Understanding Argus OpenID Provider integration
Using an external OpenID provider for authentication is done by defining the provider in Argus with:
- A provider_uri, which the user is redirected to when authentication is needed
- An OAuth client_id, used to identify Argus as the authorizing application
- An X.509 certificate or JWKS file from the provider, which is used to verify the ID-tokens issued by the provider
Once a provider is defined, users may log in to Argus using either the OpenID Authorization Code Flow or the Implicit Flow.
Authorization Code Flow:
- Argus will redirect the user to the configured provider's login page, with a callback URI back to Argus
- Once authenticated, the user will be redirected back to Argus with an Authorization Code
- Argus will contact the "token" endpoint of the ID provider to resolve the Authorization Code and fetch an ID-token
- Argus will decode and validate the ID-token using the provider's certificate, and identify the user account from the claims in the ID-token
- Optional: If enabled in the configuration, Argus may create a new user based on the claims in the ID-token. See "Automatic user mapping" below.
- If successfully validated, Argus will initiate a session for the corresponding Argus user
Implicit Flow:
- Argus will redirect the user to the configured provider's login page, with a callback URI back to Argus
- Once authenticated, the user will be redirected back to Argus with an OpenID ID-token
- Argus will decode and validate the token using the provider's certificate, and identify the user account from the claims in the ID-token
- Optional: If enabled in the configuration, Argus may create a new user based on the claims in the ID-token. See "Automatic user mapping" below.
- If successfully validated, Argus will initiate a session for the corresponding Argus user
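The two flows above differ only in how the ID-token reaches Argus; the validation of the token and the mapping of its claims to a user are the same. The following is an added example, not code from Argus or from any provider, that walks through the relying-party side of the Authorization Code Flow with an in-process stand-in for the identity provider: the redirect to the login page, the callback carrying the code, the back-channel call to the "token" endpoint, ID-token validation and user mapping from the claims. It goes slightly beyond the page in checking the standard OpenID Connect `state` and `nonce` values, which bind the callback and the ID-token to the login that started them. All URLs, the client_id and the signing key are constructed placeholders; the provider stand-in signs with HS256 and a shared secret so the example runs offline, whereas a real provider signs with RS256 and the signature is checked against its X.509 certificate or JWKS.

```python
"""Relying-party side of the OpenID Connect Authorization Code Flow.

Added stand-alone example with an in-process stand-in for the identity
provider.  Tokens are HS256-signed with a constructed secret so it runs
offline; real ID-tokens are RS256-signed and verified against the
provider's X.509 certificate or JWKS instead.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration: placeholders, not real Argus or provider values.
PROVIDER_URI = "https://idp.example.test/authorize"
ISSUER = "https://idp.example.test"
CLIENT_ID = "argus-example-client"
REDIRECT_URI = "https://argus.example.test/oidc/callback"
PROVIDER_KEY = b"constructed-demo-signing-key"  # stand-in for the provider's certificate


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class DemoProvider:
    """Stand-in identity provider: login page plus back-channel token endpoint."""

    def __init__(self) -> None:
        self.codes: Dict[str, Tuple[str, str]] = {}  # code -> (subject, nonce)

    def authenticate(self, auth_url: str, subject: str) -> str:
        """The user logs in at the provider; returns the callback redirect URL."""
        q = parse_qs(urlparse(auth_url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (subject, q["nonce"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, code: str, client_id: str) -> dict:
        """Token endpoint: resolves a one-time authorization code into an ID-token."""
        subject, nonce = self.codes.pop(code)
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": subject, "aud": client_id, "nonce": nonce,
                  "iat": now, "exp": now + 300, "email": f"{subject}@example.test"}
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64url(json.dumps(claims).encode())
        sig = hmac.new(PROVIDER_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return {"id_token": f"{header}.{body}.{b64url(sig)}"}


def build_auth_request() -> Tuple[str, dict]:
    """Step 1: the redirect URL, plus the per-login state/nonce kept in the session."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email", "state": session["state"], "nonce": session["nonce"]}
    return PROVIDER_URI + "?" + urlencode(params), session


def validate_id_token(token: str, session: dict, now: Optional[int] = None) -> dict:
    """Step 4: verify signature and claims; returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(PROVIDER_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: token not issued for this login")
    return claims


def handle_callback(callback_url: str, session: dict, provider: DemoProvider) -> dict:
    """Steps 2-5: check state, exchange the code, validate the ID-token, map the user."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this login")
    token_response = provider.token(q["code"][0], CLIENT_ID)  # back-channel call
    claims = validate_id_token(token_response["id_token"], session)
    return {"username": claims["sub"], "email": claims.get("email")}


def run_login(subject: str = "alice") -> dict:
    """Whole flow for one user against a fresh stand-in provider."""
    provider = DemoProvider()
    auth_url, session = build_auth_request()
    callback = provider.authenticate(auth_url, subject)
    return handle_callback(callback, session, provider)


if __name__ == "__main__":
    print(run_login())
```

For the Implicit Flow the ID-token arrives in the callback fragment instead of via the token endpoint, and the same `validate_id_token` check applies to it; the `state` and `nonce` checks are what stop a callback or token from one login being replayed into another session.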
Note
The difference between these flows is that for the Authorization Code Flow, Argus requires direct access to the ID provider's "token" endpoint.
This is more secure, but may require a firewall opening for a non-public ID provider.