Setting Up OIDC Relying Party with Authorization Code Flow

When configuring a new OIDC relying party, you can select the Authorization Code Flow method of authenticating to GENESIS. It is an interactive method that requires users to log in via a web browser.

If you enable Proof Key for Code Exchange (PKCE), the interactive sign-in is only required once; after that, GENESIS manages token refresh automatically.

To configure a relying party with the authorization code flow authentication:

  1. Open Workbench and in Project Explorer, expand your project > Security.
  2. Right-click OIDC Relying Parties and select Add OIDC Relying Party to open the configuration dialog.
  3. At the top of the dialog, enter a name according to the client that you are configuring; for example, TestRESTClient. This name serves as the OIDC/OAuth Client Identifier (https://tools.ietf.org/html/rfc6749#section-2.2).
  4. In General Settings, make sure the Enabled checkbox is selected. Optionally, enter a display name and description.
  5. In the Flow types section, make sure that Authorization Code Flow Enabled is selected, and Client Credentials Flow Enabled is cleared.

    This is the default setting.
  6. In the Login section, do one of the following:

    • Click the button next to the Client secret text box, enter the client secret in the Shared secret dialog, and click Set.

      To clear or change the client secret, open the Shared secret dialog again and click Clear.
    • Clear the Require client secret checkbox (selected by default).
  7. In Redirect URIs, enter the URL in your application to which the identity provider sends users after they successfully sign in; this endpoint receives the authorization code and continues the login process.

    The value must exactly match the URL that is configured in your client application.

    You can add multiple URIs, each on a separate line.
  8. Configure the rest of the OIDC Relying Party settings as desired, and then click Apply.

Example for using the Postman REST client as your test client:

  • In the Login section, select Require client secret and enter your client REST application's secret in the Client secret text box. Make a note of the value for later use.
  • In Redirect URIs, enter http://localhost.
  • In the Refresh tokens section, select Allow refresh tokens (a.k.a. Offline Access).
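
The following Python script is an added example, not part of the original documentation and not GENESIS code. It shows what a client registered as described above (client identifier TestRESTClient, redirect URI http://localhost, a client secret, PKCE) actually sends during the authorization code flow, and how the exact-match redirect URI check and the S256 code verifier check on the identity provider side work. The authorization and token endpoint paths, the issuer host and the sample callback values are placeholders; GENESIS's real endpoint paths are not given on this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder identity provider endpoints (assumption; not the real GENESIS paths).
ISSUER = "https://genesis.example.local"
AUTHORIZE_ENDPOINT = f"{ISSUER}/connect/authorize"
TOKEN_ENDPOINT = f"{ISSUER}/connect/token"

# Values from the relying party configuration described on the page.
CLIENT_ID = "TestRESTClient"
REGISTERED_REDIRECT_URIS = ["http://localhost"]


def make_pkce_pair():
    """Create a PKCE code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def verify_code_verifier(code_verifier, code_challenge):
    """Identity-provider side: recompute S256 and compare in constant time."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return hmac.compare_digest(expected, code_challenge)


def redirect_uri_is_registered(candidate, registered):
    """Exact string comparison: 'http://localhost/' or a subpath does not match 'http://localhost'."""
    return candidate in registered


def build_authorization_url(redirect_uri, code_challenge, state,
                            scopes=("openid", "offline_access")):
    """Front-channel request that sends the user to the identity provider's login page.

    offline_access requests a refresh token, matching 'Allow refresh tokens' in the RP settings.
    """
    if not redirect_uri_is_registered(redirect_uri, REGISTERED_REDIRECT_URIS):
        raise ValueError(f"redirect_uri {redirect_uri!r} is not registered for {CLIENT_ID}")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                 # bound to the browser session; checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect and reject a state mismatch."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "error" in query:
        raise RuntimeError(f"identity provider returned error {query['error'][0]!r}")
    return query["code"][0]


def build_token_request(code, redirect_uri, code_verifier, client_secret=None):
    """Back-channel request: (headers, form body) for a POST to the token endpoint.

    With 'Require client secret' enabled the secret is sent as HTTP Basic credentials
    (RFC 6749 section 2.3.1); with the checkbox cleared only the PKCE verifier is sent.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,   # must repeat the value used in the authorization request
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        credentials = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {credentials}"
    return headers, form


if __name__ == "__main__":
    # Constructed walk-through; no network calls are made.
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorization_url("http://localhost", challenge, state))
    # Constructed callback URL standing in for what the browser would be redirected to.
    code = parse_callback(f"http://localhost?code=constructed-code&state={state}", state)
    headers, form = build_token_request(code, "http://localhost", verifier,
                                        client_secret="placeholder-client-secret")
    print(TOKEN_ENDPOINT, headers, form)
    print("verifier accepted:", verify_code_verifier(verifier, challenge))
```

The redirect URI check is deliberately an exact string comparison, which is why the page says the value must exactly match what your client sends; the token request repeats the same redirect_uri so the identity provider can tie the code to the original authorization request.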