
FAQs

The following are frequently asked questions for the OIDC Token Authentication Connector.

Q: Which IdPs are supported for OIDC access tokens?

A: The connector supports any third-party IdP that is OAuth2.0 compliant and supports OIDC. Any IdP, including a legacy one, that follows https://openid.net/connect/ for managing the life cycle of OIDC tokens can be used.

Q: Do different OAuth2.0 IDPs need different solutions?

A: The connector is agnostic to the third-party IdP, as long as that IdP is capable of generating and managing OIDC tokens.

Q: Does Cloud API Management act as a Relying Party (RP) in the OIDC flow?

A: No. The consuming app continues to act as the Relying Party (RP) and is responsible for initiating the OIDC token fetch. Cloud API Management continues to act as a gateway even when a third-party OIDC token endpoint is behind Cloud API Management.

Q: Does the OpenID Token Authentication connector support OpenID Connect end-to-end token validation flow?

A: An OIDC-enabled IdP can return a JSON object with the ID token, an access token, and an optional refresh token. The ID token is in JWT format. The client app, which also acts as the RP (Relying Party), then accesses the backend API via the Cloud API Management platform, providing the ID token (JWT) in the Authorization header.

Q: Does the connector support acquiring or fetching third-party OIDC ID tokens?

A: The connector does not acquire third-party OIDC tokens for any grant type ('Client Credentials', 'Resource Owner Password', 'Implicit', 'Authorization Code'). The consuming client app acts as the RP (Relying Party) and is responsible for acquiring the OIDC token upfront.

Q: Which OAuth2.0 grant types are supported?

A: The connector supports the following OAuth2.0 grant types: 'Client Credentials', 'Resource Owner Password', 'Implicit', and 'Authorization Code'. The connector validates an OIDC token using the UserInfo endpoint provided by the third-party IdP. Current support is compliant with https://oauth.net/2.1/.

Q: Does the connector support refreshing expired OIDC tokens?

A: The connector does not refresh expired tokens. The client application that uses it is responsible for refreshing the expired token with the third-party IdP.

Q: How many UserInfo endpoints does the connector support for ID token validation?

A: Cloud API Management recommends configuring no more than ten UserInfo endpoints per service endpoint for a geo-distributed OAuth2.0 authorization server.

Q: What are the guidelines for setting the UserInfo endpoint for ID token validation?

A: Because different third-party OAuth2.0 authorization servers respond differently, the connector handles token validation according to the business rules below. Configure the UserInfo endpoint using these guidelines.

A UserInfo endpoint response with status code 200 OK is treated as a successful ID token validation.

Any status code other than 200 OK from the UserInfo validation endpoint is treated as an ID token validation failure.

Q: Does the connector support JSONPath expression to parse JSON response after successful token validation?

A: Yes. The connector supports JSONPath to parse JSON responses after successful token validation from the UserInfo endpoint. Refer to JSONPath and XPath for more information.
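The following Python sketch is an added illustration of the two validation rules above (200 OK means success, anything else means failure) and of the JSONPath step described in this answer; it is not the connector's own code. The endpoint URLs, the sample token, the sequential fallback across several configured UserInfo endpoints, and the minimal JSONPath subset are all assumptions made for the example.

```python
import json
import urllib.error
import urllib.request

def http_fetch(url, token, timeout=5):
    """GET a UserInfo endpoint with the app's ID token as bearer; returns (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # non-2xx becomes a status, not an exception
        return err.code, err.read()

def validate_id_token(token, endpoints, fetch=http_fetch):
    """FAQ rule: 200 OK from UserInfo means the ID token is valid, any other status is a
    failure. Trying endpoints in order is an assumption here. Returns (is_valid, userinfo)."""
    for url in endpoints:
        status, body = fetch(url, token)
        if status == 200:
            return True, json.loads(body)
    return False, None

def jsonpath_get(doc, path):
    """Minimal JSONPath subset ('$.a.b[0].c': dotted keys, int indexes); not the connector's engine."""
    node = doc
    for part in path.lstrip("$").strip(".").replace("]", "").split("."):
        key, *indexes = part.split("[")
        if key:
            node = node[key]
        for i in indexes:
            node = node[int(i)]
    return node

# Constructed offline stand-in for a geo-distributed IdP: the first endpoint is down,
# the second accepts exactly one sample token.
SAMPLE_ENDPOINTS = ["https://idp.example.test/eu/userinfo", "https://idp.example.test/us/userinfo"]
SAMPLE_USERINFO = {"sub": "u123", "email": "dev@example.test", "groups": ["api-dev"]}

def fake_fetch(url, token):
    if url.endswith("/eu/userinfo"):
        return 503, b"service unavailable"
    if token == "sample-valid-id-token":
        return 200, json.dumps(SAMPLE_USERINFO).encode()
    return 401, b'{"error": "invalid_token"}'

def check_request(token, claim_path="$.groups[0]"):
    """Gateway-side decision for one request: (allowed, claim extracted via JSONPath)."""
    ok, userinfo = validate_id_token(token, SAMPLE_ENDPOINTS, fetch=fake_fetch)
    return ok, (jsonpath_get(userinfo, claim_path) if ok else None)
```

Swapping `fake_fetch` for the default `http_fetch` runs the same decision against a real UserInfo endpoint.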