Install Nodinite v7 - OpenID Connect (OIDC) and OAuth 2.0
This authentication method is recommended for cloud-based deployments or when you want to integrate with external identity providers. It supports modern authentication protocols and provides enhanced security features.
Example of the Authentication tab with OAuth 2.0 / OIDC selected.
If you select OAuth 2.0 / OIDC, you must provide the following settings:
OAuth General settings
In the General settings section, you must provide the following information:
Variable | Default | Description |
---|---|---|
Authentication Method | OAuth | Select OAuth to use OpenID configuration. |
Discovery URL (.well-known) | https://idp/.../.well-known/openid-configuration | The URL of the OpenID Connect discovery document provided by your identity provider. This document contains metadata about the identity provider, including endpoints, supported scopes, and other configuration details. For Entra ID, use https://login.microsoftonline.com/%YOURGUID%/v2.0/.well-known/openid-configuration |
Default Services Account Name | <DefaultServiceAccountName> | Enter the Default Services Account Name. You can override this in the 'Advanced' tab. |
Installation Client ID | | Enter the unique client ID used to authenticate your installation with the authorization server. |
Installation Client Scopes | | Add one or more scopes to define the permissions granted to the installation client. Press Enter after each scope. At least one scope is required. |
Installation Client Claims | | Specify the claims to include in tokens requested with the installation client credentials. At least one claim is required when using OAuth2 mode. |
Example of the OAuth General settings section.
OAuth Web Client settings
In the Web Client settings section, you must provide the following information:
Example of the OAuth Web Client settings section.
Field Label | Default Value / Example | Description |
---|---|---|
Require HTTPS Metadata | Unchecked | When enabled, the application will only accept metadata from the discovery URL if it is served over HTTPS. This ensures that the metadata is transmitted securely and cannot be tampered with in transit. |
Client ID * | nodinite-%ENVIRONMENTNAME%-webclient | The client identifier registered with your identity provider for the Web Client application. This ID is used to identify the application during the authentication process. |
Callback Path | /signin-oidc | The path where the identity provider will redirect users after they have authenticated. This should match the redirect URI registered with your identity provider. |
Signed-Out Callback Path | /signout-callback-oidc | The path where the identity provider will redirect users after they have signed out. This should match the post-logout redirect URI registered with your identity provider. |
Signed-Out Redirect URI * | https://nodinite.local:41000/ | The URI where users will be redirected after they have signed out. This should be a valid URI that is registered with your identity provider. |
Access Denied Path | / | The path where users will be redirected if they are denied access to a resource. This can be a custom error page or a specific route in your application. |
Scopes | openid, profile, email, and offline_access | The scopes that the application will request from the identity provider. These scopes determine the level of access and information that the application will receive about the authenticated user. The default scopes are openid, profile, email, and offline_access. You can add additional scopes as needed. |
Nodinite Claims | | Specify at least one Nodinite claim to ensure secure access and proper tenant or environment context when using OAuth2 mode. Claims prevent user lockout and define how the application identifies users and environments. |
OAuth Web API settings
In the Web API settings section, you must provide the following information:
- Audiences - A list of valid audiences that the Nodinite Web API will accept. This should include the client IDs of any applications that will be accessing the Web API. Example: nodinite-%ENVIRONMENTNAME%-webapi
Example of the OAuth Web API settings section.
OAuth Log API settings
In the Log API settings section, you must provide the following information:
- Audiences - A list of valid audiences that the Nodinite Log API will accept. This should include the client IDs of any applications that will be accessing the Nodinite Log API. Example: nodinite-%ENVIRONMENTNAME%-logapi
Example of the OAuth Log API settings section.
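As an added example (not part of the Nodinite installer or its documentation), the following Python script performs the sanity checks an administrator would want before saving the Web Client settings and the Web API / Log API Audiences above: it reads a constructed discovery document, verifies that every endpoint is served over HTTPS (Require HTTPS Metadata is unchecked by default, so the check only fires when it is enabled), confirms that the requested scopes and Nodinite claims are advertised by the identity provider, and shows how an Audiences list is matched against a token's aud claim. The host idp.example, the client and audience names, and the comparison against claims_supported are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document in the shape of a real
# /.well-known/openid-configuration response (placeholder host and paths).
DISCOVERY_DOC = json.loads("""{
  "issuer": "https://idp.example/v2.0",
  "authorization_endpoint": "https://idp.example/oauth2/v2.0/authorize",
  "token_endpoint": "https://idp.example/oauth2/v2.0/token",
  "jwks_uri": "https://idp.example/discovery/v2.0/keys",
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "claims_supported": ["sub", "name", "email", "preferred_username"]
}""")

# Web Client settings as they would be entered in the installer (hypothetical values).
WEB_CLIENT = {
    "discovery_url": "https://idp.example/v2.0/.well-known/openid-configuration",
    "require_https_metadata": True,
    "scopes": ["openid", "profile", "email", "offline_access"],
    "claims": ["email"],
}

def check_web_client(cfg, discovery):
    """Return the list of problems found; an empty list means the settings are consistent."""
    problems = []
    if cfg["require_https_metadata"] and urlparse(cfg["discovery_url"]).scheme != "https":
        problems.append("discovery URL is not https but Require HTTPS Metadata is enabled")
    if not cfg["discovery_url"].endswith("/.well-known/openid-configuration"):
        problems.append("discovery URL does not end in /.well-known/openid-configuration")
    # Every endpoint the client will talk to must be present and served over TLS.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not discovery.get(key, "").startswith("https://"):
            problems.append(f"discovery document: {key} is missing or not https")
    if not cfg["scopes"]:
        problems.append("at least one scope is required")
    for scope in cfg["scopes"]:
        if scope not in discovery.get("scopes_supported", []):
            problems.append(f"scope {scope!r} is not advertised by the identity provider")
    if not cfg["claims"]:
        problems.append("at least one Nodinite claim is required in OAuth2 mode")
    for claim in cfg["claims"]:  # claims_supported is optional in discovery, so only check when present
        if "claims_supported" in discovery and claim not in discovery["claims_supported"]:
            problems.append(f"claim {claim!r} is not advertised by the identity provider")
    return problems

def audience_accepted(token_aud, audiences):
    """Audience check implied by the Web API / Log API Audiences list: 'aud' may be a string or a list."""
    auds = [token_aud] if isinstance(token_aud, str) else list(token_aud)
    return any(a in audiences for a in auds)
```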
OpenID Connect & OAuth2 Integration – Diagrams and Configuration
Below are diagrams to help administrators of the Identity Provider (IDP) understand how Nodinite interacts with OpenID Connect and OAuth2, and what is required for proper configuration in the Nodinite Portal.
1. Authentication Flow Overview
This diagram shows the basic OpenID Connect authentication flow between the user, Nodinite Web Client, and the Identity Provider. The IDP must be configured to recognize Nodinite as a client and provide the necessary claims and scopes.
2. Required IDP Configuration for Nodinite
Administrators must register Nodinite applications in the IDP, configure redirect URIs, assign required scopes (e.g., openid, profile, email, offline_access), and ensure claims (such as tenant/environment context) are provided. Client secrets or certificates may be required for secure communication.
3. Claims and Scopes Mapping
The IDP must provide the requested scopes and claims to Nodinite. These are mapped in the Nodinite portal fields for each client (Web Client, Web API, Log API).
Next Step
Install Nodinite v7
Updating Nodinite v7