Configure OpenID Connect Authentication

OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol: it adds authentication to OAuth 2.0's authorization flows by returning a signed ID token that describes the logged-in user. Fusion's OIDC realm uses the authorization code flow and verifies the ID token signature against the provider's JSON Web Key Set.

Important
Fusion’s OpenID Connect security realm has been tested with Google and Okta.

Configuration

Use the Realms API to configure this realm type:

curl -u user:pass -H 'content-type:application/json' -X POST http://<fusion-url>:6764/api/realm-configs -d @./realm-config.json

Below is a sample configuration:

  {
    "realmType": "oidc",
    "name": "{your_oidcName}",
    "enabled": true,
    "roleNames": [
      "admin"
    ],
    "config": {
      "autoCreateUsers": true,
      "groups": {
        "roleMapping": [
          [
            "role_user",
            "admin"
          ]
        ]
      },
      "code": {
        "clientSecret": "{your_clientSecret}",
        "redirectUri": "{your_redirectUri}",
        "authorizationUri": "{your_authorizationUri}",
        "tokenUri": "{your_tokenUri}"
      },
      "clientId": "{your_clientId}",
      "jwkSetUri": "{your_jwkSetUri}",
      "userIdAttribute": "email",
      "scope": [
        "openid",
        "email",
        "profile"
      ]
    }
  }

Each entry in roleMapping is a pair of the form [provider group, Fusion role]; a user whose ID token carries that group is granted that role. Note that the sample sets autoCreateUsers to true, so any user the provider authenticates gets a Fusion account on first login.

Required fields

The following fields have no defaults and must be set for the realm to work. The example values use an Okta authorization server; for Google, see "Google authentication" below.

Field: name
  Description: Name of the OIDC realm, as shown on the login page and used in the Realms API.
  Example: oidc

Field: clientSecret
  Description: The secret shared between Fusion and the authorization server, issued when the Fusion application was registered with the provider. Treat it like a password and keep realm-config.json out of version control.
  Example: N/A

Field: redirectUri
  Description: The URI the authorization server redirects the user to after login, carrying the authorization code. It must exactly match a redirect URI registered with the provider; use https in production so the code is not sent in clear text.
  Example: http://{fusion-url}:6764/admin

Field: authorizationUri
  Description: The provider's authorization endpoint, where the user is sent to log in.
  Example: https://${yourOktaDomain}/oauth2/default/v1/authorize

Field: tokenUri
  Description: The provider's token endpoint, where Fusion exchanges the authorization code for the ID token and access token.
  Example: https://${yourOktaDomain}/oauth2/default/v1/token

Field: clientId
  Description: The unique identifier the provider assigned to the Fusion application when it was registered.
  Example: N/A

Field: jwkSetUri
  Description: The URL of the authorization server's JSON Web Key Set (JWKS), from which Fusion fetches the public keys used to verify ID token signatures.
  Example: https://${yourOktaDomain}/oauth2/default/v1/keys

Google authentication

For authenticating with Google, retrieve the values for authorizationUri, tokenUri, jwkSetUri, and issuer from Google's OpenID Connect discovery document at https://accounts.google.com/.well-known/openid-configuration (the authorization_endpoint, token_endpoint, jwks_uri and issuer members, respectively). The clientId and clientSecret come from the OAuth client you create in the Google Cloud console, where the redirectUri must also be registered as an authorized redirect URI.
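The following script is an added example, not Fusion's own code or tooling: it takes a provider's discovery document, checks that it is usable for this realm (https endpoints, a well-formed issuer, the authorization code flow and the requested scopes advertised), and assembles the body for the POST to /api/realm-configs shown above. The discovery document embedded below is a constructed excerpt shaped like Google's; the realm name, client credentials and redirect URI passed in are placeholders. fetch_discovery shows how the live document would be retrieved and is not called.

```python
"""Build a Fusion OIDC realm config from an OpenID Connect discovery document.

Added example; not Fusion's own code. The discovery document below is a
constructed excerpt shaped like Google's, published at
https://accounts.google.com/.well-known/openid-configuration.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Constructed excerpt of a discovery document (endpoint values as Google publishes them).
SAMPLE_DISCOVERY = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "token", "id_token", "code token"],
    "scopes_supported": ["openid", "email", "profile"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Scopes the sample realm config requests.
REQUIRED_SCOPES = ("openid", "email", "profile")
ENDPOINT_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def fetch_discovery(issuer: str) -> dict:
    """Fetch the provider's live discovery document (needs network; not used below)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def discovery_problems(doc: dict) -> list:
    """Return the reasons a discovery document is unusable for this realm."""
    problems = []
    for field in ENDPOINT_FIELDS:
        url = doc.get(field)
        if not url:
            problems.append(f"missing {field}")
            continue
        parsed = urlparse(url)
        # A plain-http endpoint would expose the code exchange or the signing keys.
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{field} is not an absolute https URL: {url}")
    iss = urlparse(doc.get("issuer", ""))
    if iss.query or iss.fragment:  # OpenID Connect Core 1.0, section 2
        problems.append("issuer must not carry a query or fragment")
    # Fusion's "code" block is the authorization code flow; the provider must offer it.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    supported = doc.get("scopes_supported")
    if supported is not None:
        missing = [s for s in REQUIRED_SCOPES if s not in supported]
        if missing:
            problems.append(f"provider does not advertise scopes {missing}")
    return problems


def build_realm_config(doc, name, client_id, client_secret, redirect_uri,
                       role_names=(), role_mapping=(), allow_http_redirect=False):
    """Assemble the JSON body for POST /api/realm-configs."""
    problems = discovery_problems(doc)
    if problems:
        raise ValueError("; ".join(problems))
    if urlparse(redirect_uri).scheme != "https" and not allow_http_redirect:
        # The authorization code travels on this redirect; only allow http knowingly.
        raise ValueError(f"redirectUri should use https: {redirect_uri}")
    return {
        "realmType": "oidc",
        "name": name,
        "enabled": True,
        "roleNames": list(role_names),
        "config": {
            "autoCreateUsers": True,
            "groups": {"roleMapping": [list(pair) for pair in role_mapping]},
            "code": {
                "clientSecret": client_secret,
                "redirectUri": redirect_uri,
                "authorizationUri": doc["authorization_endpoint"],
                "tokenUri": doc["token_endpoint"],
            },
            "clientId": client_id,
            "jwkSetUri": doc["jwks_uri"],
            "userIdAttribute": "email",
            "scope": list(REQUIRED_SCOPES),
        },
    }


if __name__ == "__main__":
    cfg = build_realm_config(SAMPLE_DISCOVERY, "google", "{your_clientId}",
                             "{your_clientSecret}", "https://fusion.example.com:6764/admin",
                             role_names=["admin"], role_mapping=[["role_user", "admin"]])
    print(json.dumps(cfg, indent=2))  # redirect into realm-config.json for the curl call
```

Redirect the output into realm-config.json and post it with the curl command from the Configuration section. The script refuses a plain-http redirectUri unless allow_http_redirect is set, because the authorization code is delivered on that redirect.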

Okta authentication

OpenID Connect authentication with Okta involves mapping Okta groups to Fusion roles. Fusion reads the user's groups from a groups claim in the ID token, which Okta does not emit by default, so add it to the authorization server in Okta's admin console:

  1. Navigate to Security > API > Authorization Servers.

  2. Select the authorization server you'll configure for Fusion (the example URIs above use the "default" server).

  3. In the Scopes tab, add the scope that Fusion will request for group information.

  4. In the Claims tab, add a claim named groups, included in the ID token, with value type Groups and its filter set to match the regular expression .*, which exposes all of the user's groups. For least privilege, narrow the expression to the groups listed in roleMapping so the token does not disclose unrelated memberships.
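The script below is an added example, not Fusion's or Okta's code, that lets you see what the steps above produce: it models the claim filter from step 4 (only groups matching the expression enter the token; fullmatch anchoring is an assumption about Okta's "Matches regex" option), decodes a constructed ID token to confirm the groups claim is present, and applies roleMapping pairs the way the sample config implies, one [okta group, fusion role] pair granting that role. The user's groups and the token are constructed, and "finance-reader" is an assumed Fusion role name. It also reports groups the token discloses that no pair uses, which is the exposure the narrower regex avoids.

```python
"""Inspect the Okta groups claim and apply Fusion roleMapping pairs.

Added example, not Fusion's or Okta's code. The user's groups and the ID
token are constructed. The claim filter models Okta's "Matches regex" option
(fullmatch anchoring is an assumption) and the mapping rule models the
[okta_group, fusion_role] pairs of the sample config; "finance-reader" is an
assumed Fusion role name.
"""
import base64
import json
import re

# Constructed group memberships for one Okta user.
USER_GROUPS = ["Everyone", "role_user", "finance-readers", "fusion-admins"]

# roleMapping as in the sample realm config, plus one assumed pair.
ROLE_MAPPING = [["role_user", "admin"], ["finance-readers", "finance-reader"]]


def filter_groups(groups, regex):
    """Model the claim filter: only groups matching the expression enter the token."""
    pattern = re.compile(regex)
    return [g for g in groups if pattern.fullmatch(g)]


def validate_role_mapping(role_mapping):
    """Each entry must be a [group, role] pair of non-empty strings."""
    for entry in role_mapping:
        if (not isinstance(entry, list) or len(entry) != 2
                or not all(isinstance(x, str) and x for x in entry)):
            raise ValueError(f"roleMapping entry must be [group, role]: {entry!r}")


def roles_for(groups_claim, role_mapping):
    """Fusion roles a user holds, given the groups claim in their ID token."""
    validate_role_mapping(role_mapping)
    return sorted({role for group, role in role_mapping if group in groups_claim})


def unmapped_groups(groups_claim, role_mapping):
    """Groups the token discloses that no roleMapping pair uses (needless exposure)."""
    mapped = {group for group, _ in role_mapping}
    return [g for g in groups_claim if g not in mapped]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Constructed token for inspection only; a real Okta ID token is RS256-signed."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def id_token_claims(token):
    """Decode a JWT payload WITHOUT verifying it, to check the groups claim is there.
    Debugging aid only: Fusion verifies the signature against jwkSetUri."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    # ".*" as in step 4, then an expression narrowed to the mapped groups.
    for regex in (".*", "role_.*|finance-.*"):
        claim = filter_groups(USER_GROUPS, regex)
        token = make_unsigned_token({"sub": "user@example.com", "groups": claim})
        groups = id_token_claims(token)["groups"]
        print(f"filter {regex!r}: groups={groups} roles={roles_for(groups, ROLE_MAPPING)}"
              f" unmapped={unmapped_groups(groups, ROLE_MAPPING)}")
```

With the .* filter the token carries every group the user belongs to, and two of them are never consulted by Fusion; with the narrowed expression the roles granted are identical and nothing extra is disclosed. To check a real Okta token, paste it into id_token_claims and confirm the groups claim lists the names used in roleMapping.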