| Field | Description |
|---|---|
| Name | Name of an OpenID provider. API Gateway supports OpenID Connect (OIDC) identity tokens provided by a standards-compliant OpenID provider, for example Google or Salesforce. |
| OpenID Connect discovery URL | The discovery endpoint of the OpenID provider. Note: When the discovery URL is specified, some of the fields below are automatically populated with the data provided at that URL. |
| Token issuer endpoint | The endpoint URL of the OpenID token issuer used by API Gateway. |
| Token endpoint | The token (id_token) endpoint URL of the OpenID provider, through which the client application exchanges the authorization code, client ID, and client secret to obtain ID tokens and refresh tokens. |
| Authorization endpoint | The endpoint URL through which API Gateway authenticates and grants authorization to client applications. |
| Scope | The specific set of end user identity information to include as claims in the ID tokens. |
| Userinfo endpoint | Optional. The endpoint URL through which API Gateway retrieves the end user identity information to include as claims in the ID tokens. |
| Include userinfo claims | Optional. Select the check box if you want to include the end user identity information as claims in the ID tokens. Note: Some OpenID providers do not include the complete end user information in the ID tokens. In such cases, you can use the Include userinfo claims check box to include the complete user information. API Gateway generates a secondary ID token that includes the required user information as claims. The token also includes the application ID and the primary ID token, if the client has specified the application ID in the GET OpenID token request to API Gateway. As a prerequisite, you must have the JWT settings configured in API Gateway. For information about configuring JWT settings in API Gateway, see Configuring API Gateway to use JWT. |
| JSON Web Key endpoint | The JSON Web Key Set (JWKS) endpoint URL through which API Gateway verifies and validates the signature of ID tokens. |
| Truststore alias | The truststore alias used to verify the signature of an OpenID token against public certificates when the JSON Web Key endpoint is not specified. |
| Response type | The authorization grant type used to obtain authorization codes, ID tokens, and refresh tokens. Supported values: code, id_token, token id_token, id_token token. The value code indicates the authorization code grant type: an authorization code is returned in the response and is then exchanged for ID tokens and refresh tokens. The values id_token, token id_token, and id_token token indicate the implicit grant type: the ID tokens are sent directly to the client. |
| Token endpoint authentication method | The client authentication method that API Gateway uses to communicate with the OpenID provider when fetching the ID token in exchange for an authorization code. Supported values: client_secret_basic, client_secret_post. |
| Display | Optional. The type of user interface the OpenID provider displays for the end user authentication and consent flow. Supported values: none, page, popup, touch, wap. |
| Prompt | Optional. The type of user interface prompt the OpenID provider shows for end user reauthentication and consent. Supported values: none, login, consent, select_account. |
| Client id | An identifier that is unique to the client application. |
| Client secret | The password or phrase the client application uses to authorize communication with the end user. |
| Redirect hostname | The host name of the API Gateway redirect endpoint that is registered with the OpenID provider. |
| Redirect port | The port number on which the redirect endpoint listens for requests. |
| Max age | Optional. The maximum elapsed time (in seconds) since the end user was last authenticated. If this time has expired, the OpenID provider must re-authenticate the end user. |
| Locale | Optional. The display language of the user interface for the end user authentication and consent flow. |
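As an added example (not code from the API Gateway product), the following Python check mirrors the fields above: it derives the provider settings from a constructed discovery document, verifies that the chosen Response type, Token endpoint authentication method and Scope are consistent with what the provider advertises and that either a JSON Web Key endpoint or a Truststore alias is present, and validates the iss, aud, exp and auth_time (Max age) claims of an already decoded ID token. The discovery document, URLs, client id and function names are assumptions; the current time is passed in explicitly, and JWKS signature verification is outside what this snippet shows.

```python
import json

# Constructed sample discovery document (not from any real provider); the gateway
# form auto-fills its endpoint fields from such a document when a discovery URL is set.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://op.example.test",
    "token_endpoint": "https://op.example.test/token",
    "jwks_uri": "https://op.example.test/jwks",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
})

def provider_from_discovery(doc_json):
    """Map the discovery document onto the provider fields of the table above."""
    d = json.loads(doc_json)
    return {
        "token_issuer_endpoint": d["issuer"],
        "token_endpoint": d["token_endpoint"],
        "jwks_endpoint": d.get("jwks_uri"),
        "response_types": d.get("response_types_supported", []),
        "auth_methods": d.get("token_endpoint_auth_methods_supported", []),
    }

def check_config(provider, response_type, auth_method, scope, truststore_alias=None):
    """Return configuration problems (empty list when the settings are consistent)."""
    problems = []
    if "openid" not in scope.split():
        problems.append("scope must include openid to receive an ID token")
    if response_type not in provider["response_types"]:
        problems.append("response type %r not supported by provider" % response_type)
    if response_type == "code" and auth_method not in provider["auth_methods"]:
        problems.append("token endpoint auth method %r not supported" % auth_method)
    if not provider["jwks_endpoint"] and not truststore_alias:
        problems.append("no JWKS endpoint and no truststore alias: signatures cannot be verified")
    return problems

def check_id_token_claims(claims, provider, client_id, now, max_age=None):
    """Check iss, aud, exp and (when max_age is set) auth_time of a decoded ID token."""
    aud = claims.get("aud")
    problems = []
    if claims.get("iss") != provider["token_issuer_endpoint"]:
        problems.append("issuer mismatch")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("client id not in audience")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if max_age is not None and now - claims.get("auth_time", 0) > max_age:
        problems.append("authentication older than max age; re-authentication required")
    return problems
```

A missing auth_time claim is treated as an authentication of age zero, so a token without it fails the Max age check rather than passing silently.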