Configuring SSO with OIDC (OAuth 2.0)

The article explains how to configure Single Sign-On (SSO) with OIDC OAuth 2.0 in Yeeflow, simplifying user authentication.

Updated over a week ago

OAuth 2.0 is an industry-standard protocol for authorization, allowing users to grant access to their resources to third-party applications without revealing their credentials. Yeeflow supports OAuth 2.0 as a custom login method, enabling organizations to leverage popular OAuth 2.0 providers, such as Google, Microsoft, or Facebook, for user authentication.

Understanding OIDC and OAuth 2.0

OIDC (OpenID Connect) and OAuth 2.0 are related but distinct protocols used for different purposes in the context of identity management and authorization. Here's a breakdown of their differences:

OAuth 2.0:

OAuth 2.0 is an authorization framework that enables secure delegated access to resources on behalf of a resource owner (user). It provides a standardized way for users to grant limited access to their protected resources (such as user data or APIs) to third-party applications, without sharing their credentials directly. OAuth 2.0 is primarily focused on authorization and access control.

OAuth 2.0 involves multiple parties:

  1. Resource Owner: The user who owns the protected resources and authorizes access.

  2. Client: The application or service that wants to access the protected resources on behalf of the resource owner.

  3. Authorization Server: Issues access tokens to the client after obtaining authorization from the resource owner.

  4. Resource Server: Hosts the protected resources and validates access tokens to provide access to those resources.

OAuth 2.0 provides various grant types, such as Authorization Code, Implicit, Client Credentials, and Resource Owner Password Credentials, each designed for different scenarios. It relies on access tokens to grant access and may involve refresh tokens for long-term access.

OIDC (OpenID Connect):

OIDC is an identity layer built on top of OAuth 2.0. It adds an authentication component to OAuth 2.0, allowing applications to verify the identity of users in addition to obtaining authorization. OIDC is primarily focused on authentication and user identity.

OIDC introduces the concept of an identity provider (IdP), which authenticates users and provides identity information to clients. The most commonly used identity protocol within OIDC is JWT (JSON Web Tokens), which represents claims about the user and can be digitally signed and verified.

OIDC includes additional features compared to OAuth 2.0:

  1. Authentication: OIDC provides a standardized way for clients to authenticate users through the identity provider.

  2. User Info Endpoint: OIDC introduces an endpoint for clients to retrieve user attributes and profile information.

  3. ID Tokens: OIDC introduces ID tokens, which are JSON Web Tokens containing identity claims about the authenticated user.

In summary, OAuth 2.0 primarily focuses on authorization and access control, allowing clients to access protected resources. OIDC builds on top of OAuth 2.0 and adds authentication capabilities, providing a standardized way for clients to authenticate users and obtain identity information.

Configure OIDC

To configure OIDC user authentication as the custom login method for Yeeflow, you can follow these general steps:

1. Obtain OIDC Configuration Details:

Contact the OIDC provider or the administrator of the identity service you are integrating with Yeeflow. Request the necessary configuration details, including the following:

- Client ID: A unique identifier assigned to your Yeeflow instance by the OIDC provider.

- Client Secret: A confidential key or password associated with the Client ID.

- Property: Name: The value of the name property can be extracted from the identity token's claims. Depending on the IdP configuration, the name property may be represented by different claim names such as "name," "displayName," or "fullName."

- Property: Email: The email property represents the user's email address. It serves as a unique identifier and is commonly used for user communication and identification purposes. Similar to the name property, the email property can be extracted from the identity token's claims.

2. Access the Yeeflow Admin Center:

Log in to Yeeflow as a system administrator and navigate to the Yeeflow Admin Center.

3. Open Login Authentication Settings:

In the left navigation menu of the Admin Center, find the "Login Authentication" menu and click on it to open the page.

4. Add Custom Login Method:

Find the "Custom Login Method" section and click on the "Add Custom Login Method" button at the bottom.

5. Select OIDC as the Login Method:

From the drop-down list of available custom login methods, choose "OIDC (OAuth 2.0)" to configure OIDC as the method for user authentication.

6. Enter OIDC Configuration Details:

From the pop-up window, enter the required details you obtained from the OIDC provider:

- Name: Input a unique display name for this OIDC login method. This text will be display on the login page of your organization.

- Client ID: Paste the unique identifier assigned to your Yeeflow instance.

- Client Secret: Enter the confidential key or password associated with the Client ID.

- Response Type: The response type specifies the type of response that the client (Yeeflow) expects from the OIDC provider after a user's authentication attempt. It determines the flow of the authentication process and the type of tokens returned to the client. You may just leave is as the default "code".

- Scope: The scope parameter defines the level of access and the requested user information that the client (Yeeflow) requires from the OIDC provider. It specifies the permissions and claims that the client needs to retrieve during the authentication process. Commonly used scopes include:

  • openid: This scope is required for OIDC authentication. It indicates that the client is requesting an OpenID Connect authentication flow.

  • profile: This scope includes user profile information such as name, email, profile picture, etc.

  • email: This scope requests access to the user's email address.

  • offline_access: This scope allows the client to obtain a refresh token, which can be used to obtain new access tokens without requiring the user to re-authenticate.

You may just leave is as the default "email openid profile".

- Property: Name: Enter the URL where Yeeflow can retrieve user name.

- Property: Email: Enter the URL where Yeeflow can retrieve user email.

- Callback URL: The Callback URL, also known as the Redirect URL or Reply URL, is a crucial component of the OIDC (OpenID Connect) configuration. It represents the URL to which the OIDC provider will redirect the user after successful authentication or when an authentication error occurs. The Callback URL is an endpoint within the client application (in this case, Yeeflow) that handles the response from the OIDC provider.

You need to copy this URL and configure it to the OIDC provider.

7. Save and Test Configuration:

Click the "Verify and save" button to save the OIDC configuration. Yeeflow will attempt to validate the configuration by connecting to the OIDC provider and performing a test authentication. If the configuration is valid, Yeeflow will display a success message.

8. Enable the OIDC Login Method:

After successfully saving the OIDC configuration, find the OIDC method in the "Custom Login Method" section and enable it by clicking the enable button from the more operation menu list.

9. Adjust Other Login Settings (if necessary):

You can further customize the login experience by configuring other settings such as default login method, login page customization, or enabling multi-factor authentication (MFA).

By following these steps, you can configure OIDC user authentication as the custom login method for Yeeflow. Users will be able to authenticate using their OIDC credentials and access Yeeflow with their OIDC identity.


Did this answer your question?