OpenID Connect security provider in Jitterbit App Builder
Introduction
The OpenID Connect security provider enables support for OpenID Connect 1.0. The security provider is capable of both authenticating users and authorizing web service requests.
The following data source types support OpenID Connect:
- REST
- OData
- RDBMS (limited to supported CData providers)
Configuration
The OpenID Connect security provider supports the OpenID Connect Discovery protocol.
At a minimum, OpenID Connect requires:
- Client credentials (client_id and client secret).
- OpenID Connect Issuer endpoint.
Authentication
The authentication properties determine the OAuth grant and authentication schemes.
- Authentication Type: OpenID Connect.
- Token Owner: Determines whether tokens are issued to individual users or to the client system. Options include:
  - User: Tokens are issued to individual users.
  - Client: Tokens are issued to the client system.
- Token Delete On Sign Out: When enabled, App Builder deletes the stored token when the user logs out. Default: Disabled.
Endpoints
| Type | Description |
|---|---|
| OpenID Connect Issuer | The Issuer endpoint is used to resolve the Discovery endpoint and validate the security token. The Discovery document will be retrieved from the path /.well-known/openid-configuration beneath the Issuer endpoint. |
Properties
The OpenID Connect security provider supports the following additional parameters:
| Parameter | Default | Description |
|---|---|---|
| ExpiresIn | | Access token expiry in seconds. Can be used if the token endpoint does not provide an expiry and the resource server does not return a 401 Unauthorized response when the access token has expired. |
| LogPII | False | Indicates that personally identifiable information (PII) should be logged. This setting takes effect on startup. |
| ReplaceIssuerTenantId | False | Indicates whether the issuer should be transformed, replacing the tenant ID placeholder with a claim value. This is a compatibility shim for Microsoft issuers, which may contain a {tenantid} placeholder. |
| Scopes | openid profile | Whitespace-delimited list of OpenID Connect scopes. |
| RefreshRequiresScopes | False | Indicates whether the scopes (scope) should be included in the request body sent to the token endpoint when refreshing the access token. |
| Prompt | | (Since App Builder 4.57.) Lets administrators configure the OpenID Connect prompt parameter. Accepts a space-separated list of values from the following allowed values: none, consent, login, select_account. |
| AuthorizationEndpointParameters | | (Since App Builder 4.57.) Lets administrators inject URL parameters when redirecting to the authorization server (for example, &access_type=offline). This parameter follows the same rules as the OAuth security provider’s TokenEndpointParameters property. |
Claims
OpenID Connect security tokens are JSON Web Tokens (JWT). JWTs consist of a collection of claims. (See [Standard Claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) in the OpenID Connect documentation.)
The following table describes the default claim mappings:
| Identifier | Purpose | Description |
|---|---|---|
| sub | Name Identifier | Unique, immutable identifier used to map the third-party identity to an App Builder user. |
| preferred_username | Name | User name. |
| name | Full Name | Full name. |
| nickname | Display Name | Friendly name. |
| email | Email Address | Email address. |
| phone_number | Phone Number | Phone number. |
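The following added example (not App Builder's own code) shows the three pieces the Endpoints, Properties and Claims sections describe: deriving the Discovery URL beneath the Issuer endpoint, applying the ReplaceIssuerTenantId shim before comparing the token's iss claim, and mapping the default claims to App Builder user fields. The issuer, token payload and the use of a "tid" claim as the tenant ID source are assumptions for illustration.

```python
# Constructed sample values (not from the Jitterbit documentation):
# an Issuer endpoint in the Microsoft-style placeholder form and the
# payload of a decoded ID token. Signature verification is assumed to
# have happened already; only issuer resolution and claim mapping are shown.
CONFIGURED_ISSUER = "https://login.example-idp.test/{tenantid}/v2.0"
SAMPLE_CLAIMS = {
    "iss": "https://login.example-idp.test/1234-tenant/v2.0",
    "sub": "a1b2c3",
    "tid": "1234-tenant",
    "preferred_username": "jdoe",
    "name": "Jane Doe",
    "email": "jdoe@example.test",
}

# Default claim -> App Builder user field mapping from the Claims table.
CLAIM_MAP = {
    "sub": "Name Identifier",
    "preferred_username": "Name",
    "name": "Full Name",
    "nickname": "Display Name",
    "email": "Email Address",
    "phone_number": "Phone Number",
}

def discovery_url(issuer: str) -> str:
    """Discovery document is at /.well-known/openid-configuration beneath the Issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def effective_issuer(configured: str, claims: dict, replace_tenant_id: bool,
                     tenant_claim: str = "tid") -> str:
    """Apply the ReplaceIssuerTenantId shim. The 'tid' claim name is an assumption;
    the page only says 'a claim value'. Once the placeholder is filled from the
    token's own claim, the issuer comparison no longer pins one tenant, so
    signature and audience checks must still be enforced."""
    if not replace_tenant_id or "{tenantid}" not in configured:
        return configured
    tenant = claims.get(tenant_claim)
    if not tenant:
        raise ValueError(f"token has no '{tenant_claim}' claim to fill {{tenantid}}")
    return configured.replace("{tenantid}", tenant)

def issuer_matches(claims: dict, configured: str, replace_tenant_id: bool) -> bool:
    """Compare the token's iss claim with the (possibly transformed) Issuer."""
    return claims.get("iss") == effective_issuer(configured, claims, replace_tenant_id)

def map_claims(claims: dict) -> dict:
    """Map the standard claims present to App Builder user fields; 'sub' is required."""
    if "sub" not in claims:
        raise ValueError("ID token is missing the 'sub' claim")
    return {field: claims[c] for c, field in CLAIM_MAP.items() if c in claims}
```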