Decentralized Authentication with OpenID Connect (OIDC) in WeCare Resolve

This article describes the implementation of decentralized authentication with the OpenID Connect (OIDC) protocol in WeCare Resolve.

Benefits of OpenID Connect

  • Reduction of sensitive login credentials (data minimization): When using OIDC, WeCare Resolve does not store passwords or cryptographic password hashes. The responsibility for securely verifying identity and enforcing security policies (such as multi-factor authentication or password rotation) lies entirely with the chosen identity provider (IdP). This reduces the application’s attack surface: if the application database is compromised, there are no credentials to steal.

  • Lower barriers to registration: When using SSO, users access WeCare Resolve with their already existing organizational accounts. Since no credentials need to be created, the registration process is significantly simplified.

OpenID and Identity Providers (IdP)

When the optional OIDC feature is enabled, WeCare Resolve can delegate authentication to an external Identity Provider (IdP). An IdP is an independent service (e.g., a company’s Active Directory, an eID system, or an established single sign-on provider) responsible for managing users’ identities.

The OIDC login flow works as follows:

  1. Users select the option “Sign in with Identity Provider” on the WeCare Resolve login page.

  2. The application redirects the users to the configured IdP.

  3. The IdP authenticates the users using its own security protocols (MFA, etc.).

  4. After successful authentication, the IdP sends an identity token back to WeCare Resolve, which then grants the user access to the application.

How to Configure OpenID Connect in WeCare Resolve

Prerequisites

  • An identity provider that supports OpenID Connect

  • The Client ID and Issuer URL provided by the IdP

  • A Client Secret, if the identity provider does not support FAPI 2.0

Step-by-Step Configuration

  1. Log in to the management interface. Navigate to Settings > Login.

  2. Enable the option OpenID Connect (OIDC).

  3. Enter IdP Credentials:

  • Issuer: Enter the URL of the OIDC issuer.

  • Client ID: Enter the client ID generated by the IdP.

  • When using OIDC with a client secret (identity provider without FAPI 2.0 support):

    • Secret Client Key: Enter the securely generated client secret.

  • Display Name: Enter the name for this IdP to be displayed to users on the login page.

  4. Save the settings.

  5. Configure the client in the Identity Provider (IdP)

For WeCare Resolve and your IdP to communicate, the following parameters must be stored for the client in the IdP:

  • Redirect URL (Callback): Store the URL of your instance in the field for allowed redirect URLs. Replace the placeholder <...> with the actual domain and path of the WeCare Resolve instance:

https://<wecare-resolve-domain-path>/oidc/callback

  • Scopes: Ensure that the client has access to the configured scopes (default: openid, profile, and email).

  • Authentication Method: When authenticating with a client secret, WeCare Resolve uses HTTP Basic authentication. If you are using FAPI 2.0, ensure that your identity provider supports the signing algorithm (ES256 or PS256).
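As an added example (not code from WeCare Resolve or its documentation), the relying-party side of the login flow described above, with the values this article asks for: the Issuer URL, Client ID, the /oidc/callback redirect URL, the default scopes, and HTTP Basic client authentication when a client secret is used. The issuer, client ID, secret and domain are constructed placeholders, the /authorize path is an assumption (a real client takes it from the IdP's discovery document), and ID-token signature verification is left out; the claim checks are what must follow it.

```python
import base64
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Constructed values for a hypothetical WeCare Resolve instance; not real endpoints.
ISSUER = "https://idp.example.org"                          # Issuer URL from the IdP
CLIENT_ID = "wecare-resolve"                                # Client ID generated by the IdP
CLIENT_SECRET = "s3cret"                                    # only if the IdP lacks FAPI 2.0
REDIRECT_URI = "https://resolve.example.org/oidc/callback"  # must be registered at the IdP
SCOPES = "openid profile email"                             # the article's default scopes

def build_authorization_request(state, nonce):
    """Step 2: the URL the browser is redirected to. The /authorize path is an
    assumption; a real client reads it from the IdP's discovery document."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": SCOPES,
              "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(params)}"

def basic_auth_header(client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Client authentication with a secret: HTTP Basic (client_secret_basic),
    both values form-urlencoded first as RFC 6749 section 2.3.1 requires."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()

def callback_code(callback_url, expected_state):
    """Step 4: accept the authorization code only if the IdP echoed back the
    state this login started with; anything else is rejected (None)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q or q.get("state") != [expected_state] or "code" not in q:
        return None
    return q["code"][0]

def id_token_problems(claims, expected_nonce, now):
    """Claim checks to make on the ID token after verifying its signature
    against the IdP's published keys (ES256/PS256 under FAPI 2.0).
    Returns an empty list when the token is acceptable for this client."""
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    if CLIENT_ID not in aud:
        problems.append("token not issued for this client")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (replayed or from another login)")
    return problems
```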