OpenID Connect

Introduction

Trustelem supports authorization code and implicit flows, as well as the OpenID Connect Discovery 1.1 standard.

If your application supports the discovery standard

You need to configure the application with the following settings:

  • ClientID: trustelem.oidc.gi2dXXXX
  • ClientSecret: kmzHGEKEKFH51r0xXXXXXXXXXXXXX
  • Issuer: https://mydomain.trustelem.com/app/150XXX
  • Metadata URL (if required): https://mydomain.trustelem.com/app/150XXX/.well-known/openid-configuration

If your application does not support the discovery standard

Additional parameters are necessary:

  • Authorize endpoint: https://mydomain.trustelem.com/app/150XXX/auth
  • Token endpoint: https://mydomain.trustelem.com/app/150XXX/token
  • User Info endpoint: https://mydomain.trustelem.com/app/150XXX/userinfo
  • JWKS: {"keys":[{"kty":"RSA","use":"sig","kid":"150XXX","alg":"RS256","n":"XXX...XXX","e":"AQAB"}]}

Note

  • RedirectURI: this URL has to be the same as the one defined in the application.

    For example, the URL could be: https://myapplication.tld/redirect_uri

  • Login URL: the application’s URL starting the OpenID Connect flow. It is used as a target to the application on the Trustelem user’s dashboard.

    For example, the URL could be: https://myapplication.tld/sso-login

  • To log users out from inside the application, associate a logout URL with an HTML element such as a button or a link.

    This logout URL is the redirect_uri with a logout= query parameter whose value is the post-logout URL in URL-encoded form.

    For example, the logout URL could be: https://myapplication.tld/redirect_uri?logout=https%3A%2F%2Fmyapplication.tld

  • PostLogoutRedirectURI: the URL that indicates where to go after a logout. It is usually defined in the logout HTML element of your application.

    With the previous logout example, the PostLogout URL would be: https://myapplication.tld
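The following helpers, added here as an illustration and not part of Trustelem's own code, show how an application can check a discovery document against the configured Issuer, build the authorization request, build the logout URL described above, and check the ID token claims. The discovery document is constructed from the placeholder values on this page; its jwks_uri path, and the state and nonce values, are assumptions.

```python
"""Helpers for wiring an application to a Trustelem OpenID Connect app."""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed settings, modelled on the placeholder values on this page.
CLIENT_ID = "trustelem.oidc.gi2dXXXX"
ISSUER = "https://mydomain.trustelem.com/app/150XXX"
REDIRECT_URI = "https://myapplication.tld/redirect_uri"

# Constructed discovery document of the shape served at
# ISSUER + "/.well-known/openid-configuration".
DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/auth",
    "token_endpoint": ISSUER + "/token",
    "userinfo_endpoint": ISSUER + "/userinfo",
    "jwks_uri": ISSUER + "/jwks",  # assumed path; the page gives the JWKS inline instead
}

REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(doc, expected_issuer):
    """Reject a discovery document whose issuer differs from the configured one
    (the check OpenID Connect Discovery requires) or that lacks an endpoint."""
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % doc.get("issuer"))
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError("discovery document lacks: %s" % ", ".join(missing))
    return doc

def _append_query(url, params):
    """Add params to url, preserving any query string it already carries."""
    parts = urlsplit(url)
    query = parts.query + ("&" if parts.query else "") + urlencode(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))

def build_authorize_url(doc, client_id, redirect_uri, state, nonce):
    """Authorization-code request; state and nonce must be unguessable per session."""
    return _append_query(doc["authorization_endpoint"], {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid", "state": state, "nonce": nonce,
    })

def build_logout_url(redirect_uri, post_logout_uri):
    """Logout link: the redirect_uri with the URL-encoded post-logout URL in logout=."""
    return _append_query(redirect_uri, {"logout": post_logout_uri})

def id_token_claims_ok(claims, expected_issuer, client_id, nonce):
    """Claim checks to run after the signature has been verified against the JWKS."""
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == expected_issuer and client_id in aud
            and claims.get("nonce") == nonce)
```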