OIDC

The OIDC Connector provides a way for Maverics to interact with any OIDC provider. The Connector automatically fetches the provider metadata from oidcWellKnownURL and uses the API endpoints listed there to authenticate users and perform session validation.

By default, the OIDC connector follows the Authorization Code Flow with Proof Key for Code Exchange (PKCE). If the OIDC provider does not support PKCE, set the disablePKCE option to true.

Configuration options

The following values can be provided to the OIDC Connector via the Maverics configuration file.

OAuth Client ID

oauthClientID is the client ID of the Maverics application registered in the OIDC provider organization.

OAuth Client Secret

oauthClientSecret is the client secret used to register the Maverics application with the OIDC provider.

OAuth Login Redirect

oauthLoginRedirect is used to define login redirect callback URLs.

It defines the URLs that the OIDC provider redirects the client back to after authentication. Each entry must be an absolute URL and match one of the URLs registered on the provider exactly. If no match is found during the auth flow, the first URL in the urls list is used.

The orchestrator will serve the callback handlers on all URLs specified in the urls field under this section.

ℹ️
The paths of the urls entries must not conflict with the path of any application resource. The path itself can be arbitrary (e.g. /maverics-oidc or /oidc-handler).

OIDC Well-known URL

oidcWellKnownURL is the URL that returns OpenID Connect metadata about the OIDC provider authorization server.

OAuth Logout Redirect

oauthLogoutRedirect defines the URLs that the OIDC provider redirects the client back to after logging the user out.

Each entry must be an absolute URL and match one of the URLs registered on the provider exactly. If no match is found during the logout flow, the first URL in the urls list is used.

The orchestrator will serve the callback handlers on all URLs specified in the urls field under this section.

ℹ️
The paths of the urls entries must not conflict with the path of any application resource. The path itself can be arbitrary (e.g. /oidc-logout or /logout-handler).

Disable PKCE

disablePKCE disables the Proof Key for Code Exchange (PKCE) extension (enabled by default).

Offline Access

offlineAccess is an optional configuration that allows the OIDC connector to refresh the access and ID tokens using a valid refresh token. This is useful for long-lived sessions where the access or ID token may expire while the user is still authenticated. Upon a successful token refresh, the user’s session attributes are updated with the latest claims. The minimum allowed refresh interval is 10 seconds.

ℹ️
If the underlying OIDC provider returns an authentication-related error during a background refresh, the user’s session is invalidated and the user is required to re-authenticate. This is done out of an abundance of caution and to handle cases in which the user or the OIDC client has been removed from the IDP.

This feature currently offers limited support for OIDC applications. For assistance, please contact Maverics support. It is fully compatible with proxy and SAML applications.

Enabled

enabled is a boolean flag that indicates whether the offline access feature is enabled. If set to true, the connector attempts to use the refresh token to obtain new tokens before the current ones expire.

ℹ️
To make sure policy evaluations always use the latest information, set your policy’s decision.lifetime slightly longer than the interval for token refreshing. Avoid using negative decision lifetimes unless necessary, as they disable policy caching and can hurt performance. Please see the proxy app documentation for more details.

Scopes

scopes is the space-separated list of scopes requested as part of the OIDC authentication flows. If not defined, it defaults to openid profile email.

Health Check

healthCheck defines an optional health check for the connector. This option is required when using the connector in an IDP-continuity scenario. For more info on how to define the health check, please see the docs.

Examples

OIDC Connector Configuration

connectors:
  - name: mavericsOIDC
    type: oidc
    oidcWellKnownURL: https://example.com/.well-known/openid-configuration
    oauthClientID: exampleID
    oauthClientSecret: exampleSecret
    oauthLoginRedirect:
      urls:
        - https://host1.example.com/oidc
        - https://host2.example.com/oidc
    oauthLogoutRedirect:
      urls:
        - https://host1.example.com/logout
        - https://host2.example.com/logout
    disablePKCE: false
    scopes: openid profile email custom-scope
    offlineAccess:
      enabled: false
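An added example, not part of Maverics or this page, that checks a connector block like the one above against the rules stated in the option descriptions: redirect entries must be absolute URLs whose paths stay clear of application resources, PKCE should stay enabled when the provider advertises support for it, and scopes must carry openid. The discovery document, connector block and application paths are constructed sample data; requiring https for redirect URLs is this example's own stricter rule, not something the page states.

```python
# Added example (not Maverics code): lint an OIDC connector config against the
# provider's discovery document, applying the rules described on this page.
# DISCOVERY, CONNECTOR and APP_PATHS are constructed sample data.
from urllib.parse import urlparse

DISCOVERY = {  # what a GET of oidcWellKnownURL would return (constructed)
    "issuer": "https://example.com",
    "authorization_endpoint": "https://example.com/authorize",
    "token_endpoint": "https://example.com/token",
    "code_challenge_methods_supported": ["S256"],
}

CONNECTOR = {  # constructed; deliberately misconfigured in four places
    "name": "mavericsOIDC",
    "type": "oidc",
    "oidcWellKnownURL": "https://example.com/.well-known/openid-configuration",
    "oauthLoginRedirect": {"urls": ["https://host1.example.com/oidc",
                                    "http://host2.example.com/oidc"]},
    "oauthLogoutRedirect": {"urls": ["https://host1.example.com/app/logout"]},
    "disablePKCE": True,
    "scopes": "profile email",
    "offlineAccess": {"enabled": True},
}

APP_PATHS = ["/app"]  # path prefixes served by the protected app (constructed)


def pick_redirect(urls, requested):
    """Page rule: use the exact match if present, else the first listed URL."""
    return requested if requested in urls else urls[0]


def lint(connector, discovery, app_paths):
    findings = []
    for key in ("oauthLoginRedirect", "oauthLogoutRedirect"):
        for url in connector[key]["urls"]:
            parsed = urlparse(url)
            if parsed.scheme != "https" or not parsed.netloc:  # absolute + TLS
                findings.append(f"{key}: {url} is not an absolute https URL")
            if any(parsed.path == p or parsed.path.startswith(p + "/")
                   for p in app_paths):
                findings.append(f"{key}: {parsed.path} collides with an app path")
    if connector.get("disablePKCE") and "S256" in \
            discovery.get("code_challenge_methods_supported", []):
        findings.append("disablePKCE is true but the provider supports S256 PKCE")
    scopes = connector.get("scopes", "openid profile email").split()
    if "openid" not in scopes:
        findings.append("scopes must include openid")
    return findings
```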