OpenIDConnect configuration entries

The OpenIDConnect service configuration file is located at $FGLDIR/web_utilities/services/openid-connect/res/configuration.

The following table lists configuration entries used by the OpenIDConnect service in common Single sign-on (SSO) workflows.

Table 1. OpenIDConnect configuration entries (columns: Entry, Description, Default)
oidc.accesstoken.decode

Enables decoding of the Access Token so roles and scopes provided by the identity provider can be retrieved. By default, only the ID token is decoded. See Enable access token decoding.

Values:

  • true — Enable Access Token decoding.
  • false — Do not decode the Access Token.
Important:

The access token can only be decoded if its aud (audience) claim contains your application's client ID, the public client identifier registered at the Identity Provider. If it does not, configure the IdP to include the client ID in the access token's audience; the service cannot correct this on its side. Note also that some IdPs issue opaque (non-JWT) access tokens, which cannot be decoded at all.

Default: false
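As an added check for this entry (example code, not part of the Genero product or of this page): a Python script that decodes a JWT access token the way the service would need to, confirms that aud contains the client ID in both forms RFC 7519 allows (a single string or an array of strings), and reports opaque tokens that cannot be decoded at all. The token contents and the client_id value are constructed; the signature is deliberately not verified, because this is a configuration-time check of the aud claim, not a runtime trust decision.

```python
import base64
import json
from typing import Optional

# Assumed client_id registered at the IdP (constructed value for this example).
CLIENT_ID = "genero-app-client"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(payload: dict) -> str:
    """Build a JWT-shaped token with a dummy signature (constructed test data only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url_encode(b'dummy-signature')}"


def decode_claims(token: str) -> Optional[dict]:
    """Return the payload claims of a JWT, or None if the token is not a JWT.

    The signature is deliberately NOT verified: this is a configuration-time
    check that the aud claim is usable. Before any claim is trusted at runtime,
    the token must be verified against the IdP's signing keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque access token: there is nothing to decode
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


def audience_allows(claims: dict, client_id: str) -> bool:
    """RFC 7519 allows aud to be a single string or an array of strings."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == client_id
    if isinstance(aud, list):
        return client_id in aud
    return False  # aud missing or malformed


def check_access_token(token: str, client_id: str) -> str:
    """Classify a token: 'ok', 'wrong-audience' or 'opaque'."""
    claims = decode_claims(token)
    if claims is None:
        return "opaque"          # decoding cannot be enabled for this IdP
    if not audience_allows(claims, client_id):
        return "wrong-audience"  # add the client ID to aud on the IdP side
    return "ok"


if __name__ == "__main__":
    good = make_token({"sub": "alice", "aud": ["api://orders", CLIENT_ID], "scope": "openid read"})
    bad = make_token({"sub": "alice", "aud": "api://orders"})
    print(check_access_token(good, CLIENT_ID))                 # ok
    print(check_access_token(bad, CLIENT_ID))                  # wrong-audience
    print(check_access_token("opaque-token-0123", CLIENT_ID))  # opaque
```

Run it against a real access token captured from your IdP's token response: "wrong-audience" means the fix belongs in the IdP's client or API configuration, and "opaque" means oidc.accesstoken.decode cannot work with that provider's access tokens.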

oidc.app.start.mode

Controls how the service redirects the browser to start the initial Genero application after the SSO handshake has granted access. See Configure application starting mode.

Values:

  • gnonce

    Uses a once-off gnonce value sent by the client to establish identity. Preferred when multiple browser tabs may be opened in quick succession.

  • cookie

    Uses a cookie sent by the client to verify identity before starting the app.

Default: gnonce

oidc.authenticate.redirect

Specifies the redirect method used to send the authentication request when an HTTP 302 redirect is not suitable for the IdP or user agent. See Configure OAuth redirect with automatic form submit.

Values:

  • 302

    Performs a standard HTTP 302 redirect.

  • GET

    Performs an automatic HTML form submit using the GET method.

  • POST

    Performs an automatic HTML form submit using the POST method.

Default: 302
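The three redirect methods side by side, as an added Python example that is not the service's own code: one function produces either the HTTP 302 response or the auto-submitting HTML form for GET or POST. The authorization endpoint, redirect URI and parameter values are constructed. The point worth checking in any auto-submit form is that every parameter value is HTML-escaped before it is placed in an attribute, since the values end up inside the page's markup.

```python
import html
from typing import Dict, Tuple
from urllib.parse import urlencode

# Constructed values for the example (assumed, not a real IdP or client).
AUTHZ_ENDPOINT = "https://idp.example.com/authorize"
PARAMS = {
    "response_type": "code",
    "client_id": "genero-app-client",
    "redirect_uri": "https://app.example.com/oidc/callback",  # assumed callback path
    "scope": "openid profile",
    "state": "k7Qm2x",  # constructed; in practice a fresh unguessable value per login
    "nonce": "a9Zp4w",  # constructed, same remark
}


def authenticate_redirect(mode: str, endpoint: str,
                          params: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Build the HTTP response that sends the browser to the IdP.

    Returns (status, headers, body) for each oidc.authenticate.redirect value:
    '302' sends a Location header, 'GET'/'POST' send a self-submitting form.
    """
    if mode == "302":
        return 302, {"Location": f"{endpoint}?{urlencode(params)}"}, ""
    if mode in ("GET", "POST"):
        # Every name and value is HTML-escaped (including quotes): a value such as
        # state or redirect_uri containing '"' or '<' must not be able to break
        # out of the attribute and inject markup into the page.
        fields = "\n".join(
            f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
            f'value="{html.escape(v, quote=True)}">'
            for k, v in params.items()
        )
        body = (
            '<!DOCTYPE html><html><body onload="document.forms[0].submit()">\n'
            f'  <form method="{mode}" action="{html.escape(endpoint, quote=True)}">\n'
            f"{fields}\n"
            '    <noscript><input type="submit" value="Continue"></noscript>\n'
            "  </form>\n</body></html>\n"
        )
        return 200, {"Content-Type": "text/html; charset=utf-8"}, body
    raise ValueError(f"unknown oidc.authenticate.redirect value: {mode}")


if __name__ == "__main__":
    for mode in ("302", "GET", "POST"):
        status, headers, body = authenticate_redirect(mode, AUTHZ_ENDPOINT, PARAMS)
        print(mode, status, headers)
        print(body)
```

The noscript submit button keeps the GET and POST variants usable for a user agent without JavaScript, which is one of the situations where a plain 302 might have been preferred in the first place.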

oidc.client.check

Controls how the OpenIDConnect service verifies that all requests for the same SSO workflow come from the same client IP address. See Configure management of client remote IP address.

Values:

  • Remote-Addr

    The service uses the REMOTE_ADDR variable set by the web server to verify if different requests come from the same client.

    Note:

    In a cloud or reverse proxy environment, this option may not be valid, as requests may be routed from several different proxies.

  • X-Forwarded-For

    The service uses the X-Forwarded-For header to determine the originating client IP. Select this option if your network uses reverse proxies or a cloud load balancer that sets this header.

    Note:

    X-Forwarded-For is supplied by whoever sends the request, so it is only trustworthy when a reverse proxy you control sets or appends to it on every request. Make sure clients cannot reach the web server directly, bypassing the proxy, as a client that reaches it directly can forge the header.

  • Remove or comment out oidc.client.check to disable IP checking. Do this only if neither option fits your network, as it removes the binding between the requests of one SSO workflow.

Default: Remote-Addr
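How the two oidc.client.check values behave behind a reverse proxy pool, and why X-Forwarded-For needs a list of trusted proxies to be safe, as an added Python example. This is not the service's implementation; the proxy ranges and the CGI-style request environments are constructed for the demonstration.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed example topology: the reverse proxies that sit in front of the
# web server. Replace with the real proxy addresses of your deployment.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.10/32"),
]


def client_ip_remote_addr(env: Dict[str, str]) -> str:
    """oidc.client.check = Remote-Addr: the peer address the web server saw."""
    return env["REMOTE_ADDR"]


def client_ip_forwarded_for(env: Dict[str, str], trusted: Iterable) -> Optional[str]:
    """oidc.client.check = X-Forwarded-For: the originating client behind the proxies.

    X-Forwarded-For reads "client, proxy1, proxy2": each proxy appends the peer
    it saw. Walking the chain from the right and skipping known proxies yields
    the first hop that no proxy we trust vouched for. Everything to its left is
    text the client could have sent itself and must not be used as its identity.
    """
    header = env.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in header.split(",") if h.strip()]
    chain = hops + [env["REMOTE_ADDR"]]  # rightmost is the direct peer
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: refuse rather than guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return chain[0]  # whole chain is trusted proxies: report the leftmost


def same_client(first: Dict[str, str], second: Dict[str, str],
                mode: Optional[str], trusted: Iterable = TRUSTED_PROXIES) -> bool:
    """Apply the configured check to two requests of one SSO workflow.

    mode None models a commented-out oidc.client.check entry (no IP binding).
    """
    if mode is None:
        return True
    if mode == "Remote-Addr":
        return client_ip_remote_addr(first) == client_ip_remote_addr(second)
    if mode == "X-Forwarded-For":
        a = client_ip_forwarded_for(first, trusted)
        b = client_ip_forwarded_for(second, trusted)
        return a is not None and a == b
    raise ValueError(f"unknown oidc.client.check value: {mode}")


if __name__ == "__main__":
    # Constructed environments: the same browser, two requests of one SSO
    # workflow that entered through different proxies of the pool.
    req1 = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
    req2 = {"REMOTE_ADDR": "10.0.0.6", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
    print(same_client(req1, req2, "Remote-Addr"))      # False: the proxy IPs differ
    print(same_client(req1, req2, "X-Forwarded-For"))  # True: same originating client
    # A client that prepends a fake hop does not change the result ...
    spoof = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "198.51.100.99, 203.0.113.7"}
    print(client_ip_forwarded_for(spoof, TRUSTED_PROXIES))  # 203.0.113.7
    # ... and a client that bypasses the proxies is identified by its own address.
    direct = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "1.2.3.4"}
    print(client_ip_forwarded_for(direct, TRUSTED_PROXIES))  # 203.0.113.7
```

The Remote-Addr result for the two proxied requests is the false rejection the Note above warns about; the X-Forwarded-For result is only safe because the trusted-proxy list stops the walk at the right hop instead of taking the leftmost value blindly.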

oidc.logout.default.end_url

Specifies the default URL where the OpenIDConnectServiceProvider redirects the browser after logout.

Default: /demos.html

oidc.logout.identifier

Specifies the request parameter the service sends to the OpenID Connect provider to identify the user (or the application) in a logout request. For an example of use, see Configure SSO logout from AWS Cognito.

The value depends on the requirements of your Identity Provider (IdP). Check your IdP documentation to determine which parameter is needed.

Values:

  • id_token_hint

    Uses the ID token to identify the user. This is the default and is required by most providers.

  • client_id

    Uses the application's client_id as the logout identifier. Some providers (like AWS Cognito) require this value.

Default: id_token_hint

oidc.logout.post_redirect

Defines the logout parameter that provides the redirect URL to the Identity Provider. The required parameter depends on your IdP, so refer to the provider’s documentation to determine the correct value.

Values:

  • post_logout_redirect_uri

    Uses the standard OpenID Connect logout parameter. This is the default and is required by most providers.

  • Provider-specific parameter names (depending on the IdP's logout endpoint requirements). Some IdPs require a different attribute; the AWS Cognito logout endpoint, for example, takes the redirect URL in logout_uri.

Default: post_logout_redirect_uri

oidc.oauth.request.format

Defines the encoding of the request body the service sends to the token endpoint when it exchanges the authorization code for the ID token. Applies only if the IdP uses plain OAuth2 and requires that request to be sent as JSON. See Set exchange format for OAuth ID token.

Values:

  • url-encoded

    The token request body is sent as application/x-www-form-urlencoded.

  • json

    The token request body is sent as application/json.

If the IdP uses the OpenID Connect protocol rather than plain OAuth2, this entry is ignored: url-encoded is always used, as the OpenID Connect specification requires for the token request.

Default: url-encoded