OpenID Connect Authentication Overview

GENESIS implements OpenID Connect (OIDC), which is built on top of OAuth 2.0. It is used for a secure connection with identity provider clients.

An identity provider client, also known as an OIDC relying party, is an application that requires end-user authentication or requests access to something using the user's credentials. In case of GENESIS, the client typically needs permission to access data points. You can configure a custom relying party in the Security section in Workbench (see the links in What's Next).

In the OIDC Relying Parties folder, there is a pre-configured entry for CFS/mobile redirect. It exists for historical compatibility with offline access support in the mobile apps and should not be removed.

We support the following OAuth 2.0 flows (authentication methods) for OIDC relying parties.

Flow

Description

Use case

Authorization Code Flow

Interactive user login via a web browser.

Logging into Workbench, GraphWorks, WebHMI, or Web API (interactive).

Authorization Code Flow with Proof Key for Code Exchange (PKCE)

Interactive user sign-in is only required once; after that, GENESIS manages token refresh automatically.

Logging into Workbench, GraphWorks, WebHMI, or Web API (interactive).

Client Credentials Flow

Server-to-server authentication using a client ID and client secret; no user sign-in required.
Available in GENESIS versions 11.5 and later.

Automated processes, background services, or machine-to-machine communication with the Web API.

Other OAuth 2.0 flows, such as Implicit, Device Authorization, or Resource Owner Password, are not supported.

GENESIS Security can act as an OIDC identity provider for in-house applications and third-party clients. This implementation uses the Authorization Code Flow with the following settings:

  • Always requires PKCE.

  • Does not allow a client secret.

If your client application cannot support PKCE, or if you require a client secret, create a custom OIDC relying party and configure it accordingly.