Generic OIDC provider
Outlines the steps to authenticate using a generic OIDC provider with Optimizely Graph.
Prerequisites
- You must use an OpenID Connect (OIDC) provider like Okta.
- A separate key to configure the OIDC endpoints. Contact Optimizely Support to request it.
Authorization flow
The following diagram shows the configuration of an OIDC provider in Optimizely:
JSON web token (JWT)
The JSON web token (JWT) must include specific claims such as roles
and preferred_username
for proper authentication and authorization.
The following is an example JWT. It establishes a secure connection between your application and Optimizely. It ensures that only authenticated users can access specific resources and perform actions based on their assigned roles and permissions.
{
"ver": 1,
"jti": "AT.NEjTGbsWFYlRSsCebzkOnYL8dg4vxMTa00oFnJHrYvU",
"iss": https://dev-69967914.okta.com/oauth2/default,
"aud": "api://default",
"iat": 1734541108,
"exp": 1734544708,
"cid": "0oalyh8sx9IofUzDA5d7",
"uid": "00yly5t8nrCK5D5hU5d7",
"scp": [
"opti_graph",
"openid"
],
"auth_time": 1000,
"sub": [email protected],
"roles": [
"Everyone"
],
"preferred_username": [email protected]
}
Configuration steps
To integrate an OIDC provider with Optimizely Graph, you must configure the OIDC settings to verify the JWT.
-
Configure OIDC endpoints – Send a
PUT
request to the OIDC REST API endpoint:<https://cg.optimizely.com/api/config/oidc>
with a Basic or HMAC authorization header. See Upsert OIDC config API reference for information.curl -XPUT \ -H 'Authorization: Basic {appKey}:{secret}' \ -d '{ "issuer": "{your_issuer}", "audience": "{your_audience}", }' https://cg.optimizely.com/api/config/oidc
-
JWT payload requirements – Ensure your JWT payload includes
issuer
,audience
,roles
, andpreferred_username
claims.{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022, "iss": "{your_issuer}", "audience": "{your_audience}", "roles": ["Everyone"], "preferred_username": "[email protected]" }
-
Send GQL query – Send your GraphQL query to the query endpoint with your JWT. See Get started with the GraphQL API for information on the GraphQL query endpoint.
curl -XPOST -H 'Authorization: Bearer {jwt_token}' -d '{query}' https://cg.optimizely.com/content/v2?tenant_id={your_tenant_id}
Note
The
tenant_id
must be passed as a query string. Contact Optimizely Support to request it.
Example configuration with Okta
The following steps configure Okta as an OIDC provider with Optimizely Graph.
Configure the example
- Follow Okta's documentation to Create an OIDC SPA App in Okta Admin Console.
- Go to Security > API to modify the default authorization server.
- On the Access policies tab, click Add policy. Add a policy. See Okta's Create access policies documentation.
- Click Add rule. Add a default rule to the policy. See Create rules for each access policy.
Preview the JWT
- On the Token preview tab, enter the required information.
- Click Preview token to check the decoded JWT. You should see the default claims (except
roles
andpreferred_username
) in the token.
Create roles
claim
roles
claim- On the Claims tab, click Add claim.
- Enter roles for the Name.
- Select Groups for the Value type drop-down list.
- Select Matches regex for the Filter drop-down list.
- Enter .* for Matches regex.
- Click Create.
Create preferred_username
claim
preferred_username
claim- On the Claims tab, click Add claim.
- Enter preferred_username for the Name.
- Enter user.email for theValue.
- Click Create.
Note
See Customize tokens returned from Okta with custom claims for more information.
Register the OIDC configuration
- On the Token preview tab, enter the required information.
- Click Preview token to check the decoded JWT. You should see the default claims (including the newly added
roles
andpreferred_username
) in the token. - Send a
PUT
request to the Upsert OIDC config REST API endpoint. Use the information found in the JWT.Note
You must use Basic or HMAC authorization wiht the Upsert OIDC config REST API endpoint.
Updated 12 days ago