From bfb4dd66cebf843d1cdb1031f63349a238d94e18 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 16:47:24 +0000 Subject: [PATCH 01/12] Initial plan From 15312efb9adb5e3de9bbb052386be3b4cab4ee89 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 16:49:50 +0000 Subject: [PATCH 02/12] docs: Add OPENID_CONNECT authentication module documentation Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/7c17dea5-7110-4870-9fbc-549aede96b6c Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../appendix-auth-modules.adoc | 82 +++++++++++++++++++ .../asciidoc/integrators-guide/chap-auth.adoc | 50 +++++++++++ 2 files changed, 132 insertions(+) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index f32c400c2..91bb04d8a 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc 
@@ -291,4 +291,86 @@ a|authentication.json |=== In general, if you add a custom property, the Admin UI writes changes to the `authentication.json` or `ui-configuration.json` files. +[#openid-connect-module-details] +=== OPENID_CONNECT Module Configuration Options + +The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provider. It reads a JWT access token from an HTTP header, validates it against the configured OIDC provider, and maps the identity to an OpenIDM managed object. + +[#table-openid-connect-module] +.OPENID_CONNECT Module Properties +[cols="28%,29%,43%"] +|=== +|Authentication Property |Property as Listed in the Admin UI |Description + +a|`enabled` +a|Module Enabled +a|Whether OpenIDM uses this module. + +a|`openIdConnectHeader` +a|OpenID Connect Header +a|Name of the HTTP header that carries the OIDC access token passed from the client (for example, `authToken`). + +a|`queryOnResource` +a|Query on Resource +a|Managed object endpoint to query after token validation (for example, `managed/google`). + +a|`propertyMapping.authenticationId` +a|Authentication ID +a|Attribute in the managed object used as the user identifier. + +a|`propertyMapping.userRoles` +a|User Roles +a|Attribute in the managed object used for authorization roles (for example, `authzRoles`). + +a|`defaultUserRoles` +a|Default User Roles +a|Roles assigned to all users who authenticate successfully through this module (for example, `openidm-authorized`). + +a|`augmentSecurityContext` +a|Augment Security Context +a|Optional script executed after a successful authentication request, used to populate additional security context fields. +|=== + +[#table-openid-connect-resolvers] +.OPENID_CONNECT Resolver Properties (within `resolvers[]`) +[cols="28%,72%"] +|=== +|Property |Description + +a|`name` +a|Unique name identifying this resolver (for example, `google`). + +a|`type` +a|Resolver type. Must be `OPENID_CONNECT`. 
+ +a|`client_id` +a|OAuth 2.0 client ID registered with the OIDC provider. + +a|`client_secret` +a|OAuth 2.0 client secret registered with the OIDC provider. + +a|`well-known` +a|OIDC Discovery URL (for example, `https://accounts.google.com/.well-known/openid-configuration`). When provided, the module auto-populates `authorization_endpoint`, `token_endpoint`, and `userinfo_endpoint` from the provider's discovery document. + +a|`authorization_endpoint` +a|Provider's authorization endpoint URL. Can be omitted when `well-known` is set. + +a|`token_endpoint` +a|Provider's token endpoint URL. Can be omitted when `well-known` is set. + +a|`userinfo_endpoint` +a|Provider's userinfo endpoint URL. Can be omitted when `well-known` is set. + +a|`scope` +a|List of OAuth 2.0 scopes to request. Must include `openid` (for example, `["openid", "email", "profile"]`). + +a|`authenticationId` +a|OIDC claim or managed object attribute used as the user identifier (for example, `sub` or `_id`). + +a|`icon` +a|HTML markup for the social login button displayed in the UI. + +a|`enabled` +a|Whether this resolver is active. +|=== diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc index 80ce42f3b..cfeec6cc8 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc 
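Review bot: the `well-known` row says the module auto-populates `authorization_endpoint`, `token_endpoint` and `userinfo_endpoint`, and the three endpoint rows say they "can be omitted when `well-known` is set", but nothing states which value wins when both are present, and the resolver table has no `issuer` or `jwks_uri` row, so a reader cannot tell how "validates it against the configured OIDC provider" is performed (a signature check against the provider's published keys plus `iss`, `aud` and `exp` checks, or a call to userinfo). Please state the precedence rule and the actual validation steps. Two smaller points in the same hunk: the resolver-level `authenticationId` row conflates an OIDC claim (`sub`) with a managed-object attribute (`_id`) even though `propertyMapping.authenticationId` already covers the managed-object side, and the `client_secret` row should say the value is written in clear text to `authentication.json` and point at whatever mechanism OpenIDM offers for keeping it out of that file, or at least at restricting the file's permissions.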
@@ -480,6 +480,56 @@ Set up logins with OpenAM, to work with the related login session cookie, known IWA:: The IWA module enables users to authenticate by using Integrated Windows Authentication (IWA), rather than by providing a username and password. For information about configuring the IWA module with OpenIDM, see xref:#openidm-auth-kerberos["Configuring IWA Authentication"]. +[#openid-connect-module] +OPENID_CONNECT:: +The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provider. It reads a JWT access token from an HTTP header (configured via `openIdConnectHeader`), validates it against the configured OIDC provider endpoints, and maps the authenticated identity to an OpenIDM managed object. ++ +The module supports multiple OIDC providers through the `resolvers` array — each entry configures one provider with its own `client_id`, `client_secret`, and endpoint URLs. When a `well-known` discovery URL is provided, the module auto-populates the `authorization_endpoint`, `token_endpoint`, and `userinfo_endpoint` from the provider's OIDC discovery document. 
++ +The following excerpt shows a sample `OPENID_CONNECT` configuration using Google as the identity provider: ++ + +[source, json] +---- +{ + "name" : "OPENID_CONNECT", + "enabled" : true, + "properties" : { + "augmentSecurityContext": { + "type" : "text/javascript", + "file" : "auth/populateAsManagedUserFromRelationship.js" + }, + "propertyMapping" : { + "userRoles" : "authzRoles", + "authenticationId" : "_id" + }, + "defaultUserRoles" : [ + "openidm-authorized" + ], + "resolvers" : [ + { + "name" : "google", + "type" : "OPENID_CONNECT", + "icon" : "", + "scope" : ["openid", "email", "profile"], + "authenticationId" : "_id", + "enabled" : true, + "client_id" : "your-client-id.apps.googleusercontent.com", + "client_secret" : "your-client-secret", + "well-known" : "https://accounts.google.com/.well-known/openid-configuration", + "authorization_endpoint" : "https://accounts.google.com/o/oauth2/v2/auth", + "token_endpoint" : "https://oauth2.googleapis.com/token", + "userinfo_endpoint" : "https://openidconnect.googleapis.com/v1/userinfo" + } + ], + "queryOnResource" : "managed/google", + "openIdConnectHeader" : "authToken" + } +} +---- + +For detailed options, see xref:appendix-auth-modules.adoc#openid-connect-module-details["OPENID_CONNECT Module Configuration Options"]. + -- From 6f3a1f544799a68bd489c9214432a5a13d705c55 Mon Sep 17 00:00:00 2001 From: Valery Kharseko Date: Thu, 26 Mar 2026 20:01:56 +0300 Subject: [PATCH 03/12] Update openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The token carried in openIdConnectHeader is described here as a “JWT access token”, but the OIDC flow in the code returns/uses an id_token JWT for OPENID_CONNECT Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
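Review bot: the sample configuration sets `well-known` and also hard-codes `authorization_endpoint`, `token_endpoint` and `userinfo_endpoint`, while the paragraph above says the discovery document populates those three; either drop the explicit endpoints from the sample or say which takes precedence when both are given. The sample also uses `"authenticationId" : "_id"` both at the resolver level and in `propertyMapping`, so it is not clear which value is taken from the provider and which from `managed/google`; a sentence on what creates `managed/google` objects (and what populates their `_id`) would make the lookup understandable. Finally, the sample ends with `"openIdConnectHeader" : "authToken"` but the chapter never shows what the client sends in that header, so one line with an example request would help.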
diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc index cfeec6cc8..0c36aeeca 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc @@ -482,7 +482,7 @@ The IWA module enables users to authenticate by using Integrated Windows Authent [#openid-connect-module] OPENID_CONNECT:: -The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provider. It reads a JWT access token from an HTTP header (configured via `openIdConnectHeader`), validates it against the configured OIDC provider endpoints, and maps the authenticated identity to an OpenIDM managed object. +The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provider. It reads an OpenID Connect ID token (JWT) from an HTTP header (configured via `openIdConnectHeader`), validates it against the configured OIDC provider endpoints, and maps the authenticated identity to an OpenIDM managed object. + The module supports multiple OIDC providers through the `resolvers` array — each entry configures one provider with its own `client_id`, `client_secret`, and endpoint URLs. When a `well-known` discovery URL is provided, the module auto-populates the `authorization_endpoint`, `token_endpoint`, and `userinfo_endpoint` from the provider's OIDC discovery document. + From 50e3937c0b4063d6cc93e5e6f83d9c3a4ca78e06 Mon Sep 17 00:00:00 2001 
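Review bot: after this change the sentence still says the ID token is "validated against the configured OIDC provider endpoints", which is not how an ID token is validated; an ID token is a signed JWT checked locally against the provider's published keys together with `iss`, `aud` (must equal the resolver's `client_id`), `exp` and, where used, `nonce`. If the module instead sends the received token to an endpoint (for example userinfo, which expects an access token rather than an ID token), say so explicitly, because a reader deciding whether to put an access token or an ID token in `openIdConnectHeader` needs to know which one the code accepts. The appendix paragraph introduced in the earlier hunk still says "JWT access token" and should be changed in the same commit so the two files agree.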
From: Valery Kharseko Date: Thu, 26 Mar 2026 20:02:40 +0300 Subject: [PATCH 04/12] Update openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This states the module supports “multiple OIDC providers through the resolvers array”, but the current implementation only uses the first resolver entry (the UI reads/writes resolvers[0], and AuthenticationService#setType notes “currently we only support one resolver per auth module” and sets resolvers.get(0)). Please clarify that only a single resolver is supported/used per OPENID_CONNECT module instance. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc index 0c36aeeca..bdbcd7381 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc 
@@ -484,7 +484,7 @@ The IWA module enables users to authenticate by using Integrated Windows Authent OPENID_CONNECT:: The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provider. It reads an OpenID Connect ID token (JWT) from an HTTP header (configured via `openIdConnectHeader`), validates it against the configured OIDC provider endpoints, and maps the authenticated identity to an OpenIDM managed object. + -The module supports multiple OIDC providers through the `resolvers` array — each entry configures one provider with its own `client_id`, `client_secret`, and endpoint URLs. When a `well-known` discovery URL is provided, the module auto-populates the `authorization_endpoint`, `token_endpoint`, and `userinfo_endpoint` from the provider's OIDC discovery document. +The module uses a single OIDC provider configuration from the first entry in the `resolvers` array (`resolvers[0]`). Although `resolvers` is defined as an array, only one resolver is supported and used per `OPENID_CONNECT` module instance; that entry configures the provider with its own `client_id`, `client_secret`, and endpoint URLs. When a `well-known` discovery URL is provided, the module auto-populates the `authorization_endpoint`, `token_endpoint`, and `userinfo_endpoint` from the provider's OIDC discovery document. + The following excerpt shows a sample `OPENID_CONNECT` configuration using Google as the identity provider: + From d796363014daa7eb09f79e1ffe090d9f828a7d0a Mon Sep 17 00:00:00 2001 From: Valery Kharseko Date: Thu, 26 Mar 2026 20:03:26 +0300 Subject: [PATCH 05/12] Update openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../main/asciidoc/integrators-guide/appendix-auth-modules.adoc | 1 + 1 file changed, 1 insertion(+) 
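Review bot: the commit message says `AuthenticationService#setType` calls `resolvers.get(0)`, so an empty `resolvers` array would fail with an index error rather than a configuration message; the paragraph should state that exactly one resolver entry is required, not merely that extra ones are ignored. The phrase "that entry configures the provider with its own `client_id`, `client_secret`, and endpoint URLs" is left over from the multi-provider wording ("its own" no longer contrasts with anything); "that entry holds the provider's `client_id`, `client_secret`, and endpoint URLs" reads cleaner.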
diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index 91bb04d8a..7ebe55181 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc @@ -333,6 +333,7 @@ a|Optional script executed after a successful authentication request, used to po [#table-openid-connect-resolvers] .OPENID_CONNECT Resolver Properties (within `resolvers[]`) +NOTE: Although the configuration syntax uses an array `resolvers[]`, only the first resolver entry (`resolvers[0]`) is currently used; additional entries are ignored. [cols="28%,72%"] |=== |Property |Description From 92d58f0e987345519718fc3cf8a1f1c3abc395a0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 17:05:15 +0000 Subject: [PATCH 06/12] docs: Fix OPENID_CONNECT appendix - use 'ID token' instead of 'access token' Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/c62448a5-83e7-47b1-8e25-9d8402d33100 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../main/asciidoc/integrators-guide/appendix-auth-modules.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index 7ebe55181..d991172ac 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc 
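Review bot: the `NOTE:` line is inserted between the block title `.OPENID_CONNECT Resolver Properties (within `resolvers[]`)` and the `[cols="28%,72%"]` attribute line, which breaks AsciiDoc's block-metadata rule: the anchor, title and attribute lines must be contiguous and immediately precede the block they describe, so here `[#table-openid-connect-resolvers]` and the title attach to the admonition paragraph and the table is rendered without its caption or anchor. Move the NOTE above the `[#table-openid-connect-resolvers]` line (or below the closing `|===`) and keep the title and `[cols]` adjacent.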
@@ -294,7 +294,7 @@ In general, if you add a custom property, the Admin UI writes changes to the `au [#openid-connect-module-details] === OPENID_CONNECT Module Configuration Options -The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provider. It reads a JWT access token from an HTTP header, validates it against the configured OIDC provider, and maps the identity to an OpenIDM managed object. +The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provider. It reads an OpenID Connect ID token (JWT) from an HTTP header, validates it against the configured OIDC provider, and maps the identity to an OpenIDM managed object. [#table-openid-connect-module] .OPENID_CONNECT Module Properties From f3fe265ba05c5715fb278214d7cec88f5c12e375 Mon Sep 17 00:00:00 2001 From: Valery Kharseko Date: Thu, 26 Mar 2026 20:22:43 +0300 Subject: [PATCH 07/12] Update openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../main/asciidoc/integrators-guide/appendix-auth-modules.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index d991172ac..0c7bfdcdf 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc @@ -308,7 +308,7 @@ a|Whether OpenIDM uses this module. a|`openIdConnectHeader` a|OpenID Connect Header -a|Name of the HTTP header that carries the OIDC access token passed from the client (for example, `authToken`). +a|Name of the HTTP header that carries the OpenID Connect ID token (JWT) provided by the client (for example, `authToken`). a|`queryOnResource` a|Query on Resource From 29f129261fd56261a5e13a45de649b569794a034 Mon Sep 17 00:00:00 2001 
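Review bot: the OpenID Connect Header row now names the header but still not what OpenIDM does with the ID token it receives, and since that token is presented as a bearer credential on every request the description should list the checks a reader can rely on: signature against the provider's keys, `iss`, `aud` equal to the resolver's `client_id`, and `exp`, so that a token the provider issued to a different relying party is not accepted. The paragraph changed in the previous hunk of this file ("validates it against the configured OIDC provider") should name the same checks so the appendix and the chapter agree.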
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 17:55:35 +0000 Subject: [PATCH 08/12] docs: Fix resolver authenticationId description in appendix Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/82e11a08-5376-43aa-8dd8-72a7758ba94b Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../main/asciidoc/integrators-guide/appendix-auth-modules.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index 0c7bfdcdf..4b37b4518 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc @@ -366,7 +366,7 @@ a|`scope` a|List of OAuth 2.0 scopes to request. Must include `openid` (for example, `["openid", "email", "profile"]`). a|`authenticationId` -a|OIDC claim or managed object attribute used as the user identifier (for example, `sub` or `_id`). +a|Claim name in the identity provider profile or ID token used as the user identifier (for example, `sub`). a|`icon` a|HTML markup for the social login button displayed in the UI. From 9790f1041169ace7cd4e0f81fcc9967ac92cbc29 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Mar 2026 19:11:36 +0000 Subject: [PATCH 09/12] docs: Fix authenticationId example value and module-level description Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/d24f0dff-be5c-4574-9c76-e0d974d59707 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../main/asciidoc/integrators-guide/appendix-auth-modules.adoc | 2 +- openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index 4b37b4518..4abf731e0 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc @@ -316,7 +316,7 @@ a|Managed object endpoint to query after token validation (for example, `managed a|`propertyMapping.authenticationId` a|Authentication ID -a|Attribute in the managed object used as the user identifier. +a|Attribute in the managed object used as the user identifier, to be matched against the resolver's `authenticationId` claim. a|`propertyMapping.userRoles` a|User Roles diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc index bdbcd7381..debadd7ee 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc @@ -512,7 +512,7 @@ The following excerpt shows a sample `OPENID_CONNECT` configuration using Google "type" : "OPENID_CONNECT", "icon" : "", "scope" : ["openid", "email", "profile"], - "authenticationId" : "_id", + "authenticationId" : "sub", "enabled" : true, "client_id" : "your-client-id.apps.googleusercontent.com", "client_secret" : "your-client-secret", From df894da6d0f569757a48088b8b3b613dea5d1fbd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 09:06:14 +0000 Subject: [PATCH 10/12] docs: Restructure OPENID_CONNECT tables to 4-column OPENAM_SESSION format Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/b4f7cba3-cb99-48d1-8218-bc3d7745ae66 Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../appendix-auth-modules.adoc | 87 +++++++++++++------ 1 file changed, 59 insertions(+), 28 deletions(-) 
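Review bot: with this change the sample matches the provider's `sub` claim against the `_id` of objects under `managed/google` (`propertyMapping.authenticationId` is still `"_id"`), which only works if those objects are created with `_id` set to the provider's `sub`; nothing in the chapter says what creates `managed/google` entries or how their `_id` is chosen, so a reader copying the sample gets a lookup that never matches. Add a sentence on that provisioning step, or match against an explicit attribute that stores the provider subject instead of `_id`. The appendix wording "to be matched against the resolver's `authenticationId` claim" is the right model; the chapter sample should reflect it.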
diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index 4abf731e0..9e58a13d5 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc 
@@ -298,80 +298,111 @@ The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provid [#table-openid-connect-module] .OPENID_CONNECT Module Properties -[cols="28%,29%,43%"] +[cols="18%,27%,27%,28%"] |=== -|Authentication Property |Property as Listed in the Admin UI |Description +|Admin UI Label |Default |Description |Configuration File -a|`enabled` a|Module Enabled +a|false a|Whether OpenIDM uses this module. +a|authentication.json -a|`openIdConnectHeader` a|OpenID Connect Header -a|Name of the HTTP header that carries the OpenID Connect ID token (JWT) provided by the client (for example, `authToken`). +a|authToken +a|Name of the HTTP header that carries the OpenID Connect ID token (JWT) provided by the client. +a|authentication.json -a|`queryOnResource` a|Query on Resource -a|Managed object endpoint to query after token validation (for example, `managed/google`). +a|managed/google +a|Managed object endpoint to query after token validation. +a|authentication.json -a|`propertyMapping.authenticationId` a|Authentication ID +a|(blank) a|Attribute in the managed object used as the user identifier, to be matched against the resolver's `authenticationId` claim. +a|authentication.json -a|`propertyMapping.userRoles` a|User Roles +a|(blank) a|Attribute in the managed object used for authorization roles (for example, `authzRoles`). +a|authentication.json -a|`defaultUserRoles` a|Default User Roles -a|Roles assigned to all users who authenticate successfully through this module (for example, `openidm-authorized`). +a|openidm-authorized +a|Roles assigned to all users who authenticate successfully through this module. +a|authentication.json -a|`augmentSecurityContext` a|Augment Security Context +a|(blank) a|Optional script executed after a successful authentication request, used to populate additional security context fields. 
+a|authentication.json |=== [#table-openid-connect-resolvers] .OPENID_CONNECT Resolver Properties (within `resolvers[]`) NOTE: Although the configuration syntax uses an array `resolvers[]`, only the first resolver entry (`resolvers[0]`) is currently used; additional entries are ignored. -[cols="28%,72%"] +[cols="18%,27%,27%,28%"] |=== -|Property |Description +|Admin UI Label |Default |Description |Configuration File -a|`name` +a|Name +a|(blank) a|Unique name identifying this resolver (for example, `google`). +a|authentication.json -a|`type` +a|Type +a|OPENID_CONNECT a|Resolver type. Must be `OPENID_CONNECT`. +a|authentication.json -a|`client_id` +a|Client ID +a|(blank) a|OAuth 2.0 client ID registered with the OIDC provider. +a|authentication.json -a|`client_secret` +a|Client Secret +a|(blank) a|OAuth 2.0 client secret registered with the OIDC provider. +a|authentication.json -a|`well-known` -a|OIDC Discovery URL (for example, `https://accounts.google.com/.well-known/openid-configuration`). When provided, the module auto-populates `authorization_endpoint`, `token_endpoint`, and `userinfo_endpoint` from the provider's discovery document. +a|Well-Known URL +a|(blank) +a|OIDC Discovery URL (for example, `https://accounts.google.com/.well-known/openid-configuration`). When provided, the module auto-populates `authorization_endpoint`, `token_endpoint`, and `userinfo_endpoint`. +a|authentication.json -a|`authorization_endpoint` +a|Authorization Endpoint +a|(blank) a|Provider's authorization endpoint URL. Can be omitted when `well-known` is set. +a|authentication.json -a|`token_endpoint` +a|Token Endpoint +a|(blank) a|Provider's token endpoint URL. Can be omitted when `well-known` is set. +a|authentication.json -a|`userinfo_endpoint` +a|Userinfo Endpoint +a|(blank) a|Provider's userinfo endpoint URL. Can be omitted when `well-known` is set. +a|authentication.json -a|`scope` +a|Scope +a|openid a|List of OAuth 2.0 scopes to request. 
Must include `openid` (for example, `["openid", "email", "profile"]`). +a|authentication.json -a|`authenticationId` -a|Claim name in the identity provider profile or ID token used as the user identifier (for example, `sub`). +a|Authentication ID +a|sub +a|Claim name in the identity provider profile or ID token used as the user identifier. +a|authentication.json -a|`icon` +a|Icon +a|(blank) a|HTML markup for the social login button displayed in the UI. +a|authentication.json -a|`enabled` +a|Enabled +a|true a|Whether this resolver is active. +a|authentication.json |=== From 473462f9aec42095df9c3bb91f8feb80c5486489 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 09:14:34 +0000 Subject: [PATCH 11/12] docs: Restructure OPENID_CONNECT tables into Basic/Advanced split matching OPENAM_SESSION 4-column format Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/4102158c-4e18-43ea-909e-07dbb52a4d7b Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../appendix-auth-modules.adoc | 121 +++++++++--------- 1 file changed, 57 insertions(+), 64 deletions(-) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index 9e58a13d5..f7f27a9b2 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc 
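Review bot: the new Default column lists `managed/google` for Query on Resource and `sub` for the resolver Authentication ID, which are the values from the chapter sample rather than product defaults (a shipped default would not name one provider); each default should come from what the Admin UI pre-fills or the code falls back to, or be left as `(blank)`. Dropping the first column also removes `openIdConnectHeader`, `queryOnResource`, `propertyMapping.*`, `well-known` and the other JSON property names from the appendix entirely; since the chapter sample uses those names, keep them in the Description cells (for example "`openIdConnectHeader`: name of the HTTP header ...") or add a sentence telling readers where to find the property names in `authentication.json`.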
@@ -294,10 +294,14 @@ In general, if you add a custom property, the Admin UI writes changes to the `au [#openid-connect-module-details] === OPENID_CONNECT Module Configuration Options -The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provider. It reads an OpenID Connect ID token (JWT) from an HTTP header, validates it against the configured OIDC provider, and maps the identity to an OpenIDM managed object. +The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provider. It exchanges an access token for user information from the provider's userinfo endpoint, then maps the identity to an OpenIDM managed object. -[#table-openid-connect-module] -.OPENID_CONNECT Module Properties +The options shown in the Admin UI are subdivided into basic and advanced properties. You may need to click Advanced Properties to review those details. + +The following table describes the label that you see in the Admin UI, the default value (if any), a brief description, and the associated configuration file. If you need the property name, look at the configuration file. + +[#table-openid-connect-basic] +.OPENID_CONNECT Module Basic Properties [cols="18%,27%,27%,28%"] |=== |Admin UI Label |Default |Description |Configuration File 
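Review bot: this paragraph now says the module "exchanges an access token for user information from the provider's userinfo endpoint", but the advanced-properties table in the next hunk and `chap-auth.adoc` (after patch 03) still say `openIdConnectHeader` carries an OpenID Connect ID token, and patches 06 and 07 changed this same file from "access token" to "ID token" earlier in the series. The three places need one consistent description of what the client sends in the header and what OpenIDM does with it: if the code calls userinfo it needs an access token and the ID-token wording elsewhere should be reverted; if it validates an ID token locally, this sentence is wrong.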
@@ -307,102 +311,91 @@ a|false a|Whether OpenIDM uses this module. a|authentication.json -a|OpenID Connect Header -a|authToken -a|Name of the HTTP header that carries the OpenID Connect ID token (JWT) provided by the client. -a|authentication.json - -a|Query on Resource -a|managed/google -a|Managed object endpoint to query after token validation. +a|Well-Known Endpoint +a|(blank) +a|OIDC Discovery URL (for example, `https://openam.example.com/openam/oauth2/.well-known/openid-configuration`). When provided, the module auto-populates `authorization_endpoint`, `token_endpoint`, and `userinfo_endpoint` from the provider's discovery document. a|authentication.json -a|Authentication ID +a|Client ID a|(blank) -a|Attribute in the managed object used as the user identifier, to be matched against the resolver's `authenticationId` claim. +a|OAuth 2.0 client ID registered with the OIDC provider. a|authentication.json -a|User Roles +a|Client Secret a|(blank) -a|Attribute in the managed object used for authorization roles (for example, `authzRoles`). +a|OAuth 2.0 client secret registered with the OIDC provider. a|authentication.json -a|Default User Roles -a|openidm-authorized -a|Roles assigned to all users who authenticate successfully through this module. +a|Scope +a|openid +a|OAuth 2.0 scopes to request. Must include `openid` (for example, `openid email profile`). a|authentication.json -a|Augment Security Context +a|Authorization Endpoint a|(blank) -a|Optional script executed after a successful authentication request, used to populate additional security context fields. +a|Provider's authorization endpoint URL. Can be omitted when Well-Known Endpoint is set. a|authentication.json -|=== -[#table-openid-connect-resolvers] -.OPENID_CONNECT Resolver Properties (within `resolvers[]`) -NOTE: Although the configuration syntax uses an array `resolvers[]`, only the first resolver entry (`resolvers[0]`) is currently used; additional entries are ignored. 
-[cols="18%,27%,27%,28%"] -|=== -|Admin UI Label |Default |Description |Configuration File - -a|Name +a|Token Endpoint a|(blank) -a|Unique name identifying this resolver (for example, `google`). -a|authentication.json - -a|Type -a|OPENID_CONNECT -a|Resolver type. Must be `OPENID_CONNECT`. +a|Provider's token endpoint URL. Can be omitted when Well-Known Endpoint is set. a|authentication.json -a|Client ID +a|End Session Endpoint a|(blank) -a|OAuth 2.0 client ID registered with the OIDC provider. +a|Provider's end-session (logout) endpoint URL. Can be omitted when Well-Known Endpoint is set. a|authentication.json -a|Client Secret -a|(blank) -a|OAuth 2.0 client secret registered with the OIDC provider. +a|Sign-In Button HTML +a|(default button HTML) +a|HTML markup for the social login button displayed in the OpenIDM UI. a|authentication.json -a|Well-Known URL -a|(blank) -a|OIDC Discovery URL (for example, `https://accounts.google.com/.well-known/openid-configuration`). When provided, the module auto-populates `authorization_endpoint`, `token_endpoint`, and `userinfo_endpoint`. +a|Query on Resource +a|managed/user +a|Managed object endpoint to query after token validation (for example, `managed/user`). a|authentication.json -a|Authorization Endpoint -a|(blank) -a|Provider's authorization endpoint URL. Can be omitted when `well-known` is set. +a|Default User Roles +a|openidm-authorized +a|Roles assigned to all users who authenticate successfully through this module. a|authentication.json -a|Token Endpoint -a|(blank) -a|Provider's token endpoint URL. Can be omitted when `well-known` is set. +a|Authentication ID +a|userName +a|Attribute in the managed object used as the user identifier, matched against the claim returned from the provider's userinfo endpoint. a|authentication.json -a|Userinfo Endpoint -a|(blank) -a|Provider's userinfo endpoint URL. Can be omitted when `well-known` is set. 
+a|Method for Determining Roles +a|User Roles Property +a|How OpenIDM determines the user's roles after authentication (for example, `User Roles Property`). a|authentication.json -a|Scope -a|openid -a|List of OAuth 2.0 scopes to request. Must include `openid` (for example, `["openid", "email", "profile"]`). +a|User Roles Property +a|authzRoles +a|Attribute in the managed object that holds the user's authorization roles. a|authentication.json +|=== -a|Authentication ID -a|sub -a|Claim name in the identity provider profile or ID token used as the user identifier. -a|authentication.json +[#table-openid-connect-advanced] +.OPENID_CONNECT Module Advanced Properties +[cols="18%,27%,27%,28%"] +|=== +|Admin UI Label |Default |Description |Configuration File -a|Icon +a|Use Query ID a|(blank) -a|HTML markup for the social login button displayed in the UI. +a|A defined query ID searches against the `queryOnResource` endpoint. Leave blank to use `action=reauthenticate` against `queryOnResource`. a|authentication.json -a|Enabled -a|true -a|Whether this resolver is active. +a|OpenID Connect Header +a|authToken +a|Name of the HTTP header that carries the OpenID Connect ID token (JWT) provided by the client. +a|authentication.json + +a|Augment Security Context +a|(blank) +a|Optional script executed after a successful authentication request, used to populate additional security context fields. Supports Javascript or Groovy. a|authentication.json |=== From 3bb4519b17ba8ae39119fe4695cb31444f74e3a3 Mon Sep 17 00:00:00 2001 
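Review bot: this hunk deletes the whole resolver table together with the NOTE that only `resolvers[0]` is used, so the single-resolver limitation, and the `name`, `type` and `enabled` resolver fields that the chapter sample still sets, are no longer documented anywhere in the appendix; keep that note (for example beside the Well-Known Endpoint row) and the three fields. The Userinfo Endpoint row is removed although the new intro says the module calls the userinfo endpoint and the Well-Known Endpoint row still says it auto-populates `userinfo_endpoint`; either restore the row or drop it from both sentences. The Use Query ID row ("Leave blank to use `action=reauthenticate` against `queryOnResource`") reads as copied from the OPENAM_SESSION table this commit is modelled on; please confirm the OPENID_CONNECT module actually supports a query ID and reauthenticate, since no `queryId` appears in the chapter sample. Minor: "Javascript" should be "JavaScript".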
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Mar 2026 12:18:49 +0000 Subject: [PATCH 12/12] docs: update copyright year to 2026 in appendix-auth-modules.adoc Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenIDM/sessions/8ae6a531-3685-4c29-aa93-1339c306f02b Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com> --- .../main/asciidoc/integrators-guide/appendix-auth-modules.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc index f7f27a9b2..8f3a15a5b 100644 --- a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc +++ b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc @@ -12,7 +12,7 @@ information: "Portions copyright [year] [name of copyright owner]". Copyright 2017 ForgeRock AS. - Portions Copyright 2024-2025 3A Systems LLC. + Portions Copyright 2024-2026 3A Systems LLC. //// :figure-caption!: