OpenID Connect (OIDC)

Availability

The OpenID Connect feature is available only in Countly Enterprise.

OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0. It lets a client (here, the Countly dashboard) verify the identity of the end-user based on the authentication performed by an external authorization server (the issuer), and obtain basic profile information about the end-user.

In Countly, OIDC delegates authentication to that trusted issuer: a user signs in at the issuer, and Countly accepts the signed identity it returns instead of maintaining a separate password. This limits dashboard access to identities the issuer vouches for.

Benefits of OpenID Connect

OpenID Connect allows web, desktop, and mobile clients to request and receive information about authenticated sessions and end-users. The specification suite is extensible, so participants can use optional features such as encryption of identity data. It is API-friendly and usable by any mobile or web application.

OpenID Connect includes optional mechanisms for signing and encrypting identity data. These are part of the protocol itself rather than bolted on, which is why the issuer's discovery document and signing keys are enough for a client to validate what it receives.

Getting Started

To use the OpenID Connect feature, you have to configure it following the steps below:

  1. In your OIDC package, rename plugins/oidc/config.sample.js to plugins/oidc/config.js.
  2. Edit the configuration to provide the OpenID issuer's host (where the .well-known endpoints are published), the callback, and the client ID.
  3. Edit the configuration to set the default Countly permissions that new users receive when their account is created.
  4. Enable the OIDC plugin and restart the Countly process.

To enable OIDC, use the command below:

countly plugins enable oidc  
countly restart

For reference, this is an example of the configuration file. Note that global_admin: true makes every account the plugin provisions a global administrator; leave it false unless every identity at the issuer should administer the whole Countly instance, and grant per-app rights through admin_of and user_of instead.

const config = {
    // Issuer host with published .well-known endpoints
    auth_url: "https://accounts.google.com",
    // Issuer callback endpoint
    auth_callback: "https://oauth2.googleapis.com/token",
    // Issuer provided client ID
    client_id: "somevalue.apps.googleusercontent.com",
    // should user become global admin on account creation
    global_admin: true,
    // list of apps the user should have admin access to on account creation
    admin_of: [],
    // list of apps the user should have read access to on account creation
    user_of: []
};
