OIDC

The authentication flow for OpenID Connect involves the following steps:

  1. The auth client (SingleStore) creates an authorization request and redirects the browser to the IdP's authorization endpoint.

  2. The IdP displays (or redirects to) its login page and authenticates the user.

  3. When login is complete, the IdP redirects the browser back to the client's registered redirect URL with an authorization code, together with the state value the client sent. The client must check that state before using the code.

  4. The client then makes a direct back-channel request (not via the browser) to the IdP's token endpoint to exchange the authorization code for tokens (refresh, access, and ID).

  5. The client stores the tokens, validates the ID token (signature, issuer, audience, expiry) and reads the user's identity claims from it, and can present the access token to the IdP's UserInfo endpoint to fetch further user information (name, email).

Access and ID tokens typically have short expiry times. When they expire, the client calls the token endpoint with the refresh token to obtain new tokens.

The ID token is always a signed JWT (JSON Web Token) with an expiration time. The access token may be a JWT. The refresh token is typically not a JWT, though it can be one. The refresh token should be persisted server-side so that it can be invalidated. The access and ID tokens may also be persisted server-side for invalidation purposes, but that is generally not required because they expire quickly.
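The flow above end to end, as an added example that is neither SingleStore's code nor part of the original page. The IdP is simulated in-process so the example runs offline: the issuer, client ID, redirect URL and user identifier are made-up values, and the client secret is generated at import time and also serves as the HS256 signing key for the mock's ID tokens (production IdPs normally sign with RS256 and publish their keys at a JWKS URL, so a real client verifies against those keys instead). It shows what the steps leave implicit: the state check against CSRF on the redirect back, PKCE binding the code to the client that started the flow, single-use codes, ID token validation with a pinned algorithm, and refresh-token rotation with server-side revocation of the old token.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse
# Assumed values for this example; none of them come from the original page.
ISSUER = "https://idp.example.com"
CLIENT_ID = "singlestore-helios-portal"
CLIENT_SECRET = secrets.token_urlsafe(32)  # shared with the mock IdP; doubles as the HS256 key
REDIRECT_URI = "https://portal.example.com/oidc/callback"  # the registered Login Redirect URL

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict) -> str:
    """Mint a JWT signed with the client secret (real IdPs normally use RS256 with a JWKS)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(CLIENT_SECRET.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose its own algorithm
    mac = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    for name, want in {"iss": ISSUER, "aud": CLIENT_ID, "nonce": expected_nonce}.items():
        if claims.get(name) != want:
            raise ValueError(f"{name} mismatch")  # the nonce binds the token to this login attempt
    if claims.get("exp", 0) <= (int(time.time()) if now is None else now):
        raise ValueError("ID token expired")
    return claims

class MockIdP:  # in-process stand-in for the OpenID Provider, constructed so the example runs offline
    def __init__(self):
        self.codes, self.refresh_tokens = {}, {}  # refresh tokens persist server-side for revocation

    def authorize(self, params: dict, user_sub: str) -> str:
        """Steps 2-3: the user logs in; the code is bound to the PKCE challenge, nonce and redirect URI."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"challenge": params["code_challenge"], "nonce": params["nonce"],
                            "redirect_uri": params["redirect_uri"], "sub": user_sub}
        return f"{params['redirect_uri']}?{urlencode({'code': code, 'state': params['state']})}"

    def token(self, req: dict) -> dict:
        """Step 4 and later refreshes: a back-channel call from the client, never from the browser."""
        if req.get("client_secret") != CLIENT_SECRET:
            raise PermissionError("client authentication failed")
        if req["grant_type"] == "authorization_code":
            entry = self.codes.pop(req["code"], None)  # single use: a replayed code is rejected
            if entry is None or req["redirect_uri"] != entry["redirect_uri"]:
                raise PermissionError("unknown, reused or misdirected code")
            if b64url(hashlib.sha256(req["code_verifier"].encode()).digest()) != entry["challenge"]:
                raise PermissionError("PKCE verification failed")
            sub, nonce = entry["sub"], entry["nonce"]
        elif req["grant_type"] == "refresh_token":
            sub = self.refresh_tokens.pop(req["refresh_token"], None)  # rotation: the old token dies
            if sub is None:
                raise PermissionError("refresh token invalid or revoked")
            nonce = None
        else:
            raise PermissionError("unsupported grant_type")
        now, refresh = int(time.time()), secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = sub
        resp = {"access_token": secrets.token_urlsafe(32), "expires_in": 300, "refresh_token": refresh}
        if nonce is not None:  # this mock issues an ID token only on the initial code exchange
            resp["id_token"] = sign_hs256({"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
                                          "iat": now, "exp": now + 300, "nonce": nonce})
        return resp

def rejected(idp: MockIdP, req: dict) -> bool:
    try:
        idp.token(req)
    except PermissionError:
        return True
    return False

def run_flow(idp: MockIdP, user_sub: str = "user-1234") -> dict:
    """Steps 1-5 from the client's side, then one refresh and two replay attempts."""
    verifier = secrets.token_urlsafe(48)  # stays on the client; only its hash crosses the browser
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email profile", "state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16),
              "code_challenge_method": "S256", "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest())}
    query = parse_qs(urlparse(idp.authorize(params, user_sub)).query)  # step 1 out, step 3 back
    if query["state"][0] != params["state"]:  # CSRF check before the code is touched
        raise ValueError("state mismatch")
    exchange = {"grant_type": "authorization_code", "code": query["code"][0], "redirect_uri": REDIRECT_URI,
                "code_verifier": verifier, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    tokens = idp.token(exchange)
    claims = verify_id_token(tokens["id_token"], params["nonce"])  # step 5: identity comes from here
    refresh_req = {"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"],
                   "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    renewed = idp.token(refresh_req)  # when the access token expires, trade the refresh token in
    return {"sub": claims["sub"], "code_replay_rejected": rejected(idp, exchange), "old_refresh_rejected": rejected(idp, refresh_req),
            "new_access_token": renewed["access_token"] != tokens["access_token"]}
```

Calling run_flow(MockIdP()) returns the subject taken from the validated ID token plus three booleans: the used code is refused a second time, the pre-rotation refresh token is refused after it has been exchanged, and the refresh produced a fresh access token. verify_id_token accepts an explicit now so expiry handling can be exercised without waiting.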

The configuration items set in the SingleStore Helios Portal are:

  • Login Initiation URL: used for IdP-initiated login. A user who arrives via this URL bypasses the SingleStore login screen; otherwise this is a normal authentication flow.

  • Login Redirect URLs: the URLs the IdP may redirect the browser to once it has verified the login. Register exactly these URLs with the IdP, which should refuse to redirect anywhere else.

  • Logout Redirect URLs: where the browser is sent after logout, returning the user to a SingleStore login screen.

Most of the configuration comes from the IdP. This includes:

  • Issuer: a URL that identifies the IdP. The discovery endpoint is usually Issuer + "/.well-known/openid-configuration"; it must be a working URL that returns an OpenID configuration document, and the issuer value inside that document must match the configured Issuer exactly.

  • Client ID

  • Client Secret: used by SingleStore to authenticate to the IdP's token endpoint; keep it confidential.

  • PKCE (Proof Key for Code Exchange) is usually supported and should be enabled. It binds the authorization code to the client that started the flow, so an intercepted code cannot be exchanged for tokens by anyone else.

  • The set of scopes for the OIDC client to request. This always includes 'openid' and usually includes 'email' and 'profile'. Other scopes may also be required. The scopes the IdP supports are listed in the scopes_supported field of the discovery document. Do not request any scope that your IdP does not support.

A global logout setting, if enabled, means that when a user logs out of a SingleStore site (portal, etc.) SingleStore also attempts to log them out of their IdP. In the SingleStore Helios Portal this is labelled Attempt Global Logout.
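Checking the settings above against what the IdP actually advertises, as an added example that is not part of the original page or of SingleStore's tooling. discovery_url derives the well-known URL from the Issuer, and check_oidc_config compares the portal-side choices (requested scopes, PKCE, Attempt Global Logout) with the provider metadata: the issuer must match exactly, the endpoints must be https, every requested scope must appear in scopes_supported, S256 must be advertised when PKCE is on, and an end_session_endpoint must exist when global logout is on. SAMPLE_METADATA is a constructed document in the shape real providers publish; its issuer and endpoint URLs are made up. fetch_discovery shows the real network fetch but is not used by the offline checks.

```python
import json
import urllib.request
from urllib.parse import urlparse

def discovery_url(issuer: str) -> str:
    """Derive the discovery endpoint: Issuer (without a trailing slash) + the well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def fetch_discovery(issuer: str, timeout: float = 10) -> dict:
    """Fetch and parse the provider metadata. Network call; the offline checks below do not use it."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)

def check_oidc_config(issuer: str, metadata: dict, scopes: list, pkce: bool, global_logout: bool) -> list:
    """Compare the portal-side settings with what the IdP advertises. Returns a list of findings."""
    findings = []
    if metadata.get("issuer") != issuer:  # Discovery requires an exact match, trailing slash included
        findings.append(f"metadata issuer {metadata.get('issuer')!r} does not match configured issuer {issuer!r}")
    for name in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = metadata.get(name, "")
        if urlparse(url).scheme != "https":
            findings.append(f"{name} is missing or not https: {url!r}")
    if "code" not in metadata.get("response_types_supported", []):
        findings.append("IdP does not advertise response_type 'code'")
    if "openid" not in scopes:
        findings.append("'openid' must always be requested")
    advertised = metadata.get("scopes_supported")
    if advertised is None:  # scopes_supported is only recommended by the spec; fall back to a manual check
        findings.append("metadata has no scopes_supported; confirm the requested scopes with the IdP")
    else:
        extra = sorted(set(scopes) - set(advertised))
        if extra:
            findings.append(f"requested scopes not supported by the IdP: {extra}")
    if pkce and "S256" not in metadata.get("code_challenge_methods_supported", []):
        findings.append("PKCE is enabled but the IdP does not advertise the S256 method")
    if global_logout and not metadata.get("end_session_endpoint"):
        findings.append("Attempt Global Logout is enabled but the IdP advertises no end_session_endpoint")
    return findings

# Constructed sample metadata in the shape real providers publish; all URLs are made up.
SAMPLE_METADATA = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "end_session_endpoint": "https://idp.example.com/oauth2/logout",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
    "code_challenge_methods_supported": ["S256"],
}

if __name__ == "__main__":
    good = check_oidc_config("https://idp.example.com", SAMPLE_METADATA, ["openid", "email", "profile"], True, True)
    bad = check_oidc_config("https://idp.example.com", SAMPLE_METADATA, ["openid", "groups"], True, True)
    print("good config:", good or "no findings")
    print("bad config:", bad)
```

Against a live IdP, replace SAMPLE_METADATA with fetch_discovery(issuer) and run the checks before saving the configuration; an empty list means the portal settings agree with what the IdP advertises, and each finding names the setting to fix.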

Last modified: January 10, 2024