Hello Jiakai,
The above template URL that you have described would be the Relying Party initiation URL.
To initiate directly at the OpenID Connect Provider you'd want to use the following format:
https://<oidc-provider-reverse-proxy:port>/mga/sps/oauth/oauth20/authorize?client_id=client_id&scope=openid%20scope1%20scope2&response_type=response_type&redirect_uri=redirect_uri&state=state
Unfortunately, since 'state' is a required parameter as per the OIDC specification, and since it is randomly generated by the OIDC RP, if you initiate this via the OpenID Connect Provider while using the ISAM Federation OIDC RP it will throw an invalid state parameter error, as the state will not match. There is an advanced configuration that allows you to make 'authorize' requests without a state parameter, but that is not allowed as per the OIDC specification linked above.
You must have a 'state' parameter and it must be determined by the OIDC RP, meaning that you can't perform IdP-initiated OIDC flows using the Federation module.
Respectively, you can derive the values for the query parameters as such:
A) client_id
- Navigate to 'Secure Federation -> Manage -> Federations'
- Select your OIDC RP Federation and click 'Partners'
- Select the Partner in question and click 'Edit'
- Navigate to the 'Client Credentials' page in the Partner configuration menu and use the value for 'Client ID'
B) scope
- Navigate to 'Secure Federation -> Manage -> Federations'
- Select your OIDC RP Federation and click 'Partners'
- Select the Partner in question and click 'Edit'
- Navigate to the 'Scope' Page of the Partner Configuration
- To create the 'value' for this query parameter separate each configured scope with '%20' which is the URL Encoded space value
- A minimum scope of 'openid' is required
C) response_type
- Navigate to 'Secure Federation -> Manage -> Federations'
- Select your OIDC RP Federation and click 'Edit'
- Navigate to the 'Basic Configuration' page in the Federation Configuration and create the 'value' by separating the checked values of 'Default Response Types' with '%20'
- A table of acceptable values can be found here:
- https://openid.net/specs/openid-connect-core-1_0.html#Authentication
D) redirect_uri
- This is crafted by ISAM using the following formula:
- https://<oidc-rp-reverse-proxy:port>/<junction>/sps/oidc/<oidcrp-federation-name>/redirect/<oidcrp-federation-partner-name>
- The whole value for 'redirect_uri' must be URL encoded
So, even though you can craft the URL yourself it looks like it's not possible to start from the OIDC OP endpoint as the state will not match on the OIDC RP endpoint.
#Support #SupportMigration #Verify
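The following is an added worked example, not code from the post above or from ISAM. It assembles the OP-initiated authorize URL from the values described in steps A) through D), doing the '%20' and redirect_uri encoding the post calls for, and then models the state check that makes the hand-crafted URL fail at the Federation OIDC RP. The host names, junction, federation name, partner name and client ID are assumed placeholders; the RelyingParty class is a toy stand-in that mints a random state per login and accepts only a state it issued, which is the behaviour the post describes.

```python
"""Added example (not ISAM code): build the OP-initiated authorize URL and
show why an RP that mints its own random state rejects it."""
import secrets
from urllib.parse import urlencode, quote, urlsplit, parse_qs

# Assumed placeholder values; substitute the ones read from your federation config.
OP_HOST = "op.example.com:443"   # assumed <oidc-provider-reverse-proxy:port>
RP_HOST = "rp.example.com:443"   # assumed <oidc-rp-reverse-proxy:port>
JUNCTION = "isam"                # assumed junction name
FEDERATION = "oidcrp-fed"        # assumed OIDC RP federation name
PARTNER = "op-partner"           # assumed partner name
CLIENT_ID = "my-client-id"       # assumed value from the 'Client Credentials' page

AUTHORIZE_PATH = "/mga/sps/oauth/oauth20/authorize"


def build_redirect_uri(rp_host, junction, federation, partner):
    """redirect_uri as ISAM derives it (the formula quoted in step D)."""
    return f"https://{rp_host}/{junction}/sps/oidc/{federation}/redirect/{partner}"


def build_authorize_url(op_host, client_id, scopes, response_types, redirect_uri, state):
    """Compose the authorize URL. urlencode(..., quote_via=quote) turns the spaces
    between scopes / response types into '%20' and percent-encodes the whole
    redirect_uri (':' and '/' included), which is what steps B, C and D require."""
    if "openid" not in scopes:
        raise ValueError("scope must include 'openid'")
    if not state:
        raise ValueError("state is required")
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "response_type": " ".join(response_types),
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"https://{op_host}{AUTHORIZE_PATH}?" + urlencode(params, quote_via=quote)


class RelyingParty:
    """Toy stand-in for the Federation OIDC RP: it generates a random state for
    every login it starts and accepts a callback only if the returned state is
    one it issued. This is a model of the behaviour described in the post."""

    def __init__(self):
        self._pending = set()

    def start_login(self, op_host, client_id, scopes, response_types, redirect_uri):
        state = secrets.token_urlsafe(16)          # RP, not the caller, picks the state
        self._pending.add(state)
        return build_authorize_url(op_host, client_id, scopes, response_types, redirect_uri, state)

    def handle_callback(self, callback_url):
        qs = parse_qs(urlsplit(callback_url).query)
        state = qs.get("state", [None])[0]
        if state not in self._pending:
            return "invalid state parameter"
        self._pending.discard(state)               # one-time use
        return "ok"


def _simulate_op_callback(authorize_url, redirect_uri):
    """Simulated OP response: it echoes the received state back to redirect_uri."""
    state = parse_qs(urlsplit(authorize_url).query)["state"][0]
    return f"{redirect_uri}?code=AUTHCODE&state={quote(state, safe='')}"


def op_initiated_flow():
    """Hand-crafted authorize URL carrying a state the RP never issued."""
    rp = RelyingParty()
    redirect_uri = build_redirect_uri(RP_HOST, JUNCTION, FEDERATION, PARTNER)
    url = build_authorize_url(OP_HOST, CLIENT_ID, ["openid", "profile"], ["code"],
                              redirect_uri, "crafted-state")
    return rp.handle_callback(_simulate_op_callback(url, redirect_uri))


def rp_initiated_flow():
    """Same exchange, but the RP chose the state, so the callback is accepted."""
    rp = RelyingParty()
    redirect_uri = build_redirect_uri(RP_HOST, JUNCTION, FEDERATION, PARTNER)
    url = rp.start_login(OP_HOST, CLIENT_ID, ["openid", "profile"], ["code"], redirect_uri)
    return rp.handle_callback(_simulate_op_callback(url, redirect_uri))


if __name__ == "__main__":
    redirect = build_redirect_uri(RP_HOST, JUNCTION, FEDERATION, PARTNER)
    print(build_authorize_url(OP_HOST, CLIENT_ID, ["openid", "profile"], ["code"], redirect, "x"))
    print("OP-initiated:", op_initiated_flow())
    print("RP-initiated:", rp_initiated_flow())
```

Running the script prints a correctly encoded authorize URL, then "invalid state parameter" for the OP-initiated attempt and "ok" for the RP-initiated one; the only difference between the two is who chose the state value, which is the point the post makes.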