Step 1 - Save the client credentials
When you create an OIDC app, Iru generates a client ID and client secret. The secret is shown only once, so copy both into a secure place before closing the dialog. The app’s Protocol details also list the endpoints the service needs to talk to Iru:| Detail | What it is |
|---|---|
| Client ID | The app’s public identifier. |
| Well-Known URL | The OpenID discovery document; many services configure everything from this one URL. |
| Token Endpoint | Where the service exchanges an authorization code for tokens. |
| User Info Endpoint | Where the service reads profile claims for the signed-in person. |
Step 2 - Set redirect URIs
In the app’s draft, under the OIDC settings, add the URIs Iru is allowed to redirect to:Allowed sign-in redirect URIs
Where Iru returns the person after a successful sign-on. Add every URL the
service uses.
Redirect URIs must match exactly. There is an option to allow wildcards in
redirect URIs - leave it off unless the service specifically requires it, since
exact matching is safer.
Step 3 - Choose scopes
Scopes control which categories of claims the service may request. Iru offers the standard OpenID Connect scopes:| Scope | Grants access to |
|---|---|
OpenID (openid) | Required for OpenID Connect; always included. |
Profile (profile) | Basic profile claims. |
Email (email) | The person’s email. |
Address (address) | The person’s address. |
Phone (phone) | The person’s phone number. |
Offline access (offline_access) | A refresh token, so the service can stay signed in without re-prompting. |
Step 4 - Map the subject and claims
Open the application’s mapping. The mapping has a Subject plus any additional claims.Subject
The subject is the primary identifier for the signed-in person, sent as thesub claim. For an OIDC app, the default subject is mapped from the user’s
user.id. You can change the value it draws from and associate it with a scope.
Claims
Add any extra claims the service expects in the ID token. For each one you set:- A Name - the claim name.
- A value - the profile attribute or expression it draws from.
- A scope - the scope the claim belongs to.
- Whether it is enabled.
Step 5 - Rotate the client secret
The client secret can be rotated without re-creating the app, from the app’s Protocol details → Client secrets.Rotate
Rotate
Rotate issues a new client secret while the previous one keeps working for
24 hours, so you can update the service before the old secret stops. During
that window the previous secret is listed with an Expires Soon badge; a
newly issued secret is long-lived.
Invalidate
Invalidate
Invalidate ends the current secret immediately, with no grace period. Use
it if a secret may have been exposed, then update the service right away.
Iru manages the signing keys it uses to sign ID tokens and publishes them at the
discovery and keys endpoints, so services validate tokens automatically - there
is nothing to rotate by hand.
Step 6 - Publish, assign, and activate
Assign access
Assign the users or groups who should have the app. See
Assigning access.
Authentication flow
An OIDC app signs people in with the authorization code flow:Authenticate and evaluate policy
Iru authenticates the person and evaluates the app’s
authentication policy.
Return an authorization code
Iru redirects back to the app’s redirect URI with a short-lived
authorization code.
Exchange the code for tokens
The app exchanges the code at Iru’s token endpoint for an ID token (who
the person is) and an access token.
Where to go next
Assigning access
Grant the app to users and groups.
Provisioning
Create and remove accounts in the app automatically as access changes.
Authentication policies
Decide who can sign in and what they must prove.
Applications overview
Review protocols and the draft-to-current version model.