Authenticate using OIDC Authenticator

After the OIDC Authenticator is configured, you can send an authentication request.

Use the API request details appropriate for your use case:

  • OIDC Authenticator for application authentication: The CyberArk OIDC Authenticator leverages the identity layer provided by OIDC to enable applications to authenticate with and retrieve secrets needed for connecting to resources such as a database.

  • OIDC Authenticator for Conjur UI or CLI authentication: Use the OIDC Authenticator to enable users to sign in to the Conjur UI or Conjur CLI using your organization's existing identity provider (IdP) implementation. This enhances security and product experience for organizations that require single sign-on (SSO) and multi-factor authentication (MFA).

For more information about the OIDC Authenticator, see OpenID Connect (OIDC) Authenticator.

OIDC Authenticator for application authentication

URI

POST https://{Conjur-server-hostname}/authn-oidc/{service-id}/{account}/authenticate

URI parameters

service-id   The ID of the OIDC Provider, for example okta
account      The organization account name

The following characters are not supported in URI values: + & % :

Request

Header

Accept-Encoding: base64
Content-Type: application/x-www-form-urlencoded

To receive the access token Base64-encoded, include base64 as the encoding format in the Accept-Encoding header. If base64 is not included in the header, the raw token is returned with the content type application/json.

Body

The request body must include the ID token that identifies the user:

id_token: "eyJhbGciOiJSUzI1NiIs......uTonCA"

Example REST request

curl -k --request POST 'https://example.com/authn-oidc/okta/myorg/authenticate' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Accept-Encoding: base64' \
  --data-urlencode 'id_token=eyJhbGciOiJSUzI1NiIs......uTonCA'

Response

Code   Description
200    The response body is the access token.
401    The request lacks valid authentication credentials.

Response 200 example using a token

Header

Content-Encoding: base64
Content-Type: text/plain

Body

Returns a Base64 access token of the user whose ID token is provided in the input:


For more information about using the access token, see Authenticate.
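The application-authentication call described above, as an added Python example that is not CyberArk's code or the Conjur client library: it assembles the POST request, rejects path values that contain the unsupported characters, and handles the 200 body according to its Content-Encoding. The host name, the service ID okta (the page's own example), the account myorg and every token value are constructed placeholders; authenticate() needs a reachable Conjur server and is only there to show the request being sent.

```python
# Added example (not CyberArk's code): build, send and decode a Conjur
# authn-oidc application-authentication request.
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Characters the API does not accept inside URI values.
UNSUPPORTED_URI_CHARS = set("+&%:")


def check_uri_value(name, value):
    """Raise ValueError if a path value contains a character the API rejects."""
    bad = sorted(UNSUPPORTED_URI_CHARS & set(value))
    if bad:
        raise ValueError(f"{name} contains unsupported characters: {''.join(bad)}")
    return value


def build_app_auth_request(host, service_id, account, id_token, want_base64=True):
    """Return (url, headers, body) for
    POST https://{host}/authn-oidc/{service-id}/{account}/authenticate."""
    url = "https://{}/authn-oidc/{}/{}/authenticate".format(
        host,
        check_uri_value("service-id", service_id),
        check_uri_value("account", account),
    )
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if want_base64:
        # Without this header the server returns the raw token as application/json.
        headers["Accept-Encoding"] = "base64"
    body = urlencode({"id_token": id_token})  # a form field, not a JSON document
    return url, headers, body


def parse_access_token_response(headers, body):
    """Return (base64_token, token_json) from a 200 response.

    With Content-Encoding: base64 (Content-Type: text/plain) the body is one
    Base64 string wrapping the token; otherwise the body is the raw token.
    base64_token is the value to present in later API calls, token_json the
    decoded token for inspection."""
    if headers.get("Content-Encoding", "").lower() == "base64":
        b64 = body.strip()
        raw = base64.b64decode(b64).decode("utf-8")
    else:
        raw = body
        b64 = base64.b64encode(raw.encode("utf-8")).decode("ascii")
    return b64, json.loads(raw)


def authenticate(host, service_id, account, id_token):
    """Send the request over TLS (certificate verified, unlike the curl -k example)
    and return (base64_token, token_json). A 401 surfaces as urllib.error.HTTPError."""
    url, headers, body = build_app_auth_request(host, service_id, account, id_token)
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_access_token_response(resp.headers, resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent from here.
    print(build_app_auth_request("conjur.example.com", "okta", "myorg", "eyJ.placeholder.token"))
```

The unsupported-character check runs before the URL is built, so a service ID or account containing + & % or : fails locally instead of producing a confusing 4xx from the server.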

OIDC Authenticator for Conjur UI or CLI authentication

URI

GET https://<conjur-server-hostname>/authn-oidc/<service-id>/<account>/authenticate?code=<code>&nonce=<nonce>&code_verifier=<code_verifier>

URI parameters

service-id     The ID of the OIDC Provider, for example identity
account        The organization account name
code           The code value returned from the OIDC provider after successful authentication.
nonce          The nonce value that was sent to the OIDC provider during the authentication redirect.
code_verifier  The PKCE code verifier value that was used to generate the Base64 encoded SHA256 hash digest sent to the OIDC provider during the authentication redirect.

The following characters are not supported in URI values: + & % :

Request

Header

Accept-Encoding: base64
Content-Type: application/x-www-form-urlencoded

To receive the access token Base64-encoded, include base64 as the encoding format in the Accept-Encoding header. If base64 is not included in the header, the raw token is returned with the content type application/json.

Response

Code   Description
200    The response body is the access token.
400    This response indicates one of the following:
         • Missing parameters
         • Failure to retrieve an OIDC token, for example if the OIDC provider URL is not valid, the client ID or secret is incorrect, the PKCE check failed, the code was previously used, or no corresponding Conjur role with permission to authenticate was found
         • Failure to validate the retrieved OIDC token because the provided nonce does not match
401    This response indicates one of the following:
         • The OIDC token is missing a claim or the claim is empty
         • An unhandled error occurred

Response 200 example using a JSON object

Header

Content-Encoding: base64
Content-Type: text/plain

Body

Returns a Base64 access token of the user whose ID token is provided in the input:

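The UI/CLI flow above hands Conjur a code, a nonce and a PKCE code verifier, and the 400/401 table describes what the server checks. As an added Python example that is not Conjur's code: generating the code_verifier and nonce for the redirect, deriving the challenge that goes to the IdP, building the authenticate URL, and the two verifications the server performs (PKCE digest match, nonce match). It assumes the "Base64 encoded SHA256 hash digest" is the RFC 7636 S256 method (base64url without padding); the host name, the service ID identity (the page's example), the account myorg and the code value are constructed placeholders.

```python
# Added example (not Conjur's code): PKCE and nonce handling for the
# UI/CLI authentication flow, plus the checks the server applies.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Characters the API does not accept inside URI values.
UNSUPPORTED_URI_CHARS = set("+&%:")


def b64url(data):
    """Base64url without padding (RFC 7636 S256 encoding, assumed here)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier():
    """Random code_verifier: 32 bytes -> 43 unreserved characters, so it never
    contains +, &, % or : and travels in the query string unchanged."""
    return b64url(secrets.token_bytes(32))


def code_challenge(code_verifier):
    """The value sent to the IdP in the redirect: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_nonce():
    """Random nonce sent with the redirect and expected back in the ID token."""
    return b64url(secrets.token_bytes(16))


def build_ui_auth_url(host, service_id, account, code, nonce, code_verifier):
    """GET https://{host}/authn-oidc/{service-id}/{account}/authenticate?code=..&nonce=..&code_verifier=.."""
    for name, value in (("service-id", service_id), ("account", account)):
        bad = UNSUPPORTED_URI_CHARS & set(value)
        if bad:
            raise ValueError(f"{name} contains unsupported characters: {''.join(sorted(bad))}")
    query = urlencode({"code": code, "nonce": nonce, "code_verifier": code_verifier})
    return f"https://{host}/authn-oidc/{service_id}/{account}/authenticate?{query}"


def pkce_matches(code_verifier, challenge_sent):
    """Server-side PKCE check: recompute S256(verifier) and compare in constant
    time. A mismatch is one of the 400 causes listed above."""
    return secrets.compare_digest(code_challenge(code_verifier).encode("ascii"),
                                  challenge_sent.encode("ascii"))


def nonce_matches(expected_nonce, id_token_claims):
    """Token validation: the nonce claim must be present, non-empty and equal to
    the nonce that was sent. A missing or empty claim is the 401 case above; a
    differing nonce is the 400 'nonce does not match' case."""
    claim = id_token_claims.get("nonce")
    if not claim:
        return False
    return secrets.compare_digest(claim.encode("utf-8"), expected_nonce.encode("utf-8"))


if __name__ == "__main__":
    verifier, nonce = new_code_verifier(), new_nonce()
    print("code_challenge for the redirect:", code_challenge(verifier))
    # 'constructed-code' stands in for the code the IdP returns after login.
    print(build_ui_auth_url("conjur.example.com", "identity", "myorg",
                            "constructed-code", nonce, verifier))
```

The verifier and nonce are generated with secrets rather than random so they are unpredictable, and they are kept only on the client side between the redirect and the authenticate call; the server never needs the verifier until it receives code_verifier in this request, which is what makes the "code was previously used" and "PKCE check failed" rejections meaningful.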