19 Configuring the WebLogic OpenID Connect Provider

The WebLogic OpenID Connect provider is an authentication and identity assertion provider that facilitates access to web applications from users and groups stored in external authorization servers that adhere to the OpenID Connect and OAuth 2.0 standards.

About the WebLogic OpenID Connect Provider

The WebLogic OpenID Connect provider combines authentication and identity assertion into a single provider. The provider establishes identity (the Subject) on WebLogic Server with the authenticated user and the user's groups when the identity store is a supported OpenID provider.

The WebLogic OpenID Connect provider consumes ID tokens for authenticating to applications and uses them to establish authenticated subjects.

Note:

It is important to distinguish OpenID providers from the WebLogic OpenID Connect provider. OpenID providers are external authorization servers that adhere to OAuth 2.0 and OpenID Connect standards and provide authentication as a service. The WebLogic OpenID Connect provider is a WebLogic security provider, a module that integrates with the security realm to add support for authentication and identity assertion services.

The WebLogic OpenID Connect provider is controlled by OIDCIdentityAsserterMBean and includes the following configuration attributes:

  • ClockScrew
  • KeyCacheSize
  • KeyCacheTTL
  • RequestCacheSize
  • RequestCacheTTL
  • UserIDTokenClaim
  • UserNameTokenClaim
  • VirtualUserAllowed

For information on these attributes, see OIDCIdentityAsserterMBean in MBean Reference for Oracle WebLogic Server.

The WebLogic OpenID Connect provider currently supports the following OpenID providers:

  • Keycloak

  • Microsoft Azure

Configure the WebLogic OpenID Connect Identity Assertion Provider in WebLogic Remote Console

The WebLogic OpenID Connect provider is an authentication and identity assertion provider that delegates authentication services for web applications to OpenID providers.

  1. In WebLogic Remote Console, expand the Edit Tree and go to Security, then Realms, then myRealm, then Authentication Providers.
  2. Click New.
  3. Enter a name for the new provider in the Name field.
  4. From the Type drop-down list, select the WebLogic OpenID Connect Identity Asserter provider.
  5. Click Create.
  6. On the Common tab, update any attributes applicable to your environment and click Save.
  7. On the OIDC Identity Asserter Parameters tab, update any attributes applicable to your environment.
  8. Click Save.
  9. If you are using the Default Authenticator provider (WebLogic Authentication provider), then you must set the JAAS Control Flag option on the Default Authenticator to SUFFICIENT. See Set the JAAS Control Flag in Oracle WebLogic Remote Console Online Help.
    For a description of the JAAS control flag and how multiple authentication providers interact in a domain, see Setting the JAAS Control Flag Option and Using More Than One Authentication Provider.

You must perform some additional configuration in web applications before they can use OpenID providers for authentication. See Preparing Web Applications for the WebLogic OpenID Connect Provider.

Preparing Web Applications for the WebLogic OpenID Connect Provider

Before you can use the WebLogic OpenID Connect provider to delegate authentication of web applications to an OpenID provider, you must create an OAuth client in the OpenID provider and then include certain client attributes in the web application.

You must create an oidcAuth.properties file that contains the configuration information that WebLogic Server uses to determine which OpenID provider is responsible for providing authenticating services for the application.

  1. In the WEB-INF/ directory of the web application, create a new file and save it as oidcAuth.properties.
  2. Retrieve the following configuration attributes from the OAuth client in the OpenID provider and add them to oidcAuth.properties in the following format:
    issuer=issuer identifier
    clientId=client ID
    clientSecret=client secret
    redirectUrl=redirect URL

    For example:

    issuer=https://example.com:8443/realms/dev
    clientId=devclient
    clientSecret=57gw6LVlkWUTWDmbksiwH96ihFgpbF6d8
    redirectUrl=https://organization.com:7002/devapp/go
  3. Save your changes.
  4. Continue with your application development and deployment process.
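
A pre-packaging check for oidcAuth.properties, added here as an example and not part of Oracle's documentation or of WebLogic itself: it parses the key=value lines, reports any of the four required keys that are missing, flags template placeholders that were never filled in, and rejects issuer and redirectUrl values that are not well-formed https URLs. It assumes WebLogic reads the file as ordinary Java-style properties (comments start with # or !).

```python
"""Validate a WEB-INF/oidcAuth.properties file before the application is packaged."""
from urllib.parse import urlsplit

REQUIRED_KEYS = ("issuer", "clientId", "clientSecret", "redirectUrl")

# Constructed sample: a copy of the documented example with two defects
# (a stray ':' after the port and an unfilled "client secret" placeholder).
SAMPLE = """# oidcAuth.properties (constructed sample)
issuer=https://example.com:8443:/realms/dev
clientId=devclient
clientSecret=client secret
redirectUrl=https://organization.com:7002/devapp/go
"""

def parse_properties(text):
    """Parse key=value lines; blank lines and #/! comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:  # lines without '=' are ignored; a missing key is reported below
            props[key.strip()] = value.strip()
    return props

def validate(props):
    """Return a list of problems; an empty list means the file is usable."""
    problems = []
    for key in REQUIRED_KEYS:
        value = props.get(key)
        if not value:
            problems.append(f"missing or empty '{key}'")
        elif " " in value:  # heuristic: the template placeholders all contain spaces
            problems.append(f"'{key}' looks like an unfilled placeholder: {value}")
    for key in ("issuer", "redirectUrl"):
        value = props.get(key)
        if not value:
            continue
        parts = urlsplit(value)
        try:
            parts.port  # raises ValueError for a malformed host:port such as '8443:'
        except ValueError:
            problems.append(f"'{key}' has a malformed host:port: {value}")
            continue
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"'{key}' must be an absolute https URL: {value}")
    return problems

if __name__ == "__main__":
    for problem in validate(parse_properties(SAMPLE)) or ["oidcAuth.properties OK"]:
        print(problem)
```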

Note:

Whenever you make any changes to oidcAuth.properties, you must repackage your application and re-deploy it to implement those changes.