OpenIdentityPlatform · vharseko · Mar 30, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/appendix-auth-modules.adoc
@@ -291,4 +291,87 @@ a|authentication.json
 |===
 In general, if you add a custom property, the Admin UI writes changes to the `authentication.json` or `ui-configuration.json` files.
 
+[#openid-connect-module-details]
+=== OPENID_CONNECT Module Configuration Options
+
+The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provider. It reads an OpenID Connect ID token (JWT) from an HTTP header, validates it against the configured OIDC provider, and maps the identity to an OpenIDM managed object.
+
+[#table-openid-connect-module]
+.OPENID_CONNECT Module Properties
+[cols="28%,29%,43%"]
+|===
+|Authentication Property |Property as Listed in the Admin UI |Description
+
+a|`enabled`
+a|Module Enabled
+a|Whether OpenIDM uses this module.
+
+a|`openIdConnectHeader`
+a|OpenID Connect Header
+a|Name of the HTTP header that carries the OIDC access token passed from the client (for example, `authToken`).
+
+a|`queryOnResource`
+a|Query on Resource
+a|Managed object endpoint to query after token validation (for example, `managed/google`).
+
+a|`propertyMapping.authenticationId`
+a|Authentication ID
+a|Attribute in the managed object used as the user identifier.
-a|Attribute in the managed object used as the user identifier.
+a|Attribute in the managed object used as the user identifier, to be matched against the resolver's `authenticationId` claim.
-a|Attribute in the managed object used as the user identifier.
+a|Attribute in the managed object used as the user identifier, to be matched against the resolver's `authenticationId` claim.
+
+a|`propertyMapping.userRoles`
+a|User Roles
+a|Attribute in the managed object used for authorization roles (for example, `authzRoles`).
+
+a|`defaultUserRoles`
+a|Default User Roles
+a|Roles assigned to all users who authenticate successfully through this module (for example, `openidm-authorized`).
+
+a|`augmentSecurityContext`
+a|Augment Security Context
+a|Optional script executed after a successful authentication request, used to populate additional security context fields.
+|===
+
+[#table-openid-connect-resolvers]
+.OPENID_CONNECT Resolver Properties (within `resolvers[]`)
+NOTE: Although the configuration syntax uses an array `resolvers[]`, only the first resolver entry (`resolvers[0]`) is currently used; additional entries are ignored.
+[cols="28%,72%"]
+|===
+|Property |Description
+
+a|`name`
+a|Unique name identifying this resolver (for example, `google`).
+
+a|`type`
+a|Resolver type. Must be `OPENID_CONNECT`.
+
+a|`client_id`
+a|OAuth 2.0 client ID registered with the OIDC provider.
+
+a|`client_secret`
+a|OAuth 2.0 client secret registered with the OIDC provider.
+
+a|`well-known`
+a|OIDC Discovery URL (for example, `https://accounts.google.com/.well-known/openid-configuration`). When provided, the module auto-populates `authorization_endpoint`, `token_endpoint`, and `userinfo_endpoint` from the provider's discovery document.
+
+a|`authorization_endpoint`
+a|Provider's authorization endpoint URL. Can be omitted when `well-known` is set.
+
+a|`token_endpoint`
+a|Provider's token endpoint URL. Can be omitted when `well-known` is set.
+
+a|`userinfo_endpoint`
+a|Provider's userinfo endpoint URL. Can be omitted when `well-known` is set.
+
+a|`scope`
+a|List of OAuth 2.0 scopes to request. Must include `openid` (for example, `["openid", "email", "profile"]`).
+
+a|`authenticationId`
+a|OIDC claim or managed object attribute used as the user identifier (for example, `sub` or `_id`).
-a|OIDC claim or managed object attribute used as the user identifier (for example, `sub` or `_id`).
+a|Claim name in the identity provider profile or ID token used as the user identifier (for example, `sub`).
-a|OIDC claim or managed object attribute used as the user identifier (for example, `sub` or `_id`).
+a|Claim name in the identity provider profile or ID token used as the user identifier (for example, `sub`).
+
+a|`icon`
+a|HTML markup for the social login button displayed in the UI.
+
+a|`enabled`
+a|Whether this resolver is active.
+|===
 
diff --git a/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc b/openidm-doc/src/main/asciidoc/integrators-guide/chap-auth.adoc
@@ -480,6 +480,56 @@ Set up logins with OpenAM, to work with the related login session cookie, known
 IWA::
 The IWA module enables users to authenticate by using Integrated Windows Authentication (IWA), rather than by providing a username and password. For information about configuring the IWA module with OpenIDM, see xref:#openidm-auth-kerberos["Configuring IWA Authentication"].
 
+[#openid-connect-module]
+OPENID_CONNECT::
+The `OPENID_CONNECT` module authenticates users via an OpenID Connect 1.0 provider. It reads an OpenID Connect ID token (JWT) from an HTTP header (configured via `openIdConnectHeader`), validates it against the configured OIDC provider endpoints, and maps the authenticated identity to an OpenIDM managed object.
++
+The module uses a single OIDC provider configuration from the first entry in the `resolvers` array (`resolvers[0]`). Although `resolvers` is defined as an array, only one resolver is supported and used per `OPENID_CONNECT` module instance; that entry configures the provider with its own `client_id`, `client_secret`, and endpoint URLs. When a `well-known` discovery URL is provided, the module auto-populates the `authorization_endpoint`, `token_endpoint`, and `userinfo_endpoint` from the provider's OIDC discovery document.
++
+The following excerpt shows a sample `OPENID_CONNECT` configuration using Google as the identity provider:
++
+
+[source, json]
+----
+{
+    "name" : "OPENID_CONNECT",
+    "enabled" : true,
+    "properties" : {
+        "augmentSecurityContext": {
+            "type" : "text/javascript",
+            "file" : "auth/populateAsManagedUserFromRelationship.js"
+        },
+        "propertyMapping" : {
+            "userRoles" : "authzRoles",
+            "authenticationId" : "_id"
+        },
+        "defaultUserRoles" : [
+            "openidm-authorized"
+        ],
+        "resolvers" : [
+            {
+                "name" : "google",
+                "type" : "OPENID_CONNECT",
+                "icon" : "<button class=\"btn btn-lg btn-default btn-block btn-social-provider\"><img src=\"images/google.png\">Sign in with Google</button>",
+                "scope" : ["openid", "email", "profile"],
+                "authenticationId" : "_id",
-                "authenticationId" : "_id",
+                "authenticationId" : "sub",
-                "authenticationId" : "_id",
+                "authenticationId" : "sub",
+                "enabled" : true,
+                "client_id" : "your-client-id.apps.googleusercontent.com",
+                "client_secret" : "your-client-secret",
+                "well-known" : "https://accounts.google.com/.well-known/openid-configuration",
+                "authorization_endpoint" : "https://accounts.google.com/o/oauth2/v2/auth",
+                "token_endpoint" : "https://oauth2.googleapis.com/token",
+                "userinfo_endpoint" : "https://openidconnect.googleapis.com/v1/userinfo"
+            }
+        ],
+        "queryOnResource" : "managed/google",
+        "openIdConnectHeader" : "authToken"
+    }
+}
+----
+
+For detailed options, see xref:appendix-auth-modules.adoc#openid-connect-module-details["OPENID_CONNECT Module Configuration Options"].
+
 --