Understanding Argus OpenID Provider integration

Using an external OpenID provider for authentication is done by defining the provider in Argus with:

  • A provider_uri which will be redirected to when authentication is needed

  • An OAuth client_id to use to identify Argus as the authorizing application

  • An X.509 certificate or JWKS file from the provider, which is used to verify the ID-tokens issued by the provider

When defined, users may log in to Argus using the OpenID Authorization Code Flow or the Implicit Flow.

Authorization Code Flow:

  • Argus will redirect the user to the configured provider's login page, with a callback URI back to Argus

  • Once authenticated, the user will be redirected back to Argus with an Authorization Code

  • Argus will contact the “token” endpoint of the ID provider to resolve the Authorization Code, and fetch an ID-token.

  • Argus will decode and validate the ID-token using the provider's certificate, and identify the user account from the claims in the ID-token

  • Optional: If enabled in the configuration, Argus may create a new user based on the claims in the ID-token. See “Automatic user mapping” below.

  • If successfully validated, Argus will initiate a session for the corresponding Argus user

Implicit Flow:

  • Argus will redirect the user to the configured provider's login page, with a callback URI back to Argus

  • Once authenticated, the user will be redirected back to Argus with an OpenID ID-token

  • Argus will decode and validate the token using the provider's certificate, and identify the user account from the claims in the ID-token

  • Optional: If enabled in the configuration, Argus may create a new user based on the claims in the ID-token. See “Automatic user mapping” below.

  • If successfully validated, Argus will initiate a session for the corresponding Argus user

Note

The difference between these flows is that for the Authorization Code Flow, Argus requires direct access to the ID-provider's “token” endpoint.
This is more secure, since the ID-token is obtained directly from the provider rather than passed through the user's browser, but it may require a firewall opening for a non-public ID-provider.
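As an added illustration of the "decode and validate the ID-token" step in both flows above (example code, not Argus's own implementation), the following Python verifies an RS256 ID-token against a provider JWKS and then checks the claims a relying party must check before trusting them. The JWKS layout, the claim names and the nonce are standard OpenID Connect; the RSA verification is written out in full rather than delegated to a JOSE library so that every check is visible.

```python
import base64
import hashlib
import hmac
import json
import time

# DigestInfo prefix for SHA-256 in RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def rsa_sha256_verify(n, e, signed, sig):
    """RSASSA-PKCS1-v1_5 with SHA-256, written out in full so the check is visible."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signed).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)

def key_from_jwks(jwks, kid):
    for jwk in jwks.get("keys", []):  # use only the key the header names; never fall back to "any key"
        if jwk.get("kty") == "RSA" and jwk.get("kid") == kid:
            return (int.from_bytes(b64url_decode(jwk["n"]), "big"),
                    int.from_bytes(b64url_decode(jwk["e"]), "big"))
    raise ValueError("no RSA key in JWKS matches kid")

def validate_id_token(token, jwks, issuer, client_id, nonce=None, now=None):
    """Signature first, then iss/aud/nonce/exp; only a fully checked token yields claims."""
    h_seg, p_seg, s_seg = token.split(".")  # ValueError on anything but three segments
    header = json.loads(b64url_decode(h_seg))
    if header.get("alg") != "RS256":  # pin the algorithm: rejects alg=none and HMAC key confusion
        raise ValueError("unsupported alg")
    n, e = key_from_jwks(jwks, header.get("kid"))
    if not rsa_sha256_verify(n, e, f"{h_seg}.{p_seg}".encode(), b64url_decode(s_seg)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_seg))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("audience mismatch")  # token was issued to a different client
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")  # Implicit Flow: binds the token to this login attempt
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims  # 'sub' (scoped by 'iss') is the stable key for user lookup or auto-creation
```

The returned claims are what the "identify the user account" and "Automatic user mapping" steps consume; a token that fails any single check yields no claims at all.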