OpenID Connect
OpenID Connect (OIDC) is a standardized authentication protocol built on the OAuth 2.0 framework. It enables clients to verify end-user identities through an authorization server and provides access to basic user profile information.
OIDC serves as a bridge to identity providers, offering a unified framework to connect applications with providers like Virto Commerce, Google, or Microsoft. These providers securely authenticate users and share identity details using OIDC protocols.
In the Virto Commerce Platform, you can:
- Use our individual identity modules for specific providers.
- Use our OIDC module to support any or multiple providers simultaneously.
Key features
- Authentication: Ensures secure user authentication and authorization.
- Single Sign-On (SSO): Allows users to log in once and gain access to multiple applications.
- User information: Provides access to user profile information.
- Interoperability: Works with various identity providers like Google, Microsoft, and others.
- Security: Implements robust security measures to protect user data.
Use OIDC module for identity providers setup
Our OpenID module allows using any, all, or a combination of the existing providers. To start using our OpenID module:
- Download and install it.
- Configure the appsettings.json file.
The oidc node in the appsettings.json file defines the settings for OpenID Connect authentication in Virto Commerce. This configuration enables integration with OIDC providers, allowing users to authenticate via external identity systems:
Node | Default value | Description |
---|---|---|
Enabled | false | Enables or disables the OIDC authentication. |
AuthenticationType | "oidc" | A unique identifier for the authentication method. |
AuthenticationCaption | "OpenID Connect" | A user-friendly name for the authentication method. |
AllowCreateNewUser | true | Allows creating new users upon successful authentication. |
DefaultUserType | "Manager" | Specifies the user type of newly created users. |
DefaultUserRoles | [] | List of roles assigned to newly created users. |
UserNameClaimType | "name" | Claim type used to retrieve the username. |
EmailClaimType | "email" | Claim type used to retrieve the email address. |
HasLoginForm | true | Displays a dedicated login form for this authentication method. |
Priority | 1 | Specifies the sorting order of the authentication method. |
LogoUrl | null | URL of the logo for the OpenID Connect authentication provider. |
Authority | "https://localhost:5001" | Base URL of the OIDC provider (identity server). |
ClientId | "your-client-id" | Client identifier issued by the OIDC provider. |
ClientSecret | "your-client-secret" | Confidential client secret issued by the OIDC provider. |
Scope | ["openid", "profile", "email"] | List of scopes requested from the OIDC provider. |
ResponseMode | "form_post" | Determines how the authorization response is returned. |
ResponseType | "id_token" | Specifies the type of response expected from the OIDC provider. |
GetClaimsFromUserInfoEndpoint | false | Enables retrieval of additional claims from the user info endpoint. |
CallbackPath | "/signin-oidc" | Path for redirection after successful authentication. |
SignedOutCallbackPath | "/signout-callback-oidc" | Path for redirection after successful logout. |
Google:

```json
"oidc": {
  "Enabled": true,
  "AuthenticationType": "google",
  "AuthenticationCaption": "Google",
  "Authority": "https://accounts.google.com",
  "ClientId": "your-client-id",
  "ClientSecret": "your-client-secret",
  "UserNameClaimType": "email"
}
```
Note
If you are using a single provider, you may not enter values for the callback paths. The system will use the default values.
Microsoft:

```json
"oidc": {
  "Enabled": true,
  "AuthenticationType": "microsoft",
  "AuthenticationCaption": "Microsoft",
  "Authority": "https://login.microsoftonline.com/your-tenant-id/v2.0",
  "ClientId": "your-application-id",
  "UserNameClaimType": "preferred_username"
}
```
Virto Commerce:

```json
"oidc": {
  "Enabled": true,
  "AuthenticationType": "virto",
  "AuthenticationCaption": "Virto Commerce",
  "Authority": "https://localhost:5001",
  "ClientId": "your-client-id",
  "ClientSecret": "your-client-secret",
  "ResponseMode": "query",
  "ResponseType": "code",
  "GetClaimsFromUserInfoEndpoint": true
}
```
Multiple providers:

```json
"oidc": [
  {
    "Enabled": true,
    "AuthenticationType": "virto",
    "AuthenticationCaption": "Virto Commerce",
    "Authority": "https://localhost:5001",
    "ClientId": "your-client-id",
    "ClientSecret": "your-client-secret",
    "CallbackPath": "/signin-virto",
    "SignedOutCallbackPath": "/signout-virto"
  },
  {
    "Enabled": true,
    "AuthenticationType": "google",
    "AuthenticationCaption": "Google",
    "Authority": "https://accounts.google.com",
    "ClientId": "your-client-id",
    "ClientSecret": "your-client-secret",
    "UserNameClaimType": "email",
    "CallbackPath": "/signin-google",
    "SignedOutCallbackPath": "/signout-google"
  },
  {
    "Enabled": true,
    "AuthenticationType": "microsoft",
    "AuthenticationCaption": "Microsoft",
    "Authority": "https://login.microsoftonline.com/your-tenant-id/v2.0",
    "ClientId": "your-application-id",
    "UserNameClaimType": "preferred_username",
    "CallbackPath": "/signin-microsoft",
    "SignedOutCallbackPath": "/signout-microsoft"
  }
]
```
Note
If using multiple providers, make sure you use unique authentication types and callback paths for each.
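As an added example (not part of the Virto Commerce module or its documentation), a small Python lint that applies the constraints stated above to the oidc node before deployment: it accepts both the single-object and the array shape, fills in the defaults from the settings table, and reports duplicate authentication types or callback paths, non-https authorities, a missing openid scope, and placeholder credentials left over from the examples. The sample appsettings document and its values are constructed for this example.

```python
import json

# Defaults from the settings table above, applied when a provider omits the key.
DEFAULTS = {"Enabled": False, "AuthenticationType": "oidc", "Scope": ["openid", "profile", "email"],
            "CallbackPath": "/signin-oidc", "SignedOutCallbackPath": "/signout-callback-oidc"}
# Sample values used in the documentation examples; they must not reach a deployment.
PLACEHOLDERS = ("your-client-id", "your-client-secret", "your-application-id", "your-tenant-id")
# Keys that must be unique across enabled providers so each callback reaches the right handler.
UNIQUE_KEYS = ("AuthenticationType", "CallbackPath", "SignedOutCallbackPath")


def lint_oidc(settings: dict) -> list:
    """Check the 'oidc' node (single object or array) and return a list of findings."""
    node = settings.get("oidc", [])
    providers = node if isinstance(node, list) else [node]
    findings, seen = [], {key: {} for key in UNIQUE_KEYS}
    for i, provider in enumerate(providers):
        cfg = {**DEFAULTS, **provider}
        if not cfg["Enabled"]:
            continue  # disabled providers are not registered, so they cannot collide
        name = f"provider {i} ({cfg['AuthenticationType']})"
        for key in UNIQUE_KEYS:
            # Defaults collide too: two providers without explicit paths both end up
            # on /signin-oidc and /signout-callback-oidc.
            if cfg[key] in seen[key]:
                findings.append(f"{name}: {key} '{cfg[key]}' is also used by provider {seen[key][cfg[key]]}")
            seen[key].setdefault(cfg[key], i)
        authority = str(cfg.get("Authority", ""))
        if not authority.startswith("https://"):
            findings.append(f"{name}: Authority must be an https URL, got '{authority}'")
        if "openid" not in cfg["Scope"]:
            findings.append(f"{name}: Scope must include 'openid'")
        for key in ("Authority", "ClientId", "ClientSecret"):
            if any(ph in str(cfg.get(key, "")) for ph in PLACEHOLDERS):
                findings.append(f"{name}: {key} still holds a documentation placeholder")
    return findings


# Constructed sample: the second provider reuses the first one's callback path,
# inherits the same default sign-out path, and still carries a placeholder ClientId.
SAMPLE_APPSETTINGS = json.loads("""{
  "oidc": [
    {"Enabled": true, "AuthenticationType": "virto", "Authority": "https://localhost:5001",
     "ClientId": "platform", "ClientSecret": "<secret>", "CallbackPath": "/signin-virto"},
    {"Enabled": true, "AuthenticationType": "google", "Authority": "https://accounts.google.com",
     "ClientId": "your-client-id", "ClientSecret": "<secret>", "CallbackPath": "/signin-virto"},
    {"Enabled": false, "AuthenticationType": "microsoft", "Authority": "http://disabled.example"}
  ]
}""")
```

Running lint_oidc(SAMPLE_APPSETTINGS) yields three findings for the google entry: the shared CallbackPath, the shared default SignedOutCallbackPath, and the placeholder ClientId.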
You can now use the registered identity provider.