OpenID Connect provider
The Oidc application installed at https://<hostname>/SPSSMR/Oidc is an OpenID Connect provider: it authenticates users and issues an access token for use with the Web API. On each request, the Web API contacts the Oidc application to check that the access token is valid and to obtain the identity of the user (or, for a service client, of the client) it was issued to.
For each client application, create a client in DPM under \Site\Properties\Oidc\Clients, and then set the following properties. See also Configuring the OAuth 2.0 clients.
Grant types
The OAuth 2.0 grant type (flow) is configured by setting the client's Flow property in DPM; set its value according to the type of client:

Client: An interactive login where the client can securely store the client secret. For example, a .NET MVC application: the user is redirected to the authorization URL, authenticates, and is redirected back to the MVC application with an authorization code that the application exchanges, together with its client secret, for an access token.
Value: AuthorizationCode

Client: An interactive login where the client cannot securely store a client secret. For example, a JavaScript client, where all program code is effectively public; the client instead proves that it started the login with a PKCE code verifier.
Value: AuthorizationCodeWithProofKey (PKCE)

Client: The client has, or can obtain, the user's username and password. This flow is not recommended, because the client must be trusted with the user's credentials. The recommendation is to redirect the user to the identity provider to enter their credentials; a desktop application should open a browser session and use the AuthorizationCode or AuthorizationCodeWithProofKey flow.
Value: ResourceOwner

Client: The client is a computer (a service), not a user. The client authenticates itself with a secret value shared between the client and the OpenID Connect provider, so it must be able to store that secret securely. This flow authenticates the client application, not a specific user.
Value: ClientCredentials
The https://<hostname>/SPSSMR/Oidc/.well-known/openid-configuration endpoint (the discovery document) describes the OpenID Connect provider, including the "Auth" and "Token" URLs, which for this installation are always https://<hostname>/SPSSMR/Oidc/connect/authorize and https://<hostname>/SPSSMR/Oidc/connect/token. Clients should read the endpoints from the discovery document rather than hard-coding them, and must only ever use them over HTTPS: the Token URL receives the authorization code, the client secret and the issued tokens.
Scopes to request
If the client is obtaining the access token to use the Web API, request the “intelligence_web_api” scope.
If only the user identity is required, request the “openid” scope.
If the client requires extended use of the Web API without the user re-authenticating, request the “offline_access” scope. The client must be enabled for offline access by specifying the “offline_access” scope in the AllowedScopes DPM property.
Interactive logins
For interactive logins (the AuthorizationCode and AuthorizationCodeWithProofKey flows), redirect the user to the "Auth URL" of the Oidc application. The Oidc application then redirects the user to the WsFed application to log in.
If Integrated Windows Authentication is enabled, the user is redirected to the /SPSSMR/WsFed/WinLogin URL which asks the client (for example, the browser) for the user credentials. If the browser cannot supply them, the browser might ask the user for their Windows credentials. If the user clicks Cancel, the standard Interview Server Administration (ISA) login page opens.
If Windows Authentication is not enabled for the site, the standard Interview Server Administration (ISA) login page opens.
After the user has authenticated, they are redirected from the WsFed application back to the Oidc application, which in turn redirects back to the client application using the redirect URL that was passed as a query parameter on the original authorize request. That redirect carries an authorization code as a query parameter, which the client application exchanges for an access token at the "Token URL". The client should also send a random state value on the authorize request and accept the returned code only when the state matches, so that a code injected by a third party is not exchanged.
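The interactive login above, worked through as an added example (this is not IBM's code or sample): it reads the Auth and Token URLs from the discovery document, refuses non-HTTPS endpoints, builds the PKCE authorize redirect for an AuthorizationCodeWithProofKey client, checks the redirect back against the stored state, and builds the code-for-token request. The hostname survey.example.com, the client id "js-dashboard", the redirect URI and the callback URL are constructed placeholders; nothing is sent over the network.

```python
"""PKCE authorization-code login against the Oidc application, end to end,
without network I/O. Added example; host, client id and URLs are constructed."""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed copy of the keys this example uses from
# https://<hostname>/SPSSMR/Oidc/.well-known/openid-configuration.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://survey.example.com/SPSSMR/Oidc",
    "authorization_endpoint": "https://survey.example.com/SPSSMR/Oidc/connect/authorize",
    "token_endpoint": "https://survey.example.com/SPSSMR/Oidc/connect/token",
})


def load_endpoints(discovery_json):
    """Return the authorize and token URLs, refusing anything that is not https:
    the token endpoint receives the authorization code and the tokens themselves."""
    doc = json.loads(discovery_json)
    endpoints = {k: doc[k] for k in ("authorization_endpoint", "token_endpoint")}
    for name, url in endpoints.items():
        if urlparse(url).scheme != "https":
            raise ValueError(f"{name} is not https: {url}")
    return endpoints


def b64url(data):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, scopes, state, code_challenge):
    """The Auth URL the browser is sent to. `state` is a per-login random value the
    client keeps in its session so it can tie the redirect back to this request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Take the authorization code off the redirect back to the client. A code that
    arrives with an unknown state is discarded: this session did not start that login."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch, discarding authorization code")
    return qs["code"][0]


def build_token_request(token_endpoint, client_id, redirect_uri, code, code_verifier):
    """POST body for the Token URL. A public client sends no secret; the
    code_verifier proves it is the same client that started the login."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must equal the one sent to the Auth URL
        "code": code,
        "code_verifier": code_verifier,
    }
    return token_endpoint, urlencode(body)


if __name__ == "__main__":
    ep = load_endpoints(DISCOVERY_JSON)
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    redirect_uri = "https://dashboard.example.com/signin-oidc"  # constructed
    print(build_authorize_url(ep["authorization_endpoint"], "js-dashboard", redirect_uri,
                              ["openid", "intelligence_web_api"], state, challenge))
    # Constructed redirect back from the Oidc application to the client:
    callback = f"{redirect_uri}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_callback(callback, state)
    print(build_token_request(ep["token_endpoint"], "js-dashboard", redirect_uri, code, verifier))
```

The verifier and state must be stored server-side (or in the browser session for a JavaScript client) between the redirect out and the redirect back; a client that recomputes or skips them gains nothing from PKCE. For an AuthorizationCode client the same exchange applies, with the client secret added to the token request (HTTP Basic with client_id:client_secret) instead of the code_verifier.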
Non-interactive logins
For non-interactive logins (the ClientCredentials and ResourceOwner flows), the client sends a request straight to the "Token URL" to obtain an access token; there is no browser redirect. The client in DPM must have the EnableLocalLogin property set to True.
Lifetime of access tokens
The access token lasts for one hour by default. After it expires, the Web API responds to every request with "401 Unauthorized". The client application should obtain a new token before the current one expires; if it cannot do so silently, it must redirect the user to the "Auth URL" to re-enter their credentials.
To change the lifetime of the access token, set the client’s AccessTokenLifetime property.
Alternatively, you can use refresh tokens: enable the "offline_access" scope for the client in DPM and have the client application request that scope. The Token URL response then contains a refresh token in addition to the access token. The refresh token can be exchanged at the Token URL for new access tokens until the refresh token itself expires (the default lifetime is 30 days), after which the user must log in interactively again.
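The non-interactive login and the token-lifetime handling above, as an added example (not IBM's code): a small token manager that obtains a token for a ClientCredentials client with one POST to the Token URL, renews it shortly before expires_in runs out, uses a refresh token when the response carried one (offline_access granted) and otherwise repeats the original grant, and retries a Web API call once after a 401. The Token URL is called through an injected callable, so the example runs offline against a constructed stand-in endpoint; a real urllib transport is included. The hostname survey.example.com and the client ids and secrets are constructed.

```python
"""Keeping a valid Web API access token: client_credentials grant, renewal before
expiry, refresh_token use, and a single retry on 401. Added example; host, client
ids, secrets and the stand-in token endpoint are constructed."""
import base64
import json
import time
import urllib.request
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://survey.example.com/SPSSMR/Oidc/connect/token"  # constructed host
RENEW_MARGIN = 60  # seconds of remaining lifetime below which we renew proactively


def _client_auth(client_id, client_secret):
    """Confidential clients authenticate with HTTP Basic; public clients (nothing
    to keep secret) only identify themselves with client_id in the form body."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {}
    if client_secret:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    else:
        body["client_id"] = client_id
    return headers, body


def client_credentials_request(client_id, client_secret, scope="intelligence_web_api"):
    """Non-interactive login: one POST to the Token URL, no user involved."""
    headers, body = _client_auth(client_id, client_secret)
    body.update({"grant_type": "client_credentials", "scope": scope})
    return headers, urlencode(body)


def refresh_token_request(client_id, client_secret, refresh_token):
    """Swap a refresh token (issued when offline_access was granted) for a new access token."""
    headers, body = _client_auth(client_id, client_secret)
    body.update({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return headers, urlencode(body)


def http_post(url, headers, body):
    """Real transport: POST the form to the Token URL and parse the JSON reply."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class TokenManager:
    def __init__(self, post, client_id, client_secret, scope="intelligence_web_api", now=time.time):
        self._post, self._now = post, now
        self._client_id, self._client_secret, self._scope = client_id, client_secret, scope
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.expires_at = self._now() + int(resp.get("expires_in", 3600))
        # Only present when the client was granted offline_access.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)

    def _acquire(self):
        if self.refresh_token:
            headers, body = refresh_token_request(self._client_id, self._client_secret, self.refresh_token)
        else:
            headers, body = client_credentials_request(self._client_id, self._client_secret, self._scope)
        # If a refresh fails (refresh token expired or revoked), the transport raises;
        # an interactive client must then send the user back to the Auth URL.
        self._store(self._post(TOKEN_URL, headers, body))

    def token(self):
        """Return a token with at least RENEW_MARGIN seconds of life left."""
        if self.access_token is None or self._now() >= self.expires_at - RENEW_MARGIN:
            self._acquire()
        return self.access_token

    def call_web_api(self, send):
        """send(bearer_token) -> HTTP status. A 401 means the Web API rejected the
        token (expired or revoked early), so renew once and retry."""
        status = send(self.token())
        if status == 401:
            self._acquire()
            status = send(self.access_token)
        return status


class FakeTokenEndpoint:
    """Constructed stand-in for the Token URL so the example runs offline.
    issue_refresh=True mimics a client that was granted offline_access."""
    def __init__(self, issue_refresh=False):
        self.issue_refresh = issue_refresh
        self.requests = []

    def __call__(self, url, headers, body):
        self.requests.append(dict(parse_qs(body)))
        n = len(self.requests)
        resp = {"access_token": f"at{n}", "token_type": "Bearer", "expires_in": 3600}
        if self.issue_refresh:
            resp["refresh_token"] = "rt1"
        return resp


if __name__ == "__main__":
    clock = [1000.0]
    fake = FakeTokenEndpoint(issue_refresh=True)
    tm = TokenManager(fake, "svc-client", "s3cret", now=lambda: clock[0])
    print(tm.token())            # at1, via client_credentials
    clock[0] += 3570             # inside the renewal margin
    print(tm.token())            # at2, via refresh_token
    print(fake.requests)
```

To go live, pass http_post instead of a FakeTokenEndpoint. Treat expires_in as the authority on lifetime rather than assuming one hour, since the client's AccessTokenLifetime property may have been changed.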
Local login and external identity providers
The Oidc application can authenticate users locally if the client's EnableLocalLogin property is set to True: for the AuthorizationCode and AuthorizationCodeWithProofKey flows, a login dialog opens. If EnableLocalLogin is False, the user is redirected to an external identity provider to log in. By default, a single external identity provider, "IntelligenceWsFed", is configured, and the user is redirected to it. You can configure different or multiple external providers under \Site\Properties\Oidc\Providers; both external OpenID Connect providers and WS-Federation identity providers are supported. The IdentityProviderRestrictions property restricts an individual client to a subset of the configured external providers. If more than one external identity provider is available to a client, the user is asked which one to use.
See
Configuring the Oidc application
Configuring the OAuth 2.0 clients
Configuring external providers
Signing certificates for the Oidc and WsFed applications
Web API