OIDC environment variables

Environment variables automatically set by the Genero OpenID Connect service after successful authentication and before the application starts.

Overview

After a user is successfully authenticated through OpenID Connect (OIDC), the Genero OpenID Connect service populates a set of environment variables in the application process. All attributes received from the identity provider (IdP) are exposed using the prefix OIDC_ and are available to your application before execution begins.

Use fgl_getenv() to retrieve these variables in your application. The identity provider supplies the claim names and their values in the ID token and, if access-token decoding is enabled, in the decoded access token as well. For example, if the IdP returns an email claim, you can access it with:
LET userEmail = fgl_getenv("OIDC_EMAIL")

Common OIDC_ variables

The exact set of variables depends on your IdP and the claims configured in the SCOPE parameter for the application. The variables are grouped below by their purpose.

Table 1. Identity provider variables
Variable Description
OIDC_IDP_ISSUER The issuer URL of the identity provider.
OIDC_IDP_TOKEN_ENDPOINT The endpoint from which tokens are requested.
OIDC_REGISTRATION_ENDPOINT The registration endpoint URL provided by the IdP, if available. This can be used to register or unregister a client application. For an example, see Retrieve registration endpoint.
OIDC_USERINFO_ENDPOINT The userinfo (profile) endpoint URL that can be used to request a user's personal data (name, email, phone number, and so on).
Table 2. Authentication and authorization variables
Variable Description
OIDC_ACCESS_TOKEN The access token obtained during authentication. This token can be used to call the APIs of secured services.
OIDC_REFRESH_TOKEN The refresh token obtained during authentication, when the IdP issues one. This token can be used by the service to obtain new access tokens when the current one expires.
OIDC_ROLES Roles determine who can access the application (for example, which users are permitted to use or view specific features). User roles are derived from the role claims present in the ID token, if defined. For an example, see Retrieve roles and scopes.
OIDC_SCOPES Scopes define what the application can do on behalf of the user (for example, read but not write data). User scopes are derived from the scope claims present in the ID token, if defined. For an example, see Retrieve roles and scopes.
OIDC_SUB The unique identifier of the user on the specified identity provider.
Important:

Even when no optional claims are returned, the OIDC_SUB variable is always set. The value is opaque and not human-readable; it represents the IdP's subject identifier for the authenticated user.

OIDC_TOKEN_EXPIRES_IN The expiration date of the access token.
Table 3. User-specific variables
Variable Description
OIDC_claim These variables are specific to each identity provider. They are defined during user authorization by sending a request to the identity provider's userinfo endpoint. Each piece of information returned by the userinfo endpoint is transformed into an OIDC_* variable. A non-exhaustive set of possible variables includes OIDC_EMAIL, OIDC_GIVEN_NAME, OIDC_FAMILY_NAME, and others. Check the identity provider's specifications to determine the full list of claims that its userinfo endpoint provides.
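
The following Genero BDL startup routine is an added example, not code from the Genero documentation. It refuses to run without an OIDC identity, keys the account on the issuer plus OIDC_SUB rather than on an optional claim such as email, and falls back when optional claims are absent. The function names and the key format are assumptions made for illustration.

```4gl
-- Added example: resolve the authenticated user from the OIDC_ variables.
-- Function names and the "issuer|sub" key format are assumptions.

MAIN
    DEFINE userKey, label STRING

    LET userKey = oidc_user_key()
    IF userKey IS NULL THEN
        -- OIDC_SUB is always set after a successful login, so a missing
        -- identity means the program was not started through the OIDC service.
        DISPLAY "No OIDC identity in the environment, refusing to start."
        EXIT PROGRAM 1
    END IF

    LET label = oidc_display_name()
    -- Tokens (OIDC_ACCESS_TOKEN, OIDC_REFRESH_TOKEN) are never displayed or logged.
    DISPLAY SFMT("Signed in as %1 (key: %2)", label, userKey)
END MAIN

-- Stable account key. OIDC_SUB is unique only on one identity provider,
-- so it is paired with the issuer URL. Returns NULL if either is unset.
FUNCTION oidc_user_key() RETURNS STRING
    DEFINE sub, issuer STRING

    LET sub = fgl_getenv("OIDC_SUB")
    LET issuer = fgl_getenv("OIDC_IDP_ISSUER")
    IF sub.getLength() == 0 OR issuer.getLength() == 0 THEN
        RETURN NULL
    END IF
    RETURN SFMT("%1|%2", issuer, sub)
END FUNCTION

-- Display label built from optional claims; any of them may be absent,
-- depending on the IdP and the configured SCOPE, so fall back to OIDC_SUB.
FUNCTION oidc_display_name() RETURNS STRING
    DEFINE given, family, email STRING

    LET given = fgl_getenv("OIDC_GIVEN_NAME")
    LET family = fgl_getenv("OIDC_FAMILY_NAME")
    LET email = fgl_getenv("OIDC_EMAIL")
    IF given.getLength() > 0 AND family.getLength() > 0 THEN
        RETURN SFMT("%1 %2", given, family)
    END IF
    IF email.getLength() > 0 THEN
        RETURN email
    END IF
    RETURN fgl_getenv("OIDC_SUB")
END FUNCTION
```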