OpenID provider configuration

Configure the public keys for the provider

OPs sign ID tokens so that clients can ensure their authenticity. Identity Cloud exposes the URI where clients can check the signing public keys to verify the ID token signatures.

Enable the OIDC Provider Discovery endpoint

The discovery endpoint is enabled by default. Enable the endpoint if your clients need to discover the URL of the OP for a given user.

OIDC discovery

Configure pairwise subject types for dynamic registration

To provide different values to the sub claim in the ID token for different clients (refer to Subject Identifier Types), make sure that the Subject Types supported property on the Core tab of the OAuth 2.0 provider configuration includes pairwise. This is the default.

N/A

Specify whether Identity Cloud should return scope-derived claims in the ID token

Scope-derived claims, such as those returned when requesting the profile scope, are not returned in the ID token by default.

Claims

Configure how Identity Cloud maps scopes to claims and user profile attributes

Use scripts to map user profile attributes to claims and scopes.

Claims

OpenID Connect 1.0 claims

Configure the OP for dynamic application registration and management

Identity Cloud supports several methods of dynamic application registration.

You can also register applications manually.

Dynamic client registration

Add authentication requirements to ID tokens

Require end users to satisfy specific authentication rules or conditions when authenticating to the OP, such as using a specific authentication journey.

Authentication requirements

Configure Identity Cloud for GSMA Mobile Connect

Configure the OAuth 2.0 authorization server to act as a Mobile Connect provider.

Configure Mobile Connect

Configure the OP to encrypt ID tokens and logout tokens

By default, ID tokens and backchannel logout tokens are signed. If these tokens carry sensitive information about your end users, consider encrypting them.