Identity as a Service: OIDC SSO Configuration

Last Updated: Feb 20, 2024

This topic describes how to configure single sign-on (SSO) based on OpenID Connect (OIDC).

Note

For more information about the SSO protocols supported by Identity as a Service (IDaaS), see 2. Standard protocols.

OIDC Grant Types Supported by IDaaS

IDaaS supports the following OIDC grant types. You can select more than one grant type.

Client Credentials (client_credentials)
  The OIDC Client Credentials grant type lets an application exchange its client_id and client_secret with IDaaS for an access token, which the application then uses to call the Developer APIs that IDaaS provides for it.
  You do not need to enable this grant type manually. It is enabled automatically when you enable the IDaaS API on the IDaaS API tab.

Authorization Code (authorization_code)
  Authorization Code is the most widely used logon mode for OIDC applications in IDaaS. The application delegates logon to IDaaS and parses the id_token that IDaaS returns to complete logon verification.

Refresh Tokens (refresh_token)
  A refresh token is used to obtain a new access token, which extends the validity period of a session. Refresh Tokens are usually used together with the Authorization Code grant type.

Device Flow (device)
  Device Flow is often used to connect non-web applications to IDaaS for SSO. It lets users log on to the application in a browser when the device cannot display the IDaaS logon page.

For common enterprise web applications, we recommend that you select both the Authorization Code and Refresh Tokens grant types.

For non-web applications, we recommend that you select both the Device Flow and Refresh Tokens grant types.

Note

If you want to use a grant type other than the grant types described in the preceding table, submit your request. We will provide access to the grant type based on the urgency and importance of your request.

Configurations in IDaaS

Basic Settings (required)

Grant Types
  Description: The grant types that you want to enable for the application. You can select more than one grant type.
  Example: Authorization Code, Refresh Tokens

Redirect URIs
  Description: The whitelist of redirect URIs. This parameter defines where users land after a successful logon or registration. Every redirect URI that the application uses must be on this whitelist.
  Example: http://www.example.com/oidc/sso, http://www.example.com/oidc/sso2

Authorize
  Description: For more information, see SSO overview.
  Example: All Users

Advanced Settings (optional)

scopes
  Description: The identity information about a logged-on user that the user information endpoint can return. You can select more than one type: openid, email, phone, profile.
  Example: openid, email, profile

PKCE
  Description: This parameter is available if you select Authorization Code in Grant Types. If it is enabled, the Authorization Code grant type uses the more secure Proof Key for Code Exchange (PKCE) extension.
  Example: Disabled by default

Code Challenge Method
  Description: This parameter is available if PKCE is enabled. It specifies how the code challenge is generated in the PKCE extension.
  Example: -

access_token Validity Period
  Description: An access token is used to call IDaaS API operations. The default value is 2 hours. After an access token expires, you must use a refresh token to obtain a new one or log on again.
  Example: 2 hours

id_token Validity Period
  Description: An ID token is used to authenticate a user. It is a JSON Web Token (JWT), and the application authenticates the user by verifying the token with the IDaaS public key. After an ID token expires, you must use a refresh token to obtain a new one or log on again.
  Example: 10 hours

refresh_token Validity Period
  Description: A refresh token is used to obtain a new access token or a new ID token. After a refresh token expires, users must log on again.
  Example: 30 days

Change Lifetime for id_token
  Description: You can extend the payload of the id_token to return non-sensitive user information. For more information, see Rules for the values of extended OIDC id_token fields. Note that fields added to the payload are returned for all users, so add only the fields you need.
  Example: -

id_token Signing Algorithm
  Description: The asymmetric algorithm that is used to sign ID tokens. Only RSA-SHA256 is supported.
  Example: RSA-SHA256

SSO Implemented By
  Description: Specifies whether SSO is implemented by the application or on the IDaaS logon page.
  Example: Application Only

IDaaS Sign-In URL
  Description: If you set SSO Implemented By to IDaaS & Application, you can enter an IDaaS logon URL. If you want users to open the application from the IDaaS logon page, enter the URL of the application page at which SSO can be initiated. When this URL receives a logon request, it immediately redirects the request to the authorization endpoint.
  Example: -
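The following Python is an added example, not code from the IDaaS documentation. It shows what the application side prepares for the Authorization Code grant with PKCE enabled and the S256 code challenge method: a code_verifier, the code_challenge derived from it, the authorization request URL carrying state and nonce, and the form bodies for the authorization_code and refresh_token grants. The authorization endpoint and the redirect URI whitelist are the placeholder values from the tables on this page; the client_id and the scope list are assumed. Nothing is sent over the network, so it runs offline.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed values for this example. The endpoint and the whitelist entries are the
# placeholders shown in the IDaaS tables; real values come from the application's settings.
AUTHORIZATION_ENDPOINT = "https://xxxxx.aliyunidaas.com.cn/oidc/authorize"
REDIRECT_URI_WHITELIST = {
    "http://www.example.com/oidc/sso",
    "http://www.example.com/oidc/sso2",
}


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the alphabet RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes encode to 43 characters, inside the 43..128 range RFC 7636 allows."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive the code_challenge sent in the authorization request from the verifier.

    S256 is the method to select when it is offered: a party that sees the challenge
    cannot recover the verifier from it. 'plain' sends the verifier itself and only
    exists for clients that cannot compute SHA-256.
    """
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: " + method)


def redirect_uri_is_whitelisted(uri: str) -> bool:
    """Exact string match, the way a redirect whitelist is meant to be enforced
    (no prefix, wildcard or trailing-slash tolerance)."""
    return uri in REDIRECT_URI_WHITELIST


def build_authorization_request(client_id, redirect_uri, scopes, verifier, state, nonce, method="S256"):
    """Build the URL the browser is sent to. state binds the callback to the user's session;
    nonce is echoed in the id_token and must be checked there."""
    if not redirect_uri_is_whitelisted(redirect_uri):
        raise ValueError("redirect_uri is not whitelisted: " + redirect_uri)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": make_code_challenge(verifier, method),
        "code_challenge_method": method,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def build_token_request(client_id, redirect_uri, code, verifier):
    """Form body for the token endpoint. The verifier proves that the same client started
    the flow, so an authorization code on its own cannot be redeemed."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must equal the value used in the authorization request
        "code": code,
        "code_verifier": verifier,
    }


def build_refresh_request(client_id, refresh_token):
    """Form body that trades a refresh token for a new access token once the 2-hour one lapses."""
    return {"grant_type": "refresh_token", "client_id": client_id, "refresh_token": refresh_token}


if __name__ == "__main__":
    verifier = make_code_verifier()
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    print(build_authorization_request("app-client-id", "http://www.example.com/oidc/sso",
                                      ["openid", "email", "profile"], verifier, state, nonce))
```

The verifier, state and nonce must be stored server-side against the user's session between the authorization request and the callback; the callback handler compares the returned state before it redeems the code, and the id_token check compares the nonce.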

Configurations in applications

OIDC allows applications to use a set of standard, open IDaaS API operations to complete logon authentication. These open API operations are described below.

Issuer
  Description: The issuer of the id_token. It is also the base URL of the API operations that follow.
  Example: https://xxxxx.aliyunidaas.com.cn/oidc1

Discovery Endpoint (Discovery)
  Description: The endpoint that returns metadata such as the directory of endpoints, the supported grant types, and parameters. The metadata is available to all users.
  Example: https://xxxxx.aliyunidaas.com.cn/oidc1/.well-known/openid-configuration

Authorization Endpoint (Authorization)
  Description: The endpoint to which the application sends users to request SSO.
  Example: https://xxxxx.aliyunidaas.com.cn/oidc/authorize

Token Endpoint (Token)
  Description: The endpoint that the application calls to obtain an access token after it receives an authorization code.
  Example: https://xxxxx.aliyunidaas.com.cn/oidc/token

Public Key Endpoint (JWKS)
  Description: The JSON Web Key Set (JWKS) endpoint whose keys are used to verify the ID token and complete SSO. The public key cannot be rotated.
  Example: https://xxxxx.aliyunidaas.com.cn/oidc1/jwks

UserInfo Endpoint (Userinfo)
  Description: The endpoint that returns basic user information when it is called with an access token after logon.
  Example: https://xxxxx.aliyunidaas.com.cn/oidc1/userinfo

End Session Endpoint (SLO)
  Description: The endpoint that is used to trigger single logout (SLO).
  Example: https://xxxxx.aliyunidaas.com.cn/oidc1/logout
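The following Python is an added example and is not part of the IDaaS documentation. It shows the checks an application should run on the id_token it receives from the token endpoint: select the key whose kid matches from a JWKS document of the kind served at the Public Key Endpoint, verify the RS256 signature (RSA-SHA256 is the only algorithm IDaaS uses, so the application pins it rather than trusting the token header), then validate iss, aud, exp and nonce. Because the example has to run offline, it generates a throwaway RSA key and issues a token itself in place of IDaaS; the JWKS document, the kid, the client_id and the claim values are constructed, and the issuer is the placeholder from the table above. The signature check is written against the standard library (RSASSA-PKCS1-v1_5 with SHA-256) rather than a JWT library, so every step is visible.

```python
import base64
import hashlib
import hmac
import json
import random
import time

# Constructed values: the issuer is the placeholder shown in the IDaaS table, and the key pair
# generated below stands in for the IDaaS signing key (neither is real).
ISSUER = "https://xxxxx.aliyunidaas.com.cn/oidc1"
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2 note 1

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; adequate for a throwaway demo key, not for production key generation."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 1024) -> dict:
    """Toy key pair standing in for the IDaaS signing key; each prime gets exactly bits/2 bits."""
    e, primes = 65537, []
    while len(primes) < 2:
        c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # force top bit, make odd
        if _is_probable_prime(c) and c not in primes and (c - 1) % e:  # keeps gcd(e, phi) == 1
            primes.append(c)
    p, q = primes
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """00 01 FF..FF 00 || DigestInfo(SHA-256(message)): the block that RS256 signs."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_sign(key: dict, signing_input: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n: int, e: int, signing_input: bytes, signature: bytes) -> bool:
    """Rebuild the expected block and compare it whole; lenient parsing of the recovered
    block is the classic PKCS#1 v1.5 verifier mistake, so no parsing happens here."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))

def jwks_from_key(key: dict, kid: str) -> dict:
    """The JWK Set document IDaaS would publish at its JWKS endpoint for this key (constructed)."""
    b64int = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64int(key["n"]), "e": b64int(key["e"])}]}

def issue_id_token(key: dict, kid: str, claims: dict) -> str:
    """IdP side, present only so the relying-party verifier below has a real token to check."""
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in
             ({"alg": "RS256", "typ": "JWT", "kid": kid}, claims)]
    return ".".join(parts + [b64url_encode(rs256_sign(key, ".".join(parts).encode("ascii")))])

def verify_id_token(token: str, jwks: dict, issuer: str, client_id: str, nonce: str, now=None) -> dict:
    """Relying-party checks: pinned algorithm, key by kid, signature, then iss/aud/exp/nonce.
    Raises ValueError on any failure and returns the claims only when everything passes."""
    now = time.time() if now is None else now
    h, p, s = token.split(".")  # anything but three segments raises ValueError
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":  # pin the algorithm; the token must not choose it
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no JWKS key matches kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(n, e, (h + "." + p).encode("ascii"), b64url_decode(s)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(p))  # only now is the payload trusted enough to read
    aud = claims.get("aud")
    for name, ok in (("iss", claims.get("iss") == issuer),
                     ("aud", aud == client_id or (isinstance(aud, list) and client_id in aud)),
                     ("exp", claims.get("exp", 0) > now),
                     ("nonce", claims.get("nonce") == nonce)):
        if not ok:
            raise ValueError(name + " check failed")
    return claims
```

A real application fetches the JWKS document from the Public Key Endpoint over HTTPS and caches it; with the 10-hour id_token lifetime from the table, the exp check is what bounds how long a captured token stays usable, and the nonce check is what ties the token to the authorization request that the application itself started.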