Upgraded OIDC Flow
Built on top of OAuth 2.0, LoginRadius supports OpenID Connect to provide identity verification and authentication.
OpenID Connect allows clients to verify users' identities based on the authentication performed by an authorization server and to obtain basic profile information about them. This standard is widely used for consumer-facing applications and federated identity scenarios.
Please refer to the OpenID Connect documentation for more information.
LoginRadius has released an upgraded version of the existing OIDC flows.
Benefits of upgraded OIDC
The upgraded OIDC flows include all the features of the existing flows, plus the following additions.
These features are:
- JWT Format Access Token: In earlier OIDC flows, access tokens were returned in GUID format, which required an additional API call to convert them to JWT, often needed by applications expecting JWT tokens. With the new flows, access tokens are directly issued in JWT format, supporting both JWT- and GUID-based application requirements without extra steps.
- Custom Audience in JWT claims: In previous flows, determining the intended audience of JWT claims was challenging. The new flows introduce a configurable Custom Audience parameter, allowing precise targeting of JWT claims to the appropriate applications.
- Enhanced Configuration Options: Upgraded OIDC flows offer greater flexibility in configuration. You can now customize the issuer and manage metadata mappings, ensuring that the authentication response includes detailed and relevant claim information tailored to your application's needs.
Transition from the existing flow to the new flow
Transitioning from the existing flow to the upgraded flow is straightforward and requires little effort.
If you are using LoginRadius's direct configurations, you need not change anything. The changes below are needed only if you have hardcoded OIDC endpoints in your application.
To transition to the upgraded flows, follow these steps:
- Update the Endpoints: As part of the upgrade, you will need to update the authorization, token, and other OIDC-related endpoints in your integration.
  Start by reviewing the current endpoints configured in your application and replace them with the updated endpoints provided in the OIDC Discovery Document (.well-known/openid-configuration). The discovery endpoint is:
  https://<<LoginRadius Site Name>>/service/oidc/<<OIDC App Name>>/.well-known/openid-configuration
- Update the Client ID and Client Secret: As part of the upgrade, you must update the client_id parameter used in the OIDC endpoints and the client secret value wherever it is used.
  Previously, these were set to the LoginRadius API key and secret. In the updated flow, they must be replaced with the Client ID and Client Secret of your OIDC application. This change ensures the receiving service can correctly validate the origin of the request and enforce client authentication based on the configured application. You can find the Client ID in your OIDC configurations in the LoginRadius Admin Console.
- Whitelist the Redirect URI: The updated OIDC endpoints include a redirect_uri parameter, which determines where the user is redirected after successful authentication.
  To ensure a seamless redirection experience, you must whitelist this URI in your OIDC app configuration. To do so, navigate to the OIDC app in your Admin Console, look for the "Login Redirect URL" section, and add the redirect URL parameter there.
  You can also set the "Logout Redirect URL" parameter. After logging out, the user will be redirected back to the URL configured in this section.
Note: No configuration changes in the Admin Console are required to initiate the upgrade to the updated OIDC flows.
However, you have the flexibility to customize parameters such as the issuer, audience, and others based on your business requirements to better align with your application's authentication and authorization needs.
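As an added example (not code from LoginRadius's documentation or SDKs), the following Python script shows the three transition steps in code: it takes the endpoints from a discovery document instead of hardcoding them, builds the authorization request with the OIDC app's Client ID and whitelisted redirect_uri, and checks that a returned JWT carries the expected issuer and Custom Audience. The discovery document, hostnames, Client ID, audience and token are all constructed, hypothetical values.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed stand-in for the document served at
# https://<<LoginRadius Site Name>>/service/oidc/<<OIDC App Name>>/.well-known/openid-configuration
# (hypothetical values; fetch the real document from your own site instead).
DISCOVERY = {
    "issuer": "https://example-site.com/service/oidc/my-oidc-app",
    "authorization_endpoint": "https://example-site.com/service/oidc/my-oidc-app/authorize",
    "token_endpoint": "https://example-site.com/service/oidc/my-oidc-app/token",
    "jwks_uri": "https://example-site.com/service/oidc/my-oidc-app/jwks",
}
CLIENT_ID = "my-oidc-app-client-id"                # the OIDC app's Client ID, not the API key (hypothetical)
REDIRECT_URI = "https://app.example.com/callback"  # must be whitelisted as the Login Redirect URL (hypothetical)
CUSTOM_AUDIENCE = "https://api.example.com"        # the configured Custom Audience (hypothetical)

def build_authorize_url(discovery, state, nonce):
    """Build the authorization request from the discovery document rather than a hardcoded URL."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code",
              "scope": "openid profile email", "state": state, "nonce": nonce}
    return discovery["authorization_endpoint"] + "?" + urlencode(params)

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample JWT with a placeholder signature, for demonstration only.
SAMPLE_JWT = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                       _b64url({"iss": DISCOVERY["issuer"], "aud": [CUSTOM_AUDIENCE], "exp": 4102444800}),
                       "placeholder-signature"])

def decode_claims(jwt):
    """Decode the JWT payload; verify the signature against jwks_uri before trusting these claims."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, discovery, now=None):
    """Reject a token whose issuer, audience or expiry does not match this app's configuration."""
    now = time.time() if now is None else now
    if claims.get("iss") != discovery["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if CUSTOM_AUDIENCE not in aud:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"
```

The issuer check is what catches a token minted by the old `cloud-api.loginradius.com/sso/oidc/v2` flow once your application has moved to the upgraded issuer.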
Example
Here is a small example of what the changes will look like:
The existing OIDC Endpoint is:
https://cloud-api.loginradius.com/sso/oidc/v2/<<OIDC App Name>>/authorize
The updated OIDC endpoint will look like this:
https://<<LoginRadius Site>>/service/oidc/<<OIDC App Name>>/authorize