3.19.9. <openidconnect>

3.19.9.1. Item description

This item describes the settings for authentication over the OpenID Connect protocol. It applies to the thin client, mobile client, and web client. The <openidconnect> item is subordinate to the <point> item; no more than one is allowed. The <providers> and <allowStandardAuthentication> items are subordinate to <openidconnect>; each of them may occur no more than once.

This item does not have any attributes.

<openidconnect>
  <providers><![CDATA[[
    <json-data>
  ]]]>
  </providers>
  <allowStandardAuthentication>true</allowStandardAuthentication>
</openidconnect>

3.19.9.2. <providers>

This item contains the description of external OpenID providers that support the OpenID Connect 1.0 authentication protocol (https://openid.net/connect/). The description is a JSON-serialized array of objects, one object per OpenID provider.

Each provider is described by an object with the following properties:

  • name. Provider ID. Must be unique within the array; if several providers share the same ID, the last one is used.
  • title. Text label of the provider. Shown on the provider button on the authentication page unless an image (image) is specified.
  • image. Graphical label of the provider. Shown on the provider button on the authentication page. Specified as a data:image URI with Base64-encoded content.
  • discovery. URL of the provider's discovery endpoint, from which all of its settings are retrieved. Providers that support a discovery endpoint are recommended.
  • authenticationClaimName. Name of the field (claim) of the authentication result (a JSON Web Token, JWT) that serves as the identifier for mapping the provider's user to an infobase user. If not specified, the email claim is used.
  • authenticationUserPropertyName. Infobase user property that is compared with the identifier received from the OpenID Connect provider. One of the following values:
    • name. The user name (the Name property of the InfoBaseUser object).
    • OSUser. The operating system user name (the OSUser property of the InfoBaseUser object).
    • email. The infobase user's email address (the Email property of the InfoBaseUser object).
    • matchingKey. The UserMatchingKeys collection of the user is used: the value stored under the key equal to the provider's name property is compared with the identifier.
  • endSessionEndpoint. URL to open when the command to end the authentication session is executed. The id_token_hint parameter, carrying the token received during user authentication, is appended to this URL automatically. Closing the browser tab with the running web client, or exiting the client application, does not end the authentication session. After the authentication session is ended in the web client, the standard session-end page is shown.
  • providerconfig. Provider settings as a JSON structure, for providers that do not support the settings (discovery) request. The data must be in OpenID Provider Metadata format (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
  • clientconfig. Client configuration as a JSON structure. Its format matches the OAuth 2.0 Authorization Request (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest), supplemented with the authority property, which must contain the URL of the authentication provider; its value depends on the provider.

    Depending on the required authentication type, the response_type property can take the following values:

    • code. Authorization Code Flow. The client_secret property of the clientconfig structure holds the secret issued to the client by the OpenID provider at registration. This property is removed from the clientconfig structure before it is sent to the client application.
    • id_token or id_token token. Implicit Flow. The client_secret property of the clientconfig structure is not used. The Implicit Flow is not recommended for security reasons and is supported for compatibility only.
    • Other combinations are not supported.

      The redirect_uri property of the clientconfig structure is the URL of the authentication handler page in the application that requested authentication. As a rule it has the form https://IBhost/IBname/authform.html, where:

    • IBhost. Name of the host on which the infobase is published.
    • IBname. Name under which the infobase is published (the value of the Name field in the infobase publication dialog box, or the equivalent value if another publication method is used).
  • dialect. Protocol used to interact with the provider. If ru-esia is specified, the protocol of the Unified System of Identification and Authentication (USIA, https://minsvyaz.ru/ru/activity/directions/13/) is used. If this property is not specified or has any value other than ru-esia, OpenID Connect 1.0 is used.
  • crypto. Structure describing the cryptography module used to sign requests. Request signing is required when the USIA protocol is used (the dialect property equals ru-esia). The structure contains the following properties:
    • module_name. Cryptography module name.
    • module_path. Cryptography module path.
    • module_type. Cryptography module type.
    • cert_thumbprint. Thumbprint of the certificate used to sign requests. The certificate is looked up by thumbprint and must already be in the personal certificate store.

      The fields of the crypto structure correspond to the parameters of the CryptographyManager object constructor.
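The following Python script is added here as an illustration; it is not part of 1C:Enterprise or its documentation. It reads the <openidconnect> block out of a default.vrd document and checks the providers array against the rules above: unique provider names (the last one wins, so an earlier duplicate is dead configuration), a discovery URL or providerconfig present, a supported response_type, client_secret present for the code flow and absent for the implicit flow, and a complete crypto structure when dialect is ru-esia. The https check on redirect_uri and the openid scope check are general OpenID Connect requirements rather than rules stated on this page; the finding codes, the NO_LOGIN_PATH check (allowStandardAuthentication false with no providers) and the sample document are constructed for the example.

```python
"""Static checks for the <openidconnect> block of a default.vrd file (added example)."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample, trimmed to the elements that matter: one sound provider
# (idp) and two problematic ones that both use the name "legacy".
SAMPLE_VRD = """<point>
<openidconnect>
<providers><![CDATA[[
{"name": "idp", "title": "Corporate IdP",
 "discovery": "https://idp.example.com/.well-known/openid-configuration",
 "clientconfig": {"authority": "https://idp.example.com/", "client_id": "erp",
   "client_secret": "s3cret", "response_type": "code", "scope": "openid email",
   "redirect_uri": "https://erp.example.com/openidc/authform.html"}},
{"name": "legacy", "title": "Legacy IdP",
 "clientconfig": {"authority": "https://legacy.example.com/", "client_id": "erp",
   "client_secret": "unused", "response_type": "id_token token", "scope": "openid",
   "redirect_uri": "http://erp.example.com/openidc/authform.html"}},
{"name": "legacy", "title": "Same name again", "dialect": "ru-esia",
 "providerconfig": {"authorization_endpoint": "https://esia.example.com/aas/oauth2/ac"},
 "clientconfig": {"authority": "https://esia.example.com/aas/oauth2/ac", "client_id": "erp",
   "response_type": "code", "scope": "openid",
   "redirect_uri": "https://erp.example.com/openidc/authform.html"}}
]]]></providers>
<allowStandardAuthentication>false</allowStandardAuthentication>
</openidconnect>
</point>
"""

REQUIRED_CLIENT_KEYS = ("authority", "client_id", "redirect_uri", "response_type", "scope")
CRYPTO_KEYS = ("module_name", "module_path", "module_type", "cert_thumbprint")


def _child(elem, local_name):
    """First descendant with the given local tag name, ignoring any XML namespace."""
    for node in elem.iter():
        if node.tag.rsplit("}", 1)[-1] == local_name:
            return node
    return None


def load_openidconnect(vrd_text):
    """Return (providers, allowStandardAuthentication) parsed from default.vrd text."""
    oidc = _child(ET.fromstring(vrd_text), "openidconnect")
    if oidc is None:
        return [], True
    providers_node = _child(oidc, "providers")
    providers = json.loads(providers_node.text) if providers_node is not None else []
    allow_node = _child(oidc, "allowStandardAuthentication")
    allow_std = allow_node is None or (allow_node.text or "").strip().lower() == "true"
    return providers, allow_std


def audit(vrd_text):
    """Return findings as (provider name, code, message) tuples; an empty list means clean."""
    providers, allow_std = load_openidconnect(vrd_text)
    findings = []
    if not allow_std and not providers:
        findings.append(("*", "NO_LOGIN_PATH", "standard authentication is off and no provider is configured"))
    seen = set()
    for p in providers:
        name = p.get("name", "")
        if name in seen:  # the last definition wins, so the earlier one is dead config
            findings.append((name, "DUPLICATE_NAME", "an earlier provider with this name is silently ignored"))
        seen.add(name)
        if not (p.get("discovery") or p.get("providerconfig")):
            findings.append((name, "NO_PROVIDER_METADATA", "neither discovery nor providerconfig is set"))
        cc = p.get("clientconfig")
        if not isinstance(cc, dict):
            findings.append((name, "NO_CLIENTCONFIG", "clientconfig structure is missing"))
            continue
        for key in REQUIRED_CLIENT_KEYS:
            if key not in cc:
                findings.append((name, "MISSING_CLIENT_KEY", f"clientconfig.{key} is missing"))
        if "openid" not in cc.get("scope", "").split():
            findings.append((name, "SCOPE_WITHOUT_OPENID", "OpenID Connect requires the openid scope"))
        flow = frozenset(cc.get("response_type", "").split())  # token order is not significant
        if flow == {"code"}:
            if "client_secret" not in cc:
                findings.append((name, "NO_CLIENT_SECRET", "code flow but clientconfig.client_secret is absent"))
        elif flow in ({"id_token"}, {"id_token", "token"}):
            findings.append((name, "IMPLICIT_FLOW", "implicit flow is for compatibility only; prefer response_type code"))
            if "client_secret" in cc:
                findings.append((name, "UNUSED_CLIENT_SECRET", "client_secret is ignored by the implicit flow; remove it"))
        else:
            findings.append((name, "UNSUPPORTED_RESPONSE_TYPE", f"response_type {cc.get('response_type')!r} is not supported"))
        if urlparse(cc.get("redirect_uri", "")).scheme != "https":
            findings.append((name, "INSECURE_REDIRECT_URI", "redirect_uri must be https; the token is delivered through it"))
        if p.get("dialect") == "ru-esia":
            missing = [k for k in CRYPTO_KEYS if k not in (p.get("crypto") or {})]
            if missing:
                findings.append((name, "INCOMPLETE_CRYPTO", "ru-esia needs crypto." + ", crypto.".join(missing)))
    return findings


if __name__ == "__main__":
    for provider, code, message in audit(SAMPLE_VRD):
        print(f"{provider:8} {code:26} {message}")
```

Run against the sample, the idp provider is clean and every finding is attached to one of the two legacy entries. The response_type comparison uses a set of tokens because OAuth 2.0 treats "id_token token" and "token id_token" as the same value.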

Provider description example:

<openidconnect>
<providers>
<![CDATA[[
{
  "name": "google",
  "title": "Google",
  "discovery": "https://accounts.google.com/.well-known/openid-configuration",
  "authenticationClaimName": "email",
  "clientconfig": {
    "authority": "https://accounts.google.com/",
    "client_id": "<client ID>",
    "redirect_uri": "https://<hostname>/openidc/authform.html",
    "response_type": "id_token token",
    "scope": "openid email",
    "filterProtocolClaims": true,
    "loadUserInfo": false
  }
},
{
  "name": "googleII",
  "title": "Google 2",
  "providerconfig": {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://www.googleapis.com/oauth2/v4/token",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "profile"]
  },
  "clientconfig": {
    "authority": "https://accounts.google.com/",
    "client_id": "<client ID>",
    "redirect_uri": "https://<hostname>/openidc/authform.html",
    "response_type": "id_token token",
    "scope": "openid email"
  }
},
{
  "name": "googleIII",
  "title": "Google 3",
  "providerconfig": {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://www.googleapis.com/oauth2/v4/token",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "profile"]
  },
  "clientconfig": {
    "authority": "https://accounts.google.com/",
    "client_id": "<client ID>",
    "client_secret": "<client secret>",
    "redirect_uri": "https://<hostname>/openidc/authform.html",
    "response_type": "code",
    "scope": "openid email"
  }
},
{
  "name": "microsoft",
  "title": "Microsoft",
  "authenticationUserPropertyName": "OSUser",
  "image": "data:image/png;base64,………",
  "discovery": "https://login.microsoftonline.com/<client ID>/.well-known/openid-configuration",
  "clientconfig": {
    "authority": "https://login.microsoftonline.com/<client ID>/",
    "client_id": "<client ID>",
    "redirect_uri": "https://<hostname>/openidc/authform.html",
    "response_type": "id_token token",
    "scope": "openid email"
  }
},
{
  "name": "googleIV",
  "title": "GOOGLE.COM",
  "discovery": "https://accounts.google.com/.well-known/openid-configuration",
  "authenticationClaimName": "email",
  "authenticationUserPropertyName": "matchingKey",
  "clientconfig": {
    "authority": "https://accounts.google.com",
    "client_id": "<client ID>",
    "client_secret": "<client secret>",
    "redirect_uri": "https://<hostname>/openidc/authform.html",
    "response_type": "token id_token",
    "scope": "openid email",
    "filterProtocolClaims": true,
    "loadUserInfo": false
  }
},
{
  "name": "esia",
  "title": "USIA",
  "authenticationClaimName": "value",
  "authenticationUserPropertyName": "name",
  "dialect": "ru-esia",
  "crypto": {
    "module_path": "",
    "module_name": "Crypto-Pro GOST R 34.10-2012 Cryptographic Service Provider",
    "module_type": "80",
    "cert_thumbprint": "<certificate thumbprint>"
  },
  "providerconfig": {
    "authorization_endpoint": "https://<hostname>/aas/oauth2/ac",
    "token_endpoint": "https://<hostname>/aas/oauth2/te",
    "userinfo_endpoint": "https://<hostname>/rs/prns/"
  },
  "clientconfig": {
    "authority": "https://<hostname>/aas/oauth2/ac",
    "client_id": "<client ID>",
    "redirect_uri": "https://<hostname>/openidc/authform.html",
    "scope": "openid email",
    "response_type": "code",
    "access_type": "offline"
  }
}
]]]>
</providers>
<allowStandardAuthentication>true</allowStandardAuthentication>
</openidconnect>

The googleIV provider example shows how to use a field of the UserMatchingKeys collection. In this example:

  • "authenticationClaimName": "email" selects the email claim of the token as the user identifier used for mapping.
  • "authenticationUserPropertyName": "matchingKey" instructs the system to go through the infobase users, take the UserMatchingKeys collection of each, and read the entry whose key equals the provider's name property (googleIV in this example). The value found there is compared with the email claim of the token.

3.19.9.3. <allowStandardAuthentication>

The item allows or prohibits standard 1C:Enterprise authentication. If it is false, only the providers described in the default.vrd file are offered on the authentication form when a thin client or web client connects.

The item can take the following values:

  • true. 1C:Enterprise authentication is allowed. Default value.
  • false. 1C:Enterprise authentication is forbidden.

3.19.9.4. Usage scenario

Authentication via an OpenID Connect provider is available only if the parameters of one or more providers are specified in the default.vrd file. When a client application (thin, mobile, or web client) connects to the infobase, the following happens:

  • If a provider is explicitly specified on the client application command line, the redirect is performed with the parameters specified for that provider in the default.vrd file.
  • Otherwise, the platform builds a start form (its kind depends on the client application) listing all OpenID Connect providers configured in the default.vrd file. Depending on the settings, this page may also contain a button for standard 1C:Enterprise authentication.
  • After the user selects a provider, they are redirected to the provider's authentication page and authenticate there by whatever method the provider supports.
  • The provider then redirects the user to a special 1C:Enterprise page, passing the authentication result as a parameter in the form of a JSON Web Token (JWT). The URL of this page is the redirect_uri property of the provider's clientconfig structure.
  • From the authentication result, the platform takes the key parameter that identifies the user. By default this is the user's email address; it can be overridden in the default.vrd file (the authenticationClaimName field).
  • The key parameter is used to search for the user in the 1C:Enterprise infobase. By default the Name property is searched; the search field can be overridden in the default.vrd file (the authenticationUserPropertyName field).
  • Authentication is then considered successful and application startup continues.
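To make the last two steps concrete, here is a Python model of the mapping, written for this page and not taken from 1C:Enterprise. It covers the googleIV explanation above (matchingKey) as well as the claim selection via authenticationClaimName and the user lookup via authenticationUserPropertyName described in the scenario. The InfobaseUser class, the provider entries, the upn claim name and the user records are constructed for the example; the page does not say how the platform compares values, so an exact, case-sensitive comparison is assumed, and the ID token is assumed to have been verified (signature, issuer, audience, expiry) before its claims reach this code.

```python
"""Map a verified OpenID Connect identity to an infobase user (added example)."""
from dataclasses import dataclass, field


# Hypothetical stand-in for the platform's InfoBaseUser: the Name, OSUser and
# Email properties and the UserMatchingKeys collection this page refers to.
@dataclass
class InfobaseUser:
    name: str
    os_user: str = ""
    email: str = ""
    matching_keys: dict = field(default_factory=dict)


CLAIM_DEFAULT = "email"     # authenticationClaimName default, per the page
PROPERTY_DEFAULT = "name"   # authenticationUserPropertyName default, per the page


def user_key(user, provider, property_name):
    """The infobase user value that is compared with the provider's identifier."""
    if property_name == "name":
        return user.name
    if property_name == "OSUser":
        return user.os_user
    if property_name == "email":
        return user.email
    if property_name == "matchingKey":
        # UserMatchingKeys is indexed by the provider's name property.
        return user.matching_keys.get(provider["name"])
    raise ValueError(f"unsupported authenticationUserPropertyName {property_name!r}")


def find_user(provider, claims, users):
    """Return the single infobase user the token identifies, or None.

    `claims` must be the payload of an ID token whose signature, issuer,
    audience and expiry have already been verified; nothing here re-checks
    that. Comparison is exact and case-sensitive (an assumption; the page does
    not state how the platform compares).
    """
    claim_name = provider.get("authenticationClaimName", CLAIM_DEFAULT)
    property_name = provider.get("authenticationUserPropertyName", PROPERTY_DEFAULT)
    identifier = claims.get(claim_name)
    if identifier in (None, ""):
        return None  # no identifier in the token: never fall back to another claim
    matches = [u for u in users if user_key(u, provider, property_name) == identifier]
    if len(matches) != 1:
        return None  # zero or several candidates both mean "not authenticated"
    return matches[0]


# Constructed providers: only the mapping-relevant fields of four default.vrd entries.
PROVIDERS = {
    "google": {"name": "google", "authenticationClaimName": "email"},  # property defaults to name
    "corp": {"name": "corp", "authenticationClaimName": "upn",         # claim name is assumed
             "authenticationUserPropertyName": "OSUser"},
    "googleIV": {"name": "googleIV", "authenticationClaimName": "email",
                 "authenticationUserPropertyName": "matchingKey"},
    "esia": {"name": "esia", "authenticationClaimName": "value",
             "authenticationUserPropertyName": "name"},
}

# Constructed infobase users.
USERS = [
    InfobaseUser("alice@example.com", os_user=r"CORP\alice", email="alice@example.com",
                 matching_keys={"googleIV": "alice.personal@example.net"}),
    InfobaseUser("bob", os_user=r"CORP\bob", email="bob@example.com",
                 matching_keys={"googleIV": "bob.personal@example.net"}),
    InfobaseUser("ivanov", email="ivanov@example.com"),
]


if __name__ == "__main__":
    cases = [
        ("google", {"email": "alice@example.com"}),           # email claim vs Name: alice
        ("google", {"email": "bob@example.com"}),             # Name is "bob", not the email: no user
        ("corp", {"upn": r"CORP\bob"}),                       # OSUser mapping
        ("googleIV", {"email": "bob.personal@example.net"}),  # UserMatchingKeys["googleIV"]
        ("esia", {"value": "ivanov"}),
        ("google", {"sub": "12345"}),                         # email claim absent: no user
    ]
    for provider_name, claims in cases:
        user = find_user(PROVIDERS[provider_name], claims, USERS)
        print(f"{provider_name:9} {claims!s:42} -> {user.name if user else 'no user'}")
```

Two points the scenario leaves implicit are made explicit here: a missing claim never falls back to another identifier, and an ambiguous match (two infobase users carrying the same email or matching key) is treated as a failure rather than resolved to the first hit, since picking one would let an account log in as another.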

If authentication fails on the provider side, what happens next is determined by the provider and is not defined by the platform.
