OpenID Connect provider configuration

With every provider, the application needs to be registered as a client. Please note that some providers use the term "client", while others use the term "application". The exact configuration can be found in the third-party documentation, but we have summarized a few must-haves that every provider configuration includes.

Client id

The client id is the unique identifier of your application inside the provider. You can choose it yourself; it must be a string without any spaces. You will need to enter exactly the same value for the client id later in the HCMS Client configuration.

Please be aware that providers also allow you to give your client a name, but the name is a separate parameter: among other things, it does not need to be unique and may contain spaces.

Client secret

You need to generate the client secret inside the provider GUI; usually it will be a randomly generated string. You will need to enter exactly the same value for the client secret later in the HCMS Client configuration.

Quite often, a specific option needs to be enabled for client authentication. It can be called just "client authentication" or "credentials"; in Keycloak, the option is called "Access Type" and must be set to "confidential".

Note that HCMS CSK does not support client authentication by private key infrastructure (PKI).

Application grant type and flow

The standard authorization flow with code grant must be enabled.

Accepted login redirect URLs

This is the URL leading back to the HCMS Client instance. Some providers allow wildcards, e.g., just https://<domain>/*, but this is considered less secure. Instead, you should use the following exact format: https://<domain>/oauth/<provider-id>/redirect. The provider-id in the path is the id of this provider in the HCMS Client configuration (see the next sections).

Accepted logout redirect URL

The logout redirect URL should be provided in the following format: https://<domain>/oauth/after_logout. It only needs to be filled out if the logout redirect feature is enabled in the HCMS Client configuration (logout_redirect set to true). The URL should be identical to the logout landing page set in the openid_landing/after_logout property in the HCMS Client configuration.
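The following added example (not part of the HCMS documentation or the HCMS Client code) builds the two redirect URLs described above for a constructed domain and provider id, and contrasts the exact-match comparison a provider performs on a registered redirect URL with the prefix behaviour of a wildcard entry such as https://<domain>/*. The domain "hcms.example.com" and the provider id "keycloak" are assumed sample values.

```python
from typing import Iterable
from urllib.parse import urlsplit

# Constructed sample values; substitute your own domain and provider id.
DOMAIN = "hcms.example.com"
PROVIDER_ID = "keycloak"


def login_redirect_url(domain: str, provider_id: str) -> str:
    """Exact login redirect URL to register with the provider for this HCMS Client instance."""
    return f"https://{domain}/oauth/{provider_id}/redirect"


def logout_redirect_url(domain: str) -> str:
    """Exact logout redirect URL (only needed when logout_redirect is enabled)."""
    return f"https://{domain}/oauth/after_logout"


def redirect_uri_allowed(requested: str, registered: Iterable[str]) -> bool:
    """Strict exact-match check as a provider should perform it.

    Scheme, host (case-insensitive), port and path must all be identical to a
    registered entry; query strings, fragments and non-HTTPS schemes are rejected.
    """
    req = urlsplit(requested)
    if req.scheme != "https" or req.query or req.fragment:
        return False
    for entry in registered:
        reg = urlsplit(entry)
        if (req.scheme, req.netloc.lower(), req.path) == (
            reg.scheme,
            reg.netloc.lower(),
            reg.path,
        ):
            return True
    return False


def wildcard_allowed(requested: str, wildcard_entry: str) -> bool:
    """Prefix behaviour of a wildcard entry like https://<domain>/*.

    Every path under the host passes, which is why the documentation
    recommends registering the exact redirect URL instead.
    """
    prefix = wildcard_entry.rstrip("*")
    return requested.startswith(prefix)


if __name__ == "__main__":
    registered = [login_redirect_url(DOMAIN, PROVIDER_ID)]
    print("login redirect :", registered[0])
    print("logout redirect:", logout_redirect_url(DOMAIN))
    for candidate in (
        f"https://{DOMAIN}/oauth/{PROVIDER_ID}/redirect",
        f"https://{DOMAIN}/some/other/page",
        f"http://{DOMAIN}/oauth/{PROVIDER_ID}/redirect",
    ):
        print(
            candidate,
            "exact:", redirect_uri_allowed(candidate, registered),
            "wildcard:", wildcard_allowed(candidate, f"https://{DOMAIN}/*"),
        )
```

Running the block prints the two URLs to enter in the provider and shows that only the first candidate passes the exact check, while the wildcard entry also accepts the unrelated page.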

Provider-specific configuration

Please also read the notes on the most popular OpenID providers to make sure you enter the correct provider-specific properties.