OpenID Connect integration
HCMS Client comes with its own authentication and authorization functionality, but it can be also configured to work with one or more OpenID Connect providers.
Get to know OpenID Connect
If you are not yet familiar with the OpenID standard and its current iteration, OpenID Connect, we highly recommend reading up on it first, as OpenID-specific terms are used throughout this document.
Unfortunately, the OpenID Foundation does not provide extensive documentation, partly because certain technical details vary across providers. You will therefore need to refer to the official documentation of your chosen provider for those details.
Provider requirements
The OpenID Connect standard is quite flexible. Consequently, different providers support different features, but to be used with the HCMS Client, your provider must support a few basic ones:
- client authentication by client secret
- Authorization Code or Hybrid Flow, with refresh tokens enabled
- personal information provided as ID token claims; in particular, email and/or preferred_username is required
- logout
  - It is technically optional, but having no logout functionality would severely reduce the overall security of the application.
  - Some providers use a non-standard endpoint for this purpose. In that case, special support must be added to the code (which is already done for AWS Cognito).
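The ID-token requirement above is the one a client can check by itself. The following is an added example, not code from HCMS Client: it verifies a token's signature and core OpenID Connect claims (iss, aud, exp, nonce) and then rejects tokens that carry neither email nor preferred_username. To stay offline it signs with HS256 and a constructed secret; real providers typically sign with RS256 and publish their keys via JWKS, so swap in that verification in practice. The issuer URL and client_id are placeholders.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-test-secret"   # constructed; a real provider signs with RS256 + JWKS
ISSUER = "https://idp.example.test"   # placeholder issuer URL (assumption)
CLIENT_ID = "hcms-client"             # placeholder client_id (assumption)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact JWT the way a test provider would (HS256, offline demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, nonce: str, secret: bytes = SECRET, now=None) -> dict:
    """Verify the signature, then the core OIDC claims, then the profile claims the client needs."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")   # ValueError if not three parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never accept 'none' or an algorithm you did not pin
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")   # binds the token to this login attempt
    if not (claims.get("email") or claims.get("preferred_username")):
        raise ValueError("provider must supply email and/or preferred_username")
    return claims

def rejection_reason(token: str, nonce: str, now=None):
    """None when the token is acceptable, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, nonce, now=now)
        return None
    except ValueError as exc:
        return str(exc)
```

A provider that passes every check except the last one is exactly the case the list above warns about: the login succeeds, but the client has no identifier to build a user record from.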