Last updated December 19, 2025

Oidc (Section)#

Path: /profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc

OpenID Connect methods

Parameters#

Name	Type	Required	Default	Description
configuration-url	`uri`	required		The url to the openid-configuration document at theOpenID server (must end in ‘/.well-known/openid-configuration’)
client-id	`string`	required		The client-id, registered at the OpenID server
use-http-basic-authentication	`boolean`	optional	`false`	Send the client credentials using HTTP Basic authentication. When false, the credentials are sent in the request-body
scope	`string`	optional	`openid`	Scope to ask the OpenID server for, space separated
clock-skew	`uint32`	optional	`60`	The allowed clock-skew in seconds when validating the JWT from the OpenID Server
authentication-context-class-reference	`non-empty-string`	optional		The Authentication Context Class Reference (ACR) or authentication method that should be sent in the request to the OpenID Server
http-client	`leafref`	optional		A reference to the Http Client to use. If not defined, the default HTTP client is used
use-subject-for-login-hint	`boolean`	optional	`false`	If there is a previously authenticated subject, pass the subject as login_hint to the OpenID Server.
prompt-login	`enumeration`	optional		Setting controlling sending of prompt=login parameter. By default, it is not sent.
redirect-uri-override	`uri`	optional		An optional override of the redirect URI that will be used in the authorization requests. The OP will redirect to this URI, however the actual redirect URI of this authenticator will remain unchanged. This means that the authorization response has to be relayed to the actual redirect URI of this authenticator.

Subsections#

Name	Type	Description
client-authentication-method	OneOf	None
encrypted-id-token	Section	ID Token is expected to be encrypted
fetch-userinfo	Section	Fetch claims from the userinfo endpoint
parameter-mappings	Section	None

Was this helpful?