as the claim type. The sub claim is the identifier the provider assigns to the user; it is unique and stable within that provider (issuer), which makes it the safest value to map users on. If you are using Azure AD, see Microsoft identity platform ID tokens for a full list of token claims.
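The following is an added example, not code from Relativity or from this page, of the checks a relying party performs on the ID token described above and of how the Subject Claim Type is resolved against the requested scopes. The discovery document, issuer, client ID, user claims and the shared secret are all constructed for the demo; to keep it runnable offline the token is signed with HS256, whereas a real provider signs with an asymmetric algorithm such as RS256 and publishes its keys at the jwks_uri from the discovery document.

```python
"""Relying-party side of an OpenID Connect login: issuer, audience, expiry and
nonce checks on the ID token, then selection of the configured subject claim."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Set

# Constructed discovery document of the kind served at
# <Authority URL>/.well-known/openid-configuration (all values made up).
DISCOVERY = {
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/authorize",
    "token_endpoint": "https://login.example.com/token",
    "jwks_uri": "https://login.example.com/keys",
    "scopes_supported": ["openid", "email", "profile"],
}

# Claims that each standard scope entitles the relying party to (OIDC Core 5.4).
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "email": {"email", "email_verified"},
    "profile": {"name", "given_name", "family_name", "preferred_username", "picture"},
}


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_id_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256-signed ID token. Demo only: real providers use RS256/ES256
    with keys published at jwks_uri; HS256 keeps this example self-contained."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, client_id: str, now: int,
                    expected_nonce: Optional[str] = None) -> dict:
    """Checks required before any claim in the token is trusted (OIDC Core 3.1.3.7)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose an algorithm you did not configure
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != DISCOVERY["issuer"]:  # iss must equal the issuer from the Authority URL's discovery doc
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):  # token must be minted for this Client ID
        raise ValueError("audience mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def subject_for_user(claims: dict, scopes: Set[str], subject_claim_type: str) -> str:
    """Resolve the configured Subject Claim Type against the verified claims."""
    if "openid" not in scopes:
        raise ValueError("openid scope is required")
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
    if subject_claim_type not in allowed:  # a claim you did not request a scope for is not usable
        raise ValueError(f"{subject_claim_type!r} is not granted by scopes {sorted(scopes)}")
    if subject_claim_type == "email" and claims.get("email_verified") is not True:
        # an unverified address would let whoever registers it at the provider inherit the mapped account
        raise ValueError("email claim is not verified by the provider")
    value = claims.get(subject_claim_type)
    if not value:
        raise ValueError(f"token carries no {subject_claim_type!r} claim")
    return str(value)


if __name__ == "__main__":
    secret = b"demo-shared-secret"  # constructed; stands in for the provider's signing key
    now = int(time.time())
    token = make_id_token({"iss": DISCOVERY["issuer"], "sub": "a1b2c3", "aud": "relativity-client",
                           "exp": now + 300, "iat": now, "nonce": "n-123",
                           "email": "jane@example.com", "email_verified": True}, secret)
    claims = verify_id_token(token, secret, "relativity-client", now, "n-123")
    print("subject (sub):", subject_for_user(claims, {"openid"}, "sub"))
    print("subject (email):", subject_for_user(claims, {"openid", "email"}, "email"))
```

The order matters: signature, issuer, audience, expiry and nonce are checked before any claim is read, and only then is the Subject Claim Type applied. The scope check makes the point of the list above concrete: email can only be used as the subject when the email scope was requested, and the example additionally refuses an address the provider has not marked as verified.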
There are two authentication provider flows used with Relativity: code flow and implicit flow. In the code flow, the browser returns an authorization code to Relativity, which exchanges it for the ID token at the provider's token endpoint; in the implicit flow, the provider returns the ID token directly to the browser, which passes it to Relativity. Below are two images showing a detailed OpenID Connect authentication flow for both.