Up-party - OpenID Connect

FoxIDs up-party OpenID Connect which trust an external OpenID Provider (OP) / Identity Provider (IdP).

FoxIDs up-party OpenID Connect

It is possible to configure multiple OpenID Connect up-parties which then can be selected by down-parties.

How to guides:

It is recommended to use OpenID Connect Authorization Code flow with PKCE, because it is considered a secure flow.

Configuration

How to configure external OpenID Provider (OP) as an authority.

The following screen shot show the basic FoxIDs up-party OpenID Connect configuration available in FoxIDs Control Client.

More configuration options become available by clicking Show advanced settings.

Configure OpenID Connect

FoxIDs automatically calls the OpenID Configuration endpoint (.well-known/openid-configuration) on create. You can see the added configuration by opening the up-party again.

FoxIDs automatically read future updates. If the endpoint become unavailable for a period of time FoxIDs will stop the automated update process. It can be restarted by doing an up-party update in FoxIDs Control Client or API.

FoxIDs Control Client only support creating automatic updated up-parties using the OpenID Configuration endpoint. FoxIDs Control API support both automatic and manually updated up-parties. In manual you can specify all values and the OpenID Configuration endpoint (.well-known/openid-configuration) will not be called.

Default the up-party is configured for Authorization Code Flow, to use PKCE and read claim from the external access token. These settings can be changed.

The default client authentication method is client secret post and can be changed to client secret basic or private key JWT. Client authentication method none is supported with PKCE.

The scopes the FoxIDs up-party should send in the request to the external OP can be configured. E.g, profile or email.

The up-party only transfer default claims and configured claim to the down-partis.

Default transferred claims are sub, sid, acr and amr.

Change the claims the up-party pass on with claim transforms.

FoxIDs default use the brackets party pattern .../(up-party)/.... If not supported by the external OP (e.g., like Microsoft Entra ID), the pattern can be changed to the tildes party pattern .../~up-party~/... or dot party pattern .../.up-party./....

If necessary, a custom client ID can be configured, otherwise the up-party name is used as the client ID.

Optionally the issuer can be changed. Otherwise read from the OpenID Configuration endpoint. Furthermore, multiple issuers can be configured to trust tokens form multiple issuers signed with the same key (often used with Microsoft Entra ID).