Configuring OpenID Connect (OIDC)
AMT uses Microsoft Entra ID as the OIDC provider by default. This page explains how to configure AMT applications to use OpenID Connect (OIDC) authentication.
Each AMT application consists of a front end and a business logic end. In OAuth terms, the front ends are relying parties and the business logic ends are resource servers. Each of these applications must be registered with the OpenID Connect identity provider.
Access to the Control Center
Authentication
- Find the authentication section in the cc-config.yaml file.
- The server needs to be configured with the same ID used by the identity provider. Configure the following settings:
  - issuerURL: The URL of the OpenID Connect authentication provider.
  - clientID: The ID used for authentication on the OIDC server.

```yaml
authentication:
  type: OIDC
  clients:
    rest:
      settings:
        issuerURL: https://login.microsoftonline.com/<Server ID Key>/v2.0
        clientID: <Client ID Key>
```
- Save the file.
OpenID Connect Configuration
Configure the following settings for the client:
- Navigate to the following folder: ..\<AMT Environment>\Binaries\control-center\frontend\assets.
- Open the oidcconfig.json file in a text editor.
- Configure the following settings:
  - "issuer": The URL of the OIDC authentication provider.
  - "clientId": The ID used for authentication on the OIDC server.

```json
{
  "AuthenticationConfig": {
    "issuer": "https://login.microsoftonline.com/<ID key>/v2.0",
    "redirectUri": "http://localhost:4200/control-center",
    "clientId": "<ID key>",
    "scope": "openid profile api://<id>/DefaultApi offline_access",
    "responseType": "code",
    "claimUserName": "preferred_username",
    "tokenRefreshThreshold": 15,
    "loginButtonLogo": "assets/image/<image>.png"
  }
}
```
- Save the file.
Business Logic (Resource Servers)
The backend (REST / WebAPI) endpoints validate the tokens presented by the front ends before creating a session. Ensure the token validation settings use the same claim for user identification as the front end configuration files.
- In cc-config.yaml, verify that the claimUserName setting matches the claim used by the front end (oidcconfig.json).
- Ensure scopes and audiences align: the scope values configured in oidcconfig.json should request access that allows calls to the intended resource servers. Separate scopes for each application are advised.
- If role claims are used (claimUserRoles set to OAUTH), configure claimRolesKey and roleMapping accordingly so that token validation maps external roles to AMT roles.
Additional OIDC Information
See the pages below for topics related to OIDC:
OIDC settings are configured in the following files:
