OpenID Auth
Overview
OpenID Auth enables endpoints to authenticate users via any OpenID-compliant service when using a Basic Authentication Destination. All requests made through APIs/Proxies that have OpenID Auth configured will require a Bearer JWT (JSON Web Token) Authorization header issued by the configured OpenID Auth provider.
Configuration
The value of OpenIdAuths__0__Name must match Api/Proxies__0__OpenIdAuth (ApiProxies__0__OpenIdAuth or Proxies__0__OpenIdAuth in the example below).
OpenIdAuths__0__MetadataAddress is the URL of the user's OpenID service metadata document.
Optional parameters are available for Scopes and Audience validation. OpenIdAuths__0__Audience is the audience required of all incoming JWTs; OpenIdAuths__0__AcceptedScopes is a comma-delimited list of scopes required to access the resource. A token matching any one of the listed scopes will be granted access.
EntraId can use various formats for the Metadata Address and Issuer depending on how the application registration is configured.
For this reason, it is recommended to generate a token through your expected authentication method using a tool such as Postman or Insomnia, then inspect that token with jwt.ms to verify the issuer and audience.
In particular, the issuer can be from the domain sts.windows.net instead of the login.microsoftonline.com shown in the EntraId UI. The Metadata Address can be created by appending /.well-known/openid-configuration to the issuer value taken from the token.
Example
OpenIdAuths__0__MetadataAddress: https://login.microsoftonline.com/3549dbc3-b4bd-4f9e-a1b1-dd8f9a1616ab/v2.0/.well-known/openid-configuration
OpenIdAuths__0__Name: entraId
OpenIdAuths__0__Audience: 767491da-d91a-498f-8bc4-64194180e432
OpenIdAuths__0__AcceptedScopes: auth,Material.Configure
Proxies__0__Server: sap-ensx-framework-basix-auth
Proxies__0__OpenIdAuth: entraId
Proxies__0__Path: 767387y8ync83275928735nc
ApiProxies__0__Server: sap-ensx-framework-basix-auth
ApiProxies__0__OpenIdAuth: entraId
ApiProxies__0__Path: hgdfkuy87e6876890900
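The following is an added example, not code from this product, that walks through the checks the configuration above describes: deriving the Metadata Address from a token's issuer, parsing the comma-delimited AcceptedScopes, and validating a JWT's signature, expiry, issuer, audience and scopes (any one accepted scope suffices). It reuses the tenant, audience and scope values from the Example section. To run offline it mints its own HS256 token with a constructed key; real provider tokens are signed by the provider's published keys, and the assumption that delegated scopes arrive space-separated in the scp claim is an Entra ID convention, not something this page states.

```python
import base64
import hashlib
import hmac
import json
import time

# Values taken from the Example section of this page.
AUDIENCE = "767491da-d91a-498f-8bc4-64194180e432"
ACCEPTED_SCOPES = "auth,Material.Configure"
TENANT = "3549dbc3-b4bd-4f9e-a1b1-dd8f9a1616ab"
# Issuer as it may actually appear in the token (sts.windows.net), not as shown in the EntraId UI.
ISSUER = f"https://sts.windows.net/{TENANT}/"

# Constructed demo key: real tokens are signed by the provider, never with a shared secret like this.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def metadata_address(issuer: str) -> str:
    """Build OpenIdAuths__0__MetadataAddress from the iss claim of an inspected token."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def parse_accepted_scopes(value: str) -> set[str]:
    """OpenIdAuths__0__AcceptedScopes is comma-delimited; surrounding whitespace is ignored."""
    return {s.strip() for s in value.split(",") if s.strip()}


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT for the demo only (the gateway verifies provider-issued tokens)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token, key, audience, accepted_scopes, issuer, now=None):
    """Return (True, "ok") or (False, reason). Signature first, then exp, iss, aud, scopes."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return False, "undecodable token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:  # a missing exp is treated as expired
        return False, "expired"
    if claims.get("iss") != issuer:
        return False, f"issuer mismatch: {claims.get('iss')}"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    # Assumption: delegated scopes are space-separated in "scp"; any one accepted scope grants access.
    if accepted_scopes and not (set(claims.get("scp", "").split()) & accepted_scopes):
        return False, "no accepted scope present"
    return True, "ok"


def demo():
    """Validate a constructed token carrying one of the two accepted scopes."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "scp": "Material.Configure", "exp": 2_000_000_000}
    token = make_token(claims, DEMO_KEY)
    return validate_token(token, DEMO_KEY, AUDIENCE, parse_accepted_scopes(ACCEPTED_SCOPES), ISSUER, now=1_700_000_000)


if __name__ == "__main__":
    print(metadata_address(ISSUER))
    print(demo())
```

The issuer comparison is exact, which is why the page's advice to read the iss claim from a real token matters: a token issued under sts.windows.net will not validate against a configuration that expects the login.microsoftonline.com form.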