The OpenID Connect feature is available only in Countly Enterprise.
OpenID Connect (also written OIDC) is a simple identity layer that allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, and to obtain basic profile information about the end-user.
In Countly, OIDC handles authentication by confirming the user's identity through a trusted server, so that only legitimate users are granted access to the system.
Benefits of OpenID Connect
OpenID Connect allows clients using web, desktop, and mobile devices to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data. It is also API-friendly and usable by any mobile or web application.
OpenID Connect has optional mechanisms for robust signing and encryption. All of these features are integrated into the protocol itself.
Getting Started
To use the OpenID Connect feature, you have to configure it following the steps below:
- In your OIDC package, rename plugins/oidc/config.sample.js to plugins/oidc/config.js.
- Modify the configuration to provide the OpenID issuer's host (used to locate its .well-known endpoints), the callback endpoint, and the client ID.
- Modify the configuration to set the default Countly permissions that new users receive when their account is created.
- Enable the OIDC feature and restart the Countly process.
To enable OIDC, use the command below:
countly plugins enable oidc
countly restart
For reference, this is an example snippet of the configuration options:
const config = {
    // Issuer host with published .well-known endpoints
    auth_url: "https://accounts.google.com",
    // Issuer callback endpoint
    auth_callback: "https://oauth2.googleapis.com/token",
    // Issuer provided client ID
    client_id: "somevalue.apps.googleusercontent.com",
    // should user become global admin on account creation
    global_admin: true,
    // list of apps the user should have admin access to on account creation
    admin_of: [],
    // list of apps the user should have read access to on account creation
    user_of: []
};
// export the config so the plugin can load it (standard Node.js module export)
module.exports = config;
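Before enabling the plugin, it is worth checking that config.js is internally consistent and that the issuer named in auth_url actually publishes the endpoints the login flow needs. The script below is an added example, not code from Countly or the OIDC plugin: it derives the well-known discovery URL from auth_url, validates the config fields shown above (https-only URLs, boolean global_admin, array-valued admin_of and user_of), and cross-checks a discovery document against the config. The discovery document, the app id in admin_of, and the assumption that auth_callback holds the issuer's token endpoint (as the sample above does) are constructed for this example.

```javascript
// Added example, not part of Countly or the OIDC plugin: sanity-check an
// OIDC plugin config (the shape shown above) and the issuer's discovery
// document before running "countly plugins enable oidc".

// Constructed config, mirroring the field names from the sample config.js.
const SAMPLE_CONFIG = {
  auth_url: "https://accounts.google.com",
  auth_callback: "https://oauth2.googleapis.com/token",
  client_id: "somevalue.apps.googleusercontent.com",
  global_admin: false,
  admin_of: ["app-id-1"], // constructed placeholder app id
  user_of: [],
};

// Constructed discovery document, standing in for what
// GET <auth_url>/.well-known/openid-configuration would return.
const SAMPLE_DISCOVERY = {
  issuer: "https://accounts.google.com",
  authorization_endpoint: "https://accounts.google.com/o/oauth2/v2/auth",
  token_endpoint: "https://oauth2.googleapis.com/token",
  jwks_uri: "https://www.googleapis.com/oauth2/v3/certs",
  response_types_supported: ["code", "id_token"],
  id_token_signing_alg_values_supported: ["RS256"],
};

function stripSlash(url) {
  return url.replace(/\/+$/, "");
}

// The well-known URL the plugin discovers endpoints from, derived from auth_url.
function discoveryUrl(authUrl) {
  return stripSlash(authUrl) + "/.well-known/openid-configuration";
}

// Static checks on config.js. Returns an array of problems; empty means OK.
function validateConfig(config) {
  const problems = [];
  for (const key of ["auth_url", "auth_callback", "client_id"]) {
    if (typeof config[key] !== "string" || config[key].trim() === "") {
      problems.push(`${key} must be a non-empty string`);
    } else if (key !== "client_id" && !config[key].startsWith("https://")) {
      // Authorization codes and tokens travel over these URLs; never allow plain http.
      problems.push(`${key} must use https`);
    }
  }
  if (typeof config.global_admin !== "boolean") {
    problems.push("global_admin must be a boolean");
  }
  for (const key of ["admin_of", "user_of"]) {
    if (!Array.isArray(config[key]) || !config[key].every((id) => typeof id === "string")) {
      problems.push(`${key} must be an array of app id strings`);
    }
  }
  return problems;
}

// Cross-check a fetched discovery document against the config: the issuer must
// match auth_url (otherwise identity tokens from a different issuer could be
// accepted), and the endpoints the login flow needs must be present over https.
function validateDiscovery(config, doc) {
  const problems = [];
  if (stripSlash(doc.issuer || "") !== stripSlash(config.auth_url)) {
    problems.push(`issuer ${doc.issuer} does not match auth_url ${config.auth_url}`);
  }
  for (const key of ["authorization_endpoint", "token_endpoint", "jwks_uri"]) {
    if (typeof doc[key] !== "string" || !doc[key].startsWith("https://")) {
      problems.push(`discovery document lacks an https ${key}`);
    }
  }
  // Assumption: auth_callback holds the issuer's token endpoint, as in the sample above.
  if (doc.token_endpoint && doc.token_endpoint !== config.auth_callback) {
    problems.push(`auth_callback ${config.auth_callback} differs from token_endpoint ${doc.token_endpoint}`);
  }
  if (!Array.isArray(doc.response_types_supported) || !doc.response_types_supported.includes("code")) {
    problems.push("issuer does not advertise the authorization code flow");
  }
  return problems;
}

function main() {
  console.log("discovery URL:", discoveryUrl(SAMPLE_CONFIG.auth_url));
  const problems = [
    ...validateConfig(SAMPLE_CONFIG),
    ...validateDiscovery(SAMPLE_CONFIG, SAMPLE_DISCOVERY),
  ];
  console.log(problems.length ? problems.join("\n") : "config looks consistent");
}

main();
```

In practice you would replace SAMPLE_DISCOVERY with the JSON fetched from the printed discovery URL; the issuer comparison is the check that matters most, because the plugin will trust identity assertions from whatever issuer auth_url names.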