Generic OIDC Auth
Use a Generic OpenID Connect (OIDC) provider for OAuth 2.0 flow and token lifecycle.
Getting Started
The Generic Auth Service allows you to integrate with any OpenID Connect (OIDC)
compliant identity provider (IDP). It discovers the JWKS (JSON Web Key Set) URL
either through the provider’s /.well-known/openid-configuration endpoint or
directly via the provided authUrl.
To configure this auth service, you need to provide the audience (typically
your client ID or the intended audience for the token), the authUrl of your
identity provider, and optionally a list of scopesRequired that must be
present in the token’s claims.
Behavior
Token Validation
When a request is received, the service will:
- Extract the Bearer token from the Authorization header.
- Fetch the JWKS from the configured authUrl (caching it in the background) to verify the token’s signature.
- Validate that the token is not expired and its signature is valid.
- Verify that the aud (audience) claim matches the configured audience.
- (Optional) If scopesRequired is provided, verify that the token’s scope claim contains all required scopes.
- Return the validated claims to be used for Authenticated Parameters or Authorized Invocations.
Example
```yaml
kind: authServices
name: my-generic-auth
type: generic
audience: ${YOUR_OIDC_AUDIENCE}
authUrl: https://your-idp.example.com
scopesRequired:
  - read
  - write
```
Tip
Use environment variable replacement with the format ${ENV_NAME} instead of hardcoding your secrets into the configuration file.
Reference
| field | type | required | description |
|---|---|---|---|
| type | string | true | Must be “generic”. |
| audience | string | true | The expected audience (aud claim) in the JWT token. This ensures the token was minted specifically for your application. |
| authUrl | string | true | The base URL of your OIDC provider. The service will append /.well-known/openid-configuration to discover the JWKS URI, or use it directly. |
| scopesRequired | []string | false | A list of required scopes that must be present in the token’s scope claim to be considered valid. |