
Add OpenID Provider

This section contains step-by-step instructions for creating an OpenID Connect Provider (OP) in Monokee. The created provider also supports the plain OAuth 2.0 protocol, without the OpenID Connect identity layer.

The following steps guide you through the process of setting up an OpenID Connect / OAuth 2.0 Provider:

  1. Navigate to your Monokee custom fully qualified domain name (FQDN) or, if you have not set up a custom FQDN, go to Monokee's default page and enter your domain ID. Then enter your login credentials to access your account.

  2. Open the left sidebar and select OAuth Providers from the menu.

  3. This displays a two-tab page; choose the OPENID PROVIDER tab, then click the Add button located in the top right corner.

  4. In the modal that opens, in the CORE tab, enter the desired Provider Name for your new provider, such as Default OpenID Connect Provider. Leave the Issuer and JWKS uri fields untouched: the Issuer is the value clients will find in the iss claim of the tokens you issue, and the JWKS URI is where they fetch the public keys to verify them.

  5. Check the Display Metadata option to publish the OpenID Provider Metadata document. Once enabled, the provider configuration (endpoints, supported algorithms, grant types and so on) can be retrieved by any client at this URL: https://<(new.monokee.com/<domain_id>|<domain-custom-fqdn>)>/oauth2/<provider_id>/.well-known/openid-configuration>. Note that this document is intentionally public; it must contain nothing that you are not willing to disclose to anonymous callers.

  6. In the Grant types supported option, select the grant types you wish to enable. In a standard configuration it is advisable to choose all grant types except for password (the Resource Owner Password Credentials grant), which is generally considered insecure and not recommended, because it hands the user's credentials to the client application. The implicit grant type is also considered insecure, since it returns tokens in the URL fragment, but in an OpenID Connect configuration it must remain checked to allow the use of the Hybrid flow. The response types chosen in step 8 limit what the implicit grant can actually return.

  7. In the Token endpoint authentication methods supported, Revoke endpoint authentication methods supported and Introspect endpoint authentication methods supported options, select the client authentication methods accepted by each endpoint. In a standard configuration it is advisable to choose all the options except for none, which allows the endpoint to be called without client authentication. Keep in mind that none is the method used by public clients (native apps and browser-based apps that cannot keep a client secret); if you later need to serve such clients, they will require none together with PKCE.

  8. In the Supported response types section we suggest enabling only the code, id_token and code id_token checkboxes. This way the Hybrid flow can return only an authorization code and an ID token from the authorization endpoint, never an access token: the access token must always be obtained by exchanging the code at the token endpoint, which keeps it out of the browser URL and improves security.

  9. In the Supported code challenge methods section you can choose the challenge methods supported by the Proof Key for Code Exchange (PKCE) extension of the Authorization Code flow. We suggest checking only S256 to improve security: with the plain method the code_challenge sent in the authorization request is the code_verifier itself, so anyone who observes the request can redeem an intercepted code.

  10. In the Scopes section insert the scopes you need; openid is mandatory. For example, enter in the combobox the standard OpenID Connect scopes openid, profile, email, address and phone, plus the custom scopes test and admin.

  11. Click on the ADVANCED tab to see the full list of endpoints exposed by the provider. In most cases these endpoints should remain unchanged, except for the rare circumstances where overriding an endpoint URL is necessary.

  12. In a basic configuration check only Claims parameter supported, which lets clients request individual claims through the claims request parameter instead of through scopes.

  13. In the Supported response modes section choose all the options (query, fragment and form_post) so that your provider supports all client scenarios. form_post is the mode that keeps the authorization response out of the URL entirely.

  14. In the Supported subject types section check both pairwise and public so that your provider supports all client scenarios (pairwise gives each client a different sub value for the same user, public gives every client the same one).

  15. In a basic configuration leave Supported ACR values empty.

  16. Choose all the available options in the Supported claims combobox. You can also add custom claims. For example: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at, email, email_verified, address, phone_number, phone_number_verified, test_claim.

  17. In the Supported languages for the interfaces field, enter the languages you support, for example en-US and it-IT.

  18. Click on the SIGNING tab to configure signing options; here you can choose which algorithms are available for signing and configure the corresponding keys.

  19. For a standard configuration you can set none on both the Signing algorithms for the userinfo object supported and Signing algorithms for the request supported options (the userinfo response is then returned as plain JSON over TLS rather than as a signed JWT), while in the Signature algorithms for the token ID supported option you must configure at least RS256. The OpenID Connect Discovery specification requires RS256 to be offered for ID tokens, and none must never be used for an ID token returned from the authorization endpoint.

  20. Add the signing key for the algorithm chosen in the previous step in the Signature section. Click the Add button and, in the modal, choose for example RS256 from the Select an algorithm for signing menu, then click Generate Key Pair. This generates a key pair for the selected algorithm. You can also paste a public key and private key manually into the text boxes. The private key never needs to leave the provider: clients only need the public key, which is published through the JWKS URI.

  21. Click on the ENCRYPTION tab to configure encryption options; here you can choose which algorithms are available for encryption and configure the corresponding keys.

  22. For a standard configuration choose RSA-OAEP-256 in the Encryption algorithms for the supported token ID option and A128GCM in the Content encryption algorithms for the supported token ID option. Leave the other options empty.

  23. Add the encryption key for the algorithm chosen in the previous step in the Encryption section. Click the Add button and, in the modal, choose for example RSA-OAEP-256 from the Select an algorithm for encrypting the key menu, then click Generate Key Pair. This generates a key pair for the selected algorithm. You can also paste a public key and private key manually into the text boxes.

  24. Click the Save button in the bottom right to save the configuration.
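Once the provider is saved and Display Metadata is enabled (step 5), the quickest way to confirm that the hardening choices from steps 6 to 10 and 19 actually took effect is to read back the published discovery document and check it. The script below is an added example, not Monokee code or part of the original page. The discovery JSON it checks is a constructed sample of what a provider configured as above would publish; the issuer URL is made up, and the revocation and introspection field names are the ones defined in RFC 8414 (an assumption about how Monokee names them). To check a real deployment, pass the output of fetch_metadata() on your own .well-known URL to check_metadata() instead.

```python
"""Verify an OpenID Provider discovery document against the hardening
recommendations above. Added example, not Monokee code."""
import json
import urllib.request

# CONSTRUCTED sample discovery document; not captured from a live instance.
# The issuer/endpoint host is hypothetical.
SAMPLE_METADATA = json.loads("""
{
  "issuer": "https://idp.example.com/oauth2/provider-id",
  "authorization_endpoint": "https://idp.example.com/oauth2/provider-id/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/provider-id/token",
  "jwks_uri": "https://idp.example.com/oauth2/provider-id/jwks",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "client_credentials"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "private_key_jwt"],
  "revocation_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "introspection_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "response_types_supported": ["code", "id_token", "code id_token"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "code_challenge_methods_supported": ["S256"],
  "subject_types_supported": ["pairwise", "public"],
  "scopes_supported": ["openid", "profile", "email", "address", "phone", "test", "admin"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")


def fetch_metadata(well_known_url: str) -> dict:
    """Download a live discovery document (not used in the offline demo below)."""
    with urllib.request.urlopen(well_known_url, timeout=10) as resp:
        return json.load(resp)


def check_metadata(md: dict) -> list[str]:
    """Return a list of findings; an empty list means the document matches
    every recommendation from the configuration steps."""
    findings = []

    # Step 6: the password grant must not be offered.
    if "password" in md.get("grant_types_supported", []):
        findings.append("grant_types_supported includes 'password'")

    # Step 7: no unauthenticated access to the token, revoke or introspect endpoints.
    # Field names for revoke/introspect follow RFC 8414 (assumed).
    for key in ("token_endpoint_auth_methods_supported",
                "revocation_endpoint_auth_methods_supported",
                "introspection_endpoint_auth_methods_supported"):
        if "none" in md.get(key, []):
            findings.append(f"{key} includes 'none'")

    # Step 8: no response type may return an access token from the
    # authorization endpoint. Response types are space-separated words,
    # so split before matching to avoid confusing 'id_token' with 'token'.
    for rt in md.get("response_types_supported", []):
        if "token" in rt.split():
            findings.append(f"response_types_supported includes '{rt}' "
                            "(access token from authorization endpoint)")

    # Step 9: S256 must be the only PKCE challenge method.
    methods = set(md.get("code_challenge_methods_supported", []))
    if methods != {"S256"}:
        findings.append(f"code_challenge_methods_supported is {sorted(methods)}, expected ['S256']")

    # Step 10: openid is mandatory.
    if "openid" not in md.get("scopes_supported", []):
        findings.append("scopes_supported lacks 'openid'")

    # Step 19: RS256 must be offered for ID tokens and none must not be.
    algs = md.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        findings.append("id_token_signing_alg_values_supported lacks 'RS256'")
    if "none" in algs:
        findings.append("id_token_signing_alg_values_supported includes 'none'")

    return findings


if __name__ == "__main__":
    for finding in check_metadata(SAMPLE_METADATA) or ["OK: no findings"]:
        print(finding)
```

Run it against your own provider by replacing SAMPLE_METADATA with fetch_metadata("https://<your-fqdn>/oauth2/<provider_id>/.well-known/openid-configuration"); any line printed is a setting that differs from the recommended configuration and should be revisited in the Monokee console before clients are onboarded.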