---
title: OpenID Connect node (deprecated)
description: Not supported in Advanced Identity Cloud
component: auth-node-ref
version: latest
page_id: auth-node-ref:am-only:oidc
canonical_url: https://docs.pingidentity.com/auth-node-ref/latest/am-only/oidc.html
keywords: ["Nodes & Trees", "Journeys", "Authentication", "OpenID Connect (OIDC)", "OAuth 2.0", "Social Authentication", "Authorization", "Account"]
page_aliases: ["auth-node-oidc.adoc"]
superseded_by: https://docs.pingidentity.com/auth-node-ref/latest/am-only/oidc.html
section_ids:
  availability: Availability
  outcomes: Outcomes
  configuration: Configuration
---

# OpenID Connect node (deprecated)

Not supported in Advanced Identity Cloud

Lets AM authenticate users of OpenID Connect-compliant resource servers.

OpenID Connect is an identity layer on top of OAuth 2.0, which is described in RFC 6749, [The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/info/rfc6749). OpenID Connect itself is described in the [OpenID Connect Core 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-core-1_0.html) specification.

> **Note:** This node and its related services are deprecated. Find information on the current methods for implementing social authentication in [PingGateway](https://docs.pingidentity.com/pinggateway/2026/gateway-guide/preface.html).

The OpenID Connect node implements the [Authorization code grant](https://docs.pingidentity.com/pingam/8.1/am-oauth2/oauth2-authz-grant.html).

## Availability

| Product                               | Available? |
| ------------------------------------- | ---------- |
| PingOne Advanced Identity Cloud       | No         |
| PingAM (self-managed)                 | Yes        |
| Ping Identity Platform (self-managed) | No         |

## Outcomes

* `Account Exists`

* `No account exists`

Evaluation continues along the `Account Exists` path if an account matching the attributes retrieved from the OpenID Connect identity provider is found in the identity store; otherwise, evaluation continues along the `No account exists` path.

## Configuration

* **Client ID** *(required)*

  Specifies the `client_id` parameter as described in [section 2.2 of The OAuth 2.0 Authorization Framework (RFC 6749)](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2).

* **Client Secret** *(required)*

  Specifies the `client_secret` parameter as described in [section 2.3 of The OAuth 2.0 Authorization Framework (RFC 6749)](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3).

* **Authentication Endpoint URL** *(required)*

  Specifies the URL of the social provider's endpoint that handles authentication, as described in [section 3.1 of The OAuth 2.0 Authorization Framework (RFC 6749)](https://www.rfc-editor.org/info/rfc6749#section-3.1).

  Example: `https://accounts.google.com/o/oauth2/v2/auth`

* **Access Token Endpoint URL** *(required)*

  Specifies the URL of the endpoint that issues access tokens, as described in [section 3.2 of The OAuth 2.0 Authorization Framework (RFC 6749)](https://www.rfc-editor.org/rfc/rfc6749.html#section-3.2).

  Example: `https://www.googleapis.com/oauth2/v4/token`

* **User Profile Service URL** *(required)*

  Specifies the user profile URL that returns profile information. If not specified, attributes are mapped from the claims in the `id_token`, and no call to a user profile endpoint is made.

  Example: `https://www.googleapis.com/oauth2/v3/userinfo`

* **OAuth Scope**

  Specifies a list of user profile attributes that the client application requires, according to [The OAuth 2.0 Authorization Framework (RFC 6749)](https://www.rfc-editor.org/info/rfc6749). Use the scope delimiter the identity provider requires, such as a comma or a space. The list depends on the permissions that the resource owner, such as the end user, grants to the client application.

* **Redirect URL**

  Specifies the URL the social identity provider redirects the user to after authentication. For authentication trees in AM, set this property to the URL of the UI; for example, `https://am.example.com:8443/am/XUI/`.

* **Social Provider** *(required)*

  Specifies the name of the OpenID Connect provider for which this node is being set up.

  Example: `Google`

* **Auth ID Key**

  Specifies the attribute the social identity provider uses to identify an authenticated individual.

  Example: `sub`

* **Use Basic Auth**

  Specifies that the client uses HTTP Basic authentication when authenticating to the social provider.

  Default: `true`

* **Account Provider**

  Specifies the name of the class that implements the account provider.

  Default: `org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider`

* **Account Mapper**

  Specifies the name of the class that implements the method of locating local accounts based on the attributes returned from the social identity provider. The provided implementation is `org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper`.

  The Account Mapper classes can take two constructor parameters:

  1. A comma-separated list of attributes
  2. A prefix to apply to their values

  For example, to prefix all received property values with `openid-` before searching, specify:

  ```
  org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper|*|openid-
  ```

* **Attribute Mapper**

  Specifies the list of fully qualified class names for implementations that map attributes from the authorization server to AM profile attributes. The provided implementation is `org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper`.

  The Attribute Mapper classes can take two constructor parameters to help differentiate between the providers:

  1. A comma-separated list of attributes
  2. A prefix to apply to their values

  For example, to prefix incoming `iplanet-am-user-alias-list` values with `openid-`, specify:

  ```
  org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper|iplanet-am-user-alias-list|openid-
  ```

  To prefix all incoming values, use an asterisk (`*`) as the attribute list. This prefixes all values, including email addresses, postal addresses, and so on.

* **Account Mapper Configuration**

  Specifies the attribute configuration used to map the account of the user authenticated in the provider to the local identity store in AM. To add a mapping, specify the name of the provider attribute as the key, and the local attribute to map to as the value.

  For example, click Add, then specify `sub` in the Key field and `iplanet-am-user-alias-list` in the Value field, and click the **+** icon.

* **Attribute Mapper Configuration**

  Specifies how to map provider user attributes to local user profile attributes. To add a mapping, specify the name of the provider attribute as the Key, and the local attribute to map to as the Value.

  For example, click Add, then specify `id` in the Key field and `facebook-id` in the Value field, and click the **+** icon.

  Examples:

  ```
  first_name=givenname
  last_name=sn
  name=cn
  email=mail
  id=facebook-id
  first_name=facebook-fname
  last_name=facebook-lname
  email=facebook-email
  ```

* **Save attributes in the session**

  When enabled, saves the attributes in the Attribute Mapper Configuration field to the AM session.

* **OAuth 2.0 Mix-Up Mitigation Enabled**

  Controls whether the authentication node carries out additional verification steps when it receives the authorization code from the authorization server.

  When enabled, the client must compare the issuer identifier of the authorization server, as registered, with the issuer value returned in the `iss` response parameter. If they do not match, the client must abort the authorization process. The client must also confirm that the authorization server's response is intended for it by comparing its own client identifier with the value of the `client_id` response parameter.

  When this is enabled, set the Token Issuer property so that the validation can succeed; the authorization code response contains an issuer value (`iss`) for the client to validate. Refer to the authorization server's documentation for the value it uses for the issuer field.

  Learn more in [section 4 of the OAuth 2.0 Mix-Up Mitigation draft](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mix-up-mitigation-01#section-4).

* **Token Issuer** *(required)*

  Corresponds to the expected issuer identifier value in the `iss` field of the ID token.

  Example: `https://accounts.google.com`

* **OpenID Connect Validation Type** *(required)*

  Specifies how to validate the ID token received from the OpenID Connect provider. This ignores keys specified in JWT headers, such as `jku` and `jwe`. The following options are available to validate an incoming OpenID Connect ID token:

  - `Well Known URL` (Default)

    Retrieves the provider's keys based on the information provided in its OpenID Connect configuration URL.

    Specify the provider's configuration URL in the OpenID Connect Validation Value field; for example, `https://accounts.google.com/.well-known/openid-configuration`.

  - `Client Secret`

    Validates the ID token signature with a specified client secret key.

    Specify the key to use in the OpenID Connect Validation Value field.

  - `JWK URL`

    Retrieves the necessary JSON Web Key from the URL that you specify.

    Specify the provider's JWK URI in the OpenID Connect Validation Value field; for example, `https://www.googleapis.com/oauth2/v3/certs`.

* **OpenID Connect Validation Value**

  Provide the URL or secret key used to verify an incoming ID token, depending on the value selected in the OpenID Connect Validation Type property.
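The Account Mapper, Attribute Mapper and their Configuration properties above describe a small mapping language: a `CLASS|ATTRIBUTE_LIST|PREFIX` mapper string (with `*` meaning every attribute) and `provider_attr=local_attr` entries. The following is an added example that models that documented behaviour so you can see what a given setting does to real claims; it is not AM's `JwtAttributeMapper`, and `MapperSpec`, `parse_mapper`, `parse_mapping_config`, `map_claims` and the sample claims are this example's own names and constructed data.

```python
"""Added illustration of the mapper settings documented for the OpenID Connect
node (not AM's JwtAttributeMapper). It models:
  * a mapper string CLASS|ATTRIBUTE_LIST|PREFIX, where the list names local
    attributes (comma-separated) or is `*` for all of them;
  * a mapping configuration of `provider_attr=local_attr` entries.
All names and the sample claims are this example's own (constructed)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

JWT_MAPPER = "org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper"

# Constructed sample: claims of the kind an OIDC provider returns in the id_token.
SAMPLE_CLAIMS = {
    "sub": "1234567890",
    "name": "Alice Example",
    "email": "alice@example.com",
}


@dataclass(frozen=True)
class MapperSpec:
    class_name: str
    attributes: Optional[Set[str]]  # None means '*': prefix every mapped value
    prefix: str = ""


def parse_mapper(spec: str) -> MapperSpec:
    """Parse 'CLASS', 'CLASS|attrs' or 'CLASS|attrs|prefix'."""
    parts = spec.split("|")
    class_name = parts[0].strip()
    if not class_name:
        raise ValueError("mapper class name is required")
    if len(parts) > 3:
        raise ValueError(f"too many '|' separated parts in {spec!r}")
    if len(parts) == 1:
        return MapperSpec(class_name, None, "")
    attr_list = parts[1].strip()
    prefix = parts[2] if len(parts) > 2 else ""
    if attr_list == "*":
        attrs: Optional[Set[str]] = None
    else:
        attrs = {a.strip() for a in attr_list.split(",") if a.strip()}
        if not attrs:
            raise ValueError(f"empty attribute list in {spec!r}")
    return MapperSpec(class_name, attrs, prefix)


def parse_mapping_config(entries: Iterable[str]) -> Dict[str, str]:
    """Parse 'provider_attr=local_attr' entries, as typed in the Key/Value fields."""
    mapping: Dict[str, str] = {}
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        key, sep, value = entry.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed mapping entry: {raw!r}")
        mapping[key.strip()] = value.strip()
    return mapping


def map_claims(claims: Dict[str, object], config: Dict[str, str],
               mapper: MapperSpec) -> Dict[str, str]:
    """Translate provider claims to local attributes, prefixing the values of the
    local attributes the mapper names (or all of them for '*')."""
    mapped: Dict[str, str] = {}
    for provider_attr, local_attr in config.items():
        if provider_attr not in claims:
            continue  # the provider did not return this claim; nothing to map
        value = str(claims[provider_attr])
        if mapper.attributes is None or local_attr in mapper.attributes:
            value = mapper.prefix + value
        mapped[local_attr] = value
    return mapped


if __name__ == "__main__":
    config = parse_mapping_config(["sub=iplanet-am-user-alias-list", "email=mail", "name=cn"])
    # Prefix only the alias, as in the Attribute Mapper example on this page.
    narrow = parse_mapper(JWT_MAPPER + "|iplanet-am-user-alias-list|openid-")
    print(map_claims(SAMPLE_CLAIMS, config, narrow))
    # '*' prefixes every mapped value, the e-mail address included.
    wide = parse_mapper(JWT_MAPPER + "|*|openid-")
    print(map_claims(SAMPLE_CLAIMS, config, wide))
```

Run it as a script to compare the two mapper strings side by side: the narrow form prefixes only `iplanet-am-user-alias-list`, while the `*` form also rewrites `mail` to `openid-alice@example.com`, which is the effect the page cautions about when choosing `*`.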
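Two of the properties above describe checks on what comes back from the provider: OAuth 2.0 Mix-Up Mitigation Enabled (compare the `iss` and `client_id` response parameters with the registered issuer and client id, abort on mismatch) and OpenID Connect Validation Type `Client Secret` (verify the ID token signature with the configured secret, ignoring key hints in the JWT header). The following added example shows both checks in working form; it is not AM's implementation, and `ProviderConfig`, `check_authorization_response`, `validate_id_token`, `make_demo_id_token`, the issuer `https://op.example.com`, the client id, the secret and the token are this example's own names and constructed values.

```python
"""Added example (not AM's code) of the two response checks documented above:
1. mix-up mitigation on the authorization response: `iss` must equal the
   registered issuer (Token Issuer) and `client_id` must be this client's id;
2. `Client Secret` validation of an HS256 ID token: the signature is checked
   with the configured secret only (header `jku`/`jwk` hints are ignored),
   then `iss`, `aud`/`azp` and `exp` are checked.
All names, URLs, secrets and tokens here are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class ProviderConfig:
    client_id: str
    client_secret: str
    token_issuer: str               # the node's Token Issuer property
    mix_up_mitigation: bool = True  # OAuth 2.0 Mix-Up Mitigation Enabled


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_authorization_response(redirect_uri: str, cfg: ProviderConfig) -> str:
    """Return the authorization code carried by the redirect, or raise ValueError."""
    params = parse_qs(urlsplit(redirect_uri).query)
    if "error" in params:
        raise ValueError(f"provider returned error {params['error'][0]!r}")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("authorization response carries no code")
    if cfg.mix_up_mitigation:
        if params.get("iss", [""])[0] != cfg.token_issuer:
            raise ValueError("iss does not match the registered issuer: aborting")
        if params.get("client_id", [""])[0] != cfg.client_id:
            raise ValueError("response is not intended for this client")
    return code


def validate_id_token(token: str, cfg: ProviderConfig,
                      now: Optional[float] = None) -> Dict[str, object]:
    """Verify an HS256 ID token with the client secret and return its claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Only the configured secret is trusted: `jku`/`jwk` in the header are ignored,
    # and any other alg (including "none") is rejected before the signature is read.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(cfg.client_secret.encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("ID token signature does not verify with the client secret")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != cfg.token_issuer:
        raise ValueError("iss claim does not match the Token Issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if cfg.client_id not in audiences:
        raise ValueError("aud claim does not include this client")
    if len(audiences) > 1 and claims.get("azp") != cfg.client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("ID token is missing exp or has expired")
    return claims


def make_demo_id_token(claims: Dict[str, object], secret: str,
                       header: Optional[Dict[str, object]] = None) -> str:
    """Build a constructed HS256 token standing in for what the provider would issue."""
    full_header = {"alg": "HS256", "typ": "JWT", **(header or {})}
    h = _b64url_encode(json.dumps(full_header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def rejects(fn: Callable[[], object]) -> bool:
    """True if fn() raises ValueError; used to show what the checks turn away."""
    try:
        fn()
    except ValueError:
        return True
    return False


# Constructed configuration and provider responses for the demo.
CFG = ProviderConfig("client-abc", "constructed-demo-secret", "https://op.example.com")
GOOD_REDIRECT = ("https://am.example.com:8443/am/XUI/?code=SplxlOBeZQQYbYS6WxSbIA"
                 "&state=af0ifjsldkj&iss=https://op.example.com&client_id=client-abc")
DEMO_CLAIMS = {"iss": "https://op.example.com", "sub": "1234567890", "aud": "client-abc",
               "iat": 1700000000, "exp": 1700000600}

if __name__ == "__main__":
    print("code:", check_authorization_response(GOOD_REDIRECT, CFG))
    token = make_demo_id_token(DEMO_CLAIMS, CFG.client_secret)
    print("claims:", validate_id_token(token, CFG, now=1700000100))
```

The `now` parameter exists so the expiry check is reproducible offline; in a real deployment it would be the current time. Note the order of the checks in `validate_id_token`: the algorithm is pinned and the signature verified before any claim is read, so an unsigned or foreign-key token never influences which issuer or audience is compared.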
