Skip to main content
Skip table of contents

OAuth Providers

OpenID Connect (OIDC) is an extension of the OAuth 2.0 protocol used for authentication through an Identity Provider (IdP). EJBCA supports OIDC authentication using the OAuth 2.0 authorization code flow.

OIDC authenticationcan be used alongside or instead of client certificate authentication (see Authentication Methods) and provides a powerful tool for managing all users of a PKI from a single source (the IdP).

OIDC authentication is configured using a Trusted OAuth Provider (“provider”) in EJBCA.

The following page provides an overview of OAuth providers in EJBCA. For instructions on setting up OAuth providers, see OAuth Provider Management.

Supported Providers

EJBCA has been tested against KeycloakMicrosoft EntraID, Okta and PingID. For detailed instructions on how to integrate against one of these IdPs, see OAuth Provider Management.

Other OIDC-compatible IdPs may work with EJBCA, but these have not yet been tested and evaluated by Keyfactor.

Provider Configuration Overview

Providers can be configured under the Trusted OAuth Providers tab in System Configuration.

Value

Description

Default Trusted OAuth Provider

If the received JWT does not have a Key ID, the Default Trusted OAuth Provider may be used to verify the signature.

Generic Values

When adding a provider, the following values exist as general options:

Value

Description

OAuth Provider Name

The human-readable name of the provider, chosen by the administrator. This shows up when the user wants to log in.

URL

The base URL of the IdP.

Fetch UserInfo

If checked, EJBCA makes a request to the /userinfoendpoint to fetch additional information when the user is logging in.

Skew Limit

The allowed clock difference, in milliseconds, between the EJBCA and the IdP.

Scope

The scope used when requesting claims.

Client Name

The client name EJBCA uses for access to the IdP.

Client Secret

The client secret EJBCA uses for access to the IdP.

At the bottom of the page is a form for providing OAuth public key(s):

The key(s) may be provided using three methods:

  • File Upload

  • Upload as text

  • Providing a Key Configuration URL

Implementation Specific Values

Besides the generic values, each Trusted OAuth Provider implementation may support additional vendor specific configuration values.

Role Member Configuration Overview

Claims in JWTs may be mapped to roles in EJBCA. A claim can represent a group of users or an individual user. EJBCA allows any combination of claims and even different authentication methods in a single role.

The following claims are supported. Exact usage depends on the provider, see OAuth Provider Management for details.

Claim

Description

sub

Permanent unique identifier of the subject.

iss

Issuer of the token.

aud

Audience.

oid

Microsoft EntraID-specific claim that represents a user.

roles

kf.roles

Our vendor-specific claim for role assignment.

name

The user’s name.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.