- 10 minutes to read

Install Nodinite v7 - OpenID Connect (OIDC) and OAuth 2.0

This authentication method is recommended for cloud-based deployments or when you want to integrate with external identity providers. It supports modern authentication protocols and provides enhanced security features.

For details on registering Nodinite applications in Azure AD (Entra ID) and configuring permissions, see the Register Nodinite Applications in Azure AD (Entra ID) with OpenID guide.

Authentication Tab with OAuth option
Example of the Authentication tab with OAuth 2.0 / OIDC selected.

If you select OAuth 2.0 / OIDC, you must provide the following settings:

OAuth General settings

In the General settings section, you must provide the following information:

Mandatory Variable Default Description
Authentication Method OAuth Select OAuth to use OpenID configuration
Discovery URL (.well-known) https://idp/.../.well-known/openid-configuration The URL of the OpenID Connect discovery document provided by your identity provider. This document contains metadata about the identity provider, including endpoints, supported scopes, and other configuration details. For Entra ID, use https://login.microsoftonline.com/%YOURGUID%/v2.0/.well-known/openid-configuration
Default Services Account Name <DefaultServiceAccountName> Enter Default Services Account Name. You can override these in the 'Advanced' tab
Installation Client ID Enter the Application (client) ID for your installation/daemon client. For Azure AD (Entra ID): This is the client ID from your NodiniteInstallationClient app registration. See Register Azure AD Apps for detailed setup.
Installation Client Scopes Enter one or more scopes to define the permissions granted to the installation client. Press Enter after each scope. For Azure AD (Entra ID): Use format api://<webApi-client-id>/.default. See Register Azure AD Apps for complete configuration guidance.
Installation Client Claims Specify the claims to include in tokens requested with the installation client credentials. At least one claim is required when using OAuth2 mode. For Azure AD (Entra ID): Use KEY: http://schemas.microsoft.com/ws/2008/06/identity/claims/role, VALUE: AppRole_WebApi_all. See Register Azure AD Apps for app role configuration.

Tip

Using Azure AD (Entra ID)? See the complete step-by-step guide: Register Nodinite Applications in Azure AD (Entra ID) with OpenID. That guide provides detailed instructions for creating the three required app registrations (webApi, webClient, NodiniteInstallationClient) and capturing all the values needed for these fields.

Authentication Tab with OAuth General settings
Example of the OAuth General settings section.

OAuth Web Client settings

In the Web Client settings section, you must provide the following information:

Authentication Tab with OAuth Web Client settings
Example of the OAuth Web Client settings section.

Field Label Default Value / Example Description
Require HTTPS Metadata Unchecked When enabled, the application will only accept metadata from the discovery URL if it is served over HTTPS. This ensures that the metadata is transmitted securely and cannot be tampered with during transit. For Azure AD (Entra ID): Leave this unchecked for production—see Register Azure AD Apps for details.
Client ID * nodinite-%ENVIRONMENTNAME%-webclient The client identifier registered with your identity provider for the Web Client application. This ID is used to identify the application during the authentication process. For Azure AD (Entra ID): See Register Azure AD Apps section 2.1.
Callback Path /signin-oidc The path where the identity provider will redirect users after they have authenticated. This should match the redirect URI registered with your identity provider.
Signed-Out Callback Path /signout-callback-oidc The path where the identity provider will redirect users after they have signed out. This should match the post-logout redirect URI registered with your identity provider.
Signed-Out Redirect URI * https://nodinite.local:41000/ The URI where users will be redirected after they have signed out. This should be a valid URI that is registered with your identity provider.
Access Denied Path / The path where users will be redirected if they are denied access to a resource. This can be a custom error page or a specific route in your application.
Scopes openid, profile, email, and offline_access The scopes that the application will request from the identity provider. These scopes determine the level of access and information that the application will receive about the authenticated user. The default scopes are openid, profile, email, and offline_access. For Azure AD (Entra ID): You must also add your custom API scope—see Register Azure AD Apps section 1.2 for the format and details. Press Enter after each scope to add it.
Nodinite Claims Specify at least one Nodinite claim to ensure secure access and proper tenant or environment context when using OAuth2 mode. Claims prevent user lockout and define how the application identifies users and environments. For Azure AD (Entra ID): See Register Azure AD Apps section 1.4 for how to configure group claims and find your security group Object ID.

OAuth Web API settings

In the Web API settings section, you must provide the following information:

  • Audiences - A list of valid audiences that the Nodinite Web API will accept. This should include the client IDs of any applications that will be accessing the Web API. Example: nodinite-%ENVIRONMENTNAME%-webapi.

Authentication Tab with OAuth Web API settings
Example of the OAuth Web API settings section.

OAuth Log API settings

In the Log API settings section, you must provide the following information:

  • Audiences - A list of valid audiences that the Nodinite Log API will accept. This should include the client IDs of any applications that will be accessing the Nodinite Log API. Example: nodinite-%ENVIRONMENTNAME%-logapi.

Authentication Tab with OAuth Log API settings
Example of the OAuth Log API settings section.

OpenID Connect & OAuth2 Integration – Diagrams and Configuration

Below are diagrams to help administrators of the Identity Provider (IDP) understand how Nodinite interacts with OpenID Connect and OAuth2, and what is required for proper configuration in the Nodinite Portal.

1. Authentication Flow Overview

sequenceDiagram participant User participant Nodinite Web Client participant Identity Provider (IDP) User->>Nodinite Web Client: Accesses application Nodinite Web Client->>IDP: Redirects for authentication (OIDC) IDP->>User: Prompts for login (if not already authenticated) User->>IDP: Provides credentials IDP->>Nodinite Web Client: Returns ID token & claims via redirect URI Nodinite Web Client->>User: Grants access based on claims/scopes style User fill:#87CEEB style Nodinite Web Client fill:#90EE90 style Identity Provider (IDP) fill:#FFD700

This diagram shows the basic OpenID Connect authentication flow between the user, Nodinite Web Client, and the Identity Provider. The IDP must be configured to recognize Nodinite as a client and provide the necessary claims and scopes.

2. Required IDP Configuration for Nodinite

graph TD subgraph "Identity Provider (IDP)" A[Register Nodinite Web Client] B[Register Nodinite Web API] C[Register Nodinite Log API] D[Configure Redirect URIs] E[Configure Scopes] F[Configure Claims] G[Assign Client Secrets] end A --> D A --> E A --> F A --> G B --> E B --> F B --> G C --> E C --> F C --> G style A fill:#FFD700 style B fill:#FFD700 style C fill:#FFD700 style D fill:#FFD700 style E fill:#FFD700 style F fill:#FFD700 style G fill:#FFD700

Administrators must register Nodinite applications in the IDP, configure redirect URIs, assign required scopes (e.g., openid, profile, email, offline_access), and ensure claims (such as tenant/environment context) are provided. Client secrets or certificates may be required for secure communication.

3. Claims and Scopes Mapping

flowchart LR subgraph IDP S[Scopes] C[Claims] end S -->|openid, profile, email, offline_access| N[Nodinite Portal] C -->|tenant, environment, roles| N style S fill:#87CEEB style C fill:#87CEEB style N fill:#90EE90

The IDP must provide the requested scopes and claims to Nodinite. These are mapped in the Nodinite portal fields for each client (Web Client, Web API, Log API).

Understanding Token Lifecycle and Caching

Important

Token Caching and Policy Changes

Nodinite caches authentication tokens from your Identity Provider to improve performance. Administrators must understand token caching when working with Claims, Policies, and Roles.

How Token Caching Works

When a user authenticates:

  1. User logs inNodinite redirects to your Identity Provider (IDP)
  2. IDP authenticates → Returns ID token and access token with claims
  3. Nodinite caches token → Token stored in server memory and browser session
  4. Token lifetime → Typically 1 hour (configured by your IDP's token expiration policy)
  5. Token expires → User must re-authenticate to get new token with updated claims

Critical Implications

IDP Changes Don't Take Immediate Effect

If you modify claims in your Identity Provider (Azure AD, Okta, etc.):

Scenario: You add a new claim "Department=IT" to a user in Azure AD

Timeline:
  T+0 min:  Change made in Azure AD
  T+0 min:  User already has cached token (without Department claim)
  T+5 min:  User logs out and logs back in
  T+5 min:  Still uses cached session token (no new authentication)
  T+60 min: Token expires
  T+61 min: User logs in again - NEW token includes Department=IT ✓

Key points:

  • Cached tokens persist for their full lifetime (typically 1 hour)
  • Logging out and back in may not force re-authentication (session cookie persists)
  • Browser cache clearing does not affect server-side token cache
  • IDP changes only apply when a new token is issued

Impact on Policy Changes

This is especially dangerous when modifying Policies:

Danger scenario:

1. Administrator adds new Claim to existing Policy (requires Department=IT)
2. Policy now blocks all users without Department=IT claim
3. Administrator realizes mistake and updates IDP to send Department=IT
4. Users still locked out for 1+ hours (cached tokens don't have the claim)
5. Even logout/login may not help (session token cached)

Recovery options:

  • Wait for token expiration - Typically 1 hour, safest option
  • Force re-authentication - Clear server-side session cache (requires server restart or cache flush)
  • Database fix - Remove problematic Claim from Policy directly in database
  • Logout/login - May not work (session token cached)
  • Browser cache - Doesn't affect server-side token cache

Best Practices for Administrators

Before Making Changes

  1. Test in non-production environment first
  2. Document current IDP claims - Know exactly what claims are currently provided
  3. Create test accounts - Never test with production admin accounts
  4. Have database backup - Ability to rollback Policy changes if needed

During Deployment

  1. Notify users - Inform users they may need to wait up to 1 hour for changes to take effect
  2. Schedule during low-usage windows - Minimize impact
  3. Create new Policies - Instead of modifying existing Policies
  4. Never modify Administrators Policy - Without tested backup plan

After Changes

  1. Wait for token expiration - Allow 1+ hours before troubleshooting
  2. Test with fresh login - Use incognito/private browsing to force new authentication
  3. Monitor access logs - Verify users can authenticate after token refresh
  4. Plan for token lifetime - Understand changes won't be instant

Token Configuration in Identity Providers

Azure AD (Entra ID)

Default token lifetimes:

  • Access tokens: 1 hour (not configurable in most tenants)
  • ID tokens: 1 hour (not configurable in most tenants)
  • Refresh tokens: 90 days (configurable)

To view token lifetime:

  1. Azure Portal → App Registrations → Your app → Token configuration
  2. Note: Microsoft has deprecated custom token lifetime policies for most tenants

Other Identity Providers

Consult your IDP documentation:

  • Okta: Access token lifetime configurable per authorization server (default 1 hour)
  • Auth0: Token lifetime configurable in application settings (default 10 hours for access tokens)
  • Google: Access tokens expire after 1 hour (fixed)

Troubleshooting Token Issues

Problem: User still locked out after IDP fix

Diagnosis:

# Check if issue is token caching
# Have user try these steps:
  1. Logout completely from Nodinite
  2. Close all browser windows
  3. Open incognito/private browsing window
  4. Navigate to Nodinite URL
  5. Login with fresh authentication

If still locked out:

  • Token may still be cached server-side
  • Verify IDP change was actually saved
  • Check Policy configuration in database
  • Consider restarting Nodinite Web Client service to clear server cache

Problem: Policy change not affecting users

Diagnosis:

# Verify the Policy was saved correctly
# Check :Nodinite: database:
SELECT PolicyId, PolicyName, Claims 
FROM NodiniteConfiguration.dbo.Policies
WHERE PolicyName = 'YourPolicyName'
  • If Policy shows correct Claims but users still have old permissions: Token caching
  • If Policy shows old Claims: Changes weren't saved

Emergency Access Recovery

If administrators are locked out:

-- Emergency: Temporarily remove problematic Claim from Policy
-- Connect to NodiniteConfiguration database
USE NodiniteConfiguration;
GO

-- Find the Policy
SELECT PolicyId, PolicyName, Claims
FROM dbo.Policies
WHERE PolicyName = 'Administrators';
GO

-- Backup before changing
SELECT * INTO dbo.Policies_BACKUP_20260123
FROM dbo.Policies
WHERE PolicyName = 'Administrators';
GO

-- Update Policy to remove problematic Claim
-- (This requires JSON manipulation - consult with :Nodinite: support)

Warning

Direct database changes bypass validation. Only perform emergency database fixes if:

  • All administrators are locked out
  • Token expiration wait (1+ hours) is not acceptable
  • You have database backup
  • You have consulted Nodinite support documentation

Next Step

Install Nodinite v7
Updating Nodinite v7
Managing the Web API - Learn how to call the Web API with OAuth 2.0 authentication
Register Nodinite Applications in Azure AD (Entra ID) with OpenID

Uninstall Nodinite v7
Managing the Web API - Code samples for PowerShell, C#, Java, and Node.js with OAuth 2.0