Add OpenID Application
This section provides step-by-step instructions for creating an OpenID Connect application in Monokee. By following these instructions, you can configure the integration between a Relying Party (RP) and one of the OpenID Providers (OPs) defined in your Monokee domain using OpenID Connect. This allows you to delegate user authentication and authorization to Monokee, simplifying access management for your application.
The following steps will guide you through the process of setting up an OpenID application:
Navigate to your Monokee custom fully qualified domain name (FQDN) or, if you haven't set up a custom FQDN, go to Monokee's default page and enter your domain ID. Then enter your login credentials to access your account.
Open the left sidebar and select Applications from the menu.
This will display a list of applications. To create a new application, click the Add button located in the top right corner of the table. Then, select OAuth Application and click Add.
Monokee will open the General Configuration step. Refer to the generic section of the application documentation for instructions on how to configure this section.
Click Next to proceed to the Client configurations step.
Using the radio buttons, select the OpenID option.
If you need refresh tokens to be issued to this client, enable the Require refresh token checkbox.
From the Provider name select, choose the provider you want to use with this Client. For example, choose the Default OpenID Connect Provider defined in the Add OpenID Provider section.
Insert a Client ID and a Client secret that will be used as credentials for your Client. Examples of these values are 010ad1fd-b6f6-4146-ae20-4b033afcabf4 and andbTkmVebk1045sH@C. The secret is what authenticates your Relying Party at the token endpoint, so generate it with a cryptographically secure random generator and keep it only in your application's secret storage.
From the Grant types select below, choose the grant types to make available. The values present depend on the provider selected in the Provider name step. For example, for an authorization code grant type, choose authorization_code.
Select the Token endpoint authentication methods among those available. As in the previous step, the values present in the select depend on the provider selected. You can use client_secret_basic to send the client credentials with HTTP Basic authentication.
Fill in the Redirect URLs with one or more URLs that can be used as redirect URL to receive the authorization code or, if the implicit grant type is used, the access token. The redirect URI is mandatory because the Authorization Code grant type has been selected. An example is https://example.org. Usually the redirect URI must be a valid URL of your web application; register the exact callback URL (scheme, host, port and path) that your application sends as redirect_uri, because OpenID Connect requires the value in the authorization request to match a registered one.
The following field, Subject type, can be used to specify the subject type of the client. If your client doesn't need a pairwise (per-client) subject identifier, you can select the value public.
In the Authentication section you can choose the flow that will protect the application. For a basic configuration, you can choose the default login flow of your domain.
In the Consent section, you can decide whether to enable consent and, if so, specify the consent flow that will be used. This field is optional; for a basic configuration you can select the checkbox Skip the consent screen to skip consent entirely.
The section below, Duration token/code (seconds), allows you to specify the lifetime in seconds of tokens and codes. If you don't have any special needs regarding token lifetimes, you can keep the default values.
The last card, Scopes, is dedicated to the definition of the scopes relating to the access token. In the Scope field you will find the scopes defined in the selected provider; openid must always be present, and additional scopes can be added. For example, if you set openid profile as scope, the claims returned are name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.
In the last card of the page, JWT configuration, you can set signing and encryption parameters for the ID token, the response of the user info endpoint and the request parameter of the authorization request. The simplest configuration requires only the fields Signature Algorithm for IDToken and Signature Algorithm for Userinfo to be filled in, choosing the first of the available values, which are taken from the provider's configuration. For example, RS256 for Signature Algorithm for IDToken and none for Signature Algorithm for Userinfo. With none the user info endpoint returns plain JSON instead of a signed JWT, which is acceptable because that response is protected by TLS and by the access token presented to it; avoid none for the ID token, since your application relies on the ID token signature to trust the claims it carries. Click Next to proceed to the Claims mapping step.
In the Claims mapping section, you can define scope and claim mappings and, for each scope, whether to make it available in the ID token, user info, or both. For example, to associate the custom scope test with a claim test_claim that is mapped to the domain attribute username, and to make the claim available in both the ID token and the user info endpoint response, you have to:
- select test in Scopes used in claims mapping
- select test_claim in Claims used in scopes mapping
- select username in Attributes available for mapping
- in the Attribute mapping rule section click New Rule; in the dialog that opens, select test_claim, click Add, then select username and click Add
- in the Claim section click Add; in the dialog that opens, select test as Scope and test_claim as Associated claims, then click Add
- in the Claim location section tick the ID_TOKEN and USERINFO checkboxes for test_claim.
Click the bottom right corner Create button to create the application.
You can assign the application to a user as explained in the user management section and access it using the authorization endpoint
https://(new.monokee.com|<domain-custom-fqdn>)/oauth2/<provider-id>/authorize?redirect_uri=https%3A%2F%2Fexample.org&client_id=010ad1fd-b6f6-4146-ae20-4b033afcabf4&response_type=code&scope=openid%20test&state=<randomvalue>
The scope includes openid because, as noted in the Scopes card, it must always be present. Replace <randomvalue> with a fresh, unguessable value for each request and have your application verify it when the browser returns to the redirect URI; it ties the response to the session that started the request. To retrieve the application id for a newly created application, you can visit the application's page and look at the last portion of the browser URL. To retrieve the full URL, you can visit the page of the OAuth provider configuration, select the provider you are using, and, in the ADVANCED tab, copy the Authorization endpoint value. Remember that to allow a user to grant a scope to a client you must assign the scope to the user as explained in the user management section.
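The client configured above, seen from the Relying Party side, as an added example that is not Monokee's own code: it builds the authorization request for the registered client (authorization_code grant, the openid and test scopes, a random state), checks the browser's return to the registered redirect URI, and prepares the token endpoint request using client_secret_basic. It runs offline and sends no HTTP. The /token path, the <provider-id> placeholder in the base URL and the nonce parameter (standard OpenID Connect, not mentioned on this page) are assumptions; the callback URLs it parses are constructed for the example.

```python
"""Relying Party side of the Authorization Code flow configured in this section.

Added example, not Monokee's own code. Builds the authorization request for the
client registered above, validates the browser's return to the redirect URI,
and prepares the token endpoint request with client_secret_basic. No HTTP is
sent. Copy the real endpoints from the provider's ADVANCED tab.
"""
import base64
import secrets
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit

# Values entered in the Client configurations step (taken from this page).
CLIENT_ID = "010ad1fd-b6f6-4146-ae20-4b033afcabf4"
CLIENT_SECRET = "andbTkmVebk1045sH@C"   # page example; use a random secret in practice
REDIRECT_URI = "https://example.org"    # must be one of the registered Redirect URLs
SCOPE = "openid test"                   # openid is mandatory; test is the custom scope mapped above

# Assumed endpoints: <provider-id> is the page's placeholder, the /token path is assumed.
PROVIDER_BASE = "https://new.monokee.com/oauth2/<provider-id>"
AUTHORIZE_ENDPOINT = PROVIDER_BASE + "/authorize"
TOKEN_ENDPOINT = PROVIDER_BASE + "/token"


def build_authorization_request(state=None, nonce=None):
    """Return (url, state, nonce) for the authorization endpoint.

    state is a per-request random value the RP keeps in the user's session and
    checks on return, so a response cannot be injected into another session.
    nonce (assumed, standard OIDC) is echoed in the ID token to detect replay.
    """
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",        # authorization_code grant type selected above
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce


def parse_callback(callback_url, expected_state):
    """Validate the redirect back from the OP and return the authorization code.

    Raises ValueError when the response landed on a URL other than the registered
    redirect URI, when state does not match, or when the OP returned an error.
    """
    parts = urlsplit(callback_url)
    landed_on = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if landed_on != REDIRECT_URI:
        raise ValueError("response delivered to an unregistered redirect URI")
    query = parse_qs(parts.query)
    state = query.get("state", [""])[0]
    # Check state first, also for error responses; constant-time comparison
    # avoids leaking the expected value through timing.
    if not (state.isascii() and secrets.compare_digest(state, expected_state)):
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in response")
    return code


def basic_auth_header(client_id, client_secret):
    """client_secret_basic credential per RFC 6749 section 2.3.1: both values are
    form-urlencoded before being joined with ':' and Base64-encoded."""
    raw = quote_plus(client_id) + ":" + quote_plus(client_secret)
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def build_token_request(code):
    """Return (url, headers, body) for redeeming the code at the token endpoint.

    The secret travels only in the Authorization header, never in the query
    string; redirect_uri is repeated so the OP can confirm it matches the one
    used in the authorization request.
    """
    headers = {
        "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
    return TOKEN_ENDPOINT, headers, body


if __name__ == "__main__":
    url, state, nonce = build_authorization_request()
    print("Send the browser to:", url)
    # Constructed callback standing in for the OP's redirect after login.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_callback(callback, state)
    endpoint, headers, body = build_token_request(code)
    print("POST", endpoint, headers["Authorization"], body)
```

The state and nonce must be stored server-side (or in an integrity-protected cookie) between the two steps; parse_callback refuses a response whose state it cannot match, including error responses, so a redirect crafted by a third party is never exchanged for tokens. After the token response arrives, verify the ID token signature with the provider's RS256 key and compare its nonce claim with the stored value before trusting its claims.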