\\
The plugin supports __OpenID Connect__ ([https://en.wikipedia.org/wiki/OpenID]), an authentication protocol built on top of the OAuth 2.0 ([https://en.wikipedia.org/wiki/OAuth]) authorization framework.\\
\\
__!!! Constraints__: The plugin only works over __HTTP__ or __HTTPS__. Only the __Authorization Code Flow__ is supported (Implicit Flow and Hybrid Flow are not). It requires an __Enterprise License__.\\
\\
!!!1. Identity Provider's (IdP) general configuration\\
The plugin requires the following IdP information and configuration:\\
• Client ID\\
• Client Secret: Authorization Code Flow requires it.\\
• Redirect URL: The redirect URL is the endpoint registered in your IdP application to which the IdP sends the user after successful authentication. It receives the authorization code or access token as part of the authentication process. The redirect URL must target the CrushFTP server and end with __/SSO_OIDC/__, for example:\\
{{{
https://yourCrushFTP.domain.com/SSO_OIDC/
}}}\\
\\
Google: [https://support.google.com/googleapi/answer/6158849]\\
\\
!!!2. Plugin Configuration\\
\\
!2.1 IdP related settings\\
\\
[attachments|CrushOIDC/oidc_idp_related_plugin_settings.png]\\
\\
__2.1.1 OpenID Configuration URL:__ \\
\\
__Dynamic endpoint:__\\
\\
This HTTP URL is part of the OpenID Connect (OIDC) Discovery mechanism. It follows __RFC 5785__ ([https://datatracker.ietf.org/doc/html/rfc5785]), which defines __.well-known__ URIs for discovering metadata about services. The plugin queries this HTTP endpoint to configure itself dynamically, avoiding hard-coded values. The retrieved JSON document includes important endpoints and details such as:\\
• Authorization endpoint\\
• Token endpoint\\
• User info endpoint\\
• Supported scopes and claims\\
• Public keys for verifying tokens\\
\\
List of __.well-known__ URLs for various identity providers and services that support OpenID Connect (OIDC):\\
{{{
Google:              https://accounts.google.com/.well-known/openid-configuration
Microsoft Azure AD:  https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration
Microsoft Azure B2C: https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration
Amazon (Cognito):    https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration
Okta:                https://{yourOktaDomain}/.well-known/openid-configuration
Auth0:               https://{yourDomain}.auth0.com/.well-known/openid-configuration
Dropbox:             https://www.dropbox.com/.well-known/openid-configuration
}}}\\
\\
__Local endpoint:__\\
\\
You can reference a __local JSON file__ if the identity provider (IdP) does not support OpenID Connect but does support __OAuth 2.0__ (like Box cloud storage). Instead of specifying an HTTP URL, provide the path to a local JSON file, such as:\\
{{{
./box_open_id_config.json
}}}\\
\\
The JSON file should include the __authorization endpoint__. Example for Box cloud storage:\\
{{{
{
	"authorization_endpoint":"https://account.box.com/api/oauth2/authorize",
	"token_endpoint":"https://api.box.com/oauth2/token"
}
}}}\\
\\
__2.1.2 App registration related information:__\\
\\
__Client ID__: Provide the Client ID (the unique identifier assigned by the IdP to your app registration).\\
__Client Secret__: Provide the Client Secret issued by the IdP for that app registration.\\
\\
__2.1.3 Authorization related settings:__\\
\\
__Authorization URL__: This is the IdP endpoint where the authentication and authorization process is initiated. The default configuration is:\\
{{{
{authorization_endpoint}?client_id={oidc_client_id}&response_type=code&scope={oidc_scope}&redirect_uri={oidc_redirect_url}&state={oidc_state}
}}}\\
\\
Variables:\\
• {authorization_endpoint}: Authorization URL of the IdP, retrieved from the OpenID Configuration JSON.\\
• {oidc_client_id}: Client ID assigned by the IdP during app registration, taken from the plugin's "Client ID" setting.\\
• {oidc_scope}: The "Scope"(s) configured in the plugin, which determine the level of access requested.\\
• {oidc_redirect_url}: A URL generated automatically by CrushFTP, composed of the initial host and port followed by __/SSO_OIDC/__. The IdP redirects the user to this URL after successful authentication. __It must exactly match the redirect URL registered and configured in the IdP.__\\
• {oidc_state}: A value generated automatically by CrushFTP to maintain state between the authentication request and the callback; it is used to prevent CSRF attacks.\\
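The following added example (not part of the CrushFTP plugin or of this page) shows how the pieces in 2.1.1 and 2.1.3 fit together: it loads the Box-style local configuration JSON, fills the default Authorization URL template with the variables listed above, and checks the state value on the IdP callback. The host name, client ID and scope are constructed sample values; percent-encoding of the variables and the state generation method are assumptions of this example, not the plugin's documented behaviour.\\

```python
import json
import secrets
from urllib.parse import parse_qs, quote, urlparse

# Constructed stand-in for the local configuration file shown above (Box example).
# The same loader applies to a document fetched from /.well-known/openid-configuration.
LOCAL_OIDC_CONFIG = """{
  "authorization_endpoint": "https://account.box.com/api/oauth2/authorize",
  "token_endpoint": "https://api.box.com/oauth2/token"
}"""

# The plugin's default Authorization URL template and its variables.
AUTH_URL_TEMPLATE = ("{authorization_endpoint}?client_id={oidc_client_id}"
                     "&response_type=code&scope={oidc_scope}"
                     "&redirect_uri={oidc_redirect_url}&state={oidc_state}")

def load_oidc_config(text):
    """Parse a discovery document; the plugin needs at least the authorization endpoint."""
    cfg = json.loads(text)
    if "authorization_endpoint" not in cfg:
        raise ValueError("discovery document lacks authorization_endpoint")
    return cfg

def redirect_url(host, port, scheme="https"):
    """CrushFTP redirect URL: the initial host and port followed by /SSO_OIDC/."""
    return f"{scheme}://{host}:{port}/SSO_OIDC/"

def new_state():
    """Unguessable per-request state (assumed method; not how CrushFTP generates it)."""
    return secrets.token_urlsafe(32)

def build_authorization_url(cfg, client_id, scope, redirect, state):
    """Fill the template; percent-encoding each variable is this example's choice."""
    return AUTH_URL_TEMPLATE.format(
        authorization_endpoint=cfg["authorization_endpoint"],
        oidc_client_id=quote(client_id, safe=""),
        oidc_scope=quote(scope, safe=""),
        oidc_redirect_url=quote(redirect, safe=""),
        oidc_state=quote(state, safe=""))

def callback_is_valid(callback_url, expected_state):
    """Check the IdP callback: the state must equal the value issued for this login
    (CSRF protection) and an authorization code must be present."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    return (secrets.compare_digest(state.encode(), expected_state.encode())
            and "code" in params)
```

A scope such as "openid email" is sent as openid%20email, and a callback whose state differs from the one issued, or that carries no code, is rejected.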