\\
The plugin supports __OpenID Connect__ ([https://en.wikipedia.org/wiki/OpenID]), an authentication protocol built on top of the OAuth 2.0 ([https://en.wikipedia.org/wiki/OAuth]) authorization framework.\\
\\
__!!! Constraints__: It only works through __HTTP__ or __HTTPS__ protocol. __Authorization Code Flow__ is supported (Implicit Flow or Hybrid Flow are not supported). It requires __Enterprise License__.\\
\\
!!!1. Identity Provider's (IdP) general configuration\\
The plugin requires the following IdP information and configuration:\\
• Client ID\\
• Client Secret: Authorization Code Flow requires it.\\
• Redirect URL: The redirect URL is the endpoint in your IdP application where the IdP directs the user after successful authentication. This URL receives the authorization code or access token as part of the authentication process. The redirect URL must target the CrushFTP server and conclude with __/SSO_OIDC/__. Like:\\
{{{
https://your.domain.com/SSO_OIDC/
}}}\\
\\
Google: [https://support.google.com/googleapi/answer/6158849]\\
\\
!!!2. Plugin Configuration\\
\\
!2.1 IdP related settings\\
\\
[attachments|CrushOIDC/oidc_idp_related_plugin_settings.png]\\
\\
__2.1.1 OpenID Configuration URL:__ \\
\\
__Dynamic endpoint:__\\
\\
This HTTP URL is part of the OpenID Connect (OIDC) Discovery mechanism. It follows a standard called __RFC 5785__ ([https://datatracker.ietf.org/doc/html/rfc5785]), which defines the use of __.well-known__ URIs for discovering metadata about services. It queries this HTTP endpoint to configure itself dynamically, avoiding hard-coded values. The retrieved JSON document includes important endpoints and details like:\\
•	Authorization endpoint\\
•	Token endpoint\\
•	User info endpoint\\
•	Supported scopes and claims\\
•	Public keys for verifying tokens\\
\\
List of __.well-known__ URLs for various identity providers and services that support OpenID Connect (OIDC):\\
{{{
Google:              https://accounts.google.com/.well-known/openid-configuration
Microsoft Azure AD:  https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration
Microsoft Azure B2C: https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration
Amazon (Cognito):    https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration
Okta:                https://{yourOktaDomain}/.well-known/openid-configuration
Auth0:               https://{yourDomain}.auth0.com/.well-known/openid-configuration
Dropbox:             https://www.dropbox.com/.well-known/openid-configuration
}}}\\
\\
__Local endpoint:__\\
\\
You can reference a __local JSON file__ if the identity provider (IdP) does not support OpenID Connect but does support __OAuth 2.0__ (like Box cloud storage). Instead of specifying an HTTP URL, provide the path to a local JSON file, such as:\\
{{{
./box_open_id_config.json
}}}\\
\\
The JSON file should include the __authorization endpoint__. Example for Box cloud storage:
{{{
{
	"authorization_endpoint":"https://account.box.com/api/oauth2/authorize",
	"token_endpoint":"https://api.box.com/oauth2/token"
}
}}}
\\
__2.1.2 App registration related informations:__\\
\\
__Client ID__: Provide the Client ID (the unique identifier) of your IdP.\\
__Client Secret__: Provide the Client Secret of your IdP.\\
\\
__2.1.3 Authorization related settings:__\\
\\
__Authorization URL__: It is the endpoint where IdP initiates the authentication and authorization process. The default configuration would be:\\
{{{
{authorization_endpoint}?client_id={oidc_client_id}&response_type=code&scope={oidc_scope}&redirect_uri={oidc_redirect_url}&state={oidc_state}
}}}\\
\\
Variables:\\
• {authorization_endpoint}: Authorization URL of IdP, retrieved from the OpenID Configuration JSON.\\
• {oidc_client_id}: Client ID assigned by the IdP during app registration. Retrieved from plugin's "Client ID" setting.\\
• {oidc_scope}: Specifies the "Scope"(s) provided by the plugin to determine the level of access.\\
• {oidc_redirect_url}:  An autogenerated URL by CrushFTP, composed of the initial host and port, followed by __/SSO_IDC/__.  This URL is used to redirect the user after successful authentication. __!!! It must exactly match the redirect URL registered and configured in the IdP.__\\
• {oidc_state}: An autogenerated value by CrushFTP to maintain the state between the authentication request and callback. This is used to prevent CSRF attacks. \\
\\
__Scope__:  It defines the permissions or access levels requested by CrushFTP during the authentication process. The scopes determine the type of information (claims) IdP will include in the ID token and what resources the client application can access. (like user profile information, email address, or cloud storage access).\\
\\
__Get Refresh Token__: It is used to access the user's cloud storage through the IdP. It adjusts the __Authorization URL__ by appending the following parameters:\\
{{{
access_type=offline&prompt=consent
}}}\\
\\
• The __access_type=offline__ parameter is used in the Authorization URL in OpenID Connect (OIDC) and OAuth 2.0 flows to request a refresh token from the IdP. A refresh token allows the application to obtain new access tokens without requiring the user to log in again, enabling offline access.\\
__The refresh token enables access to the user's cloud storage through the IdP. __CrushFTP supports cloud storage integration with services such as Google Drive ([GDriveSetup]), OneDrive ([OneDriveSetup]), SharePoint ([SharePoint Integration]), and Dropbox ([Dropbox Integration]).\\
\\
When integrating cloud storage, ensure the __"Scope"__ parameter includes the __necessary permissions for accessing the user's cloud storage__. Add the following scopes for the respective services:\\
{{{
Google: https://www.googleapis.com/auth/drive
Dropbox: files.metadata.write files.content.write files.content.read
}}}\\
\\
__Microsoft__ does not require additional scopes for this purpose. Ensure that the __App Registration__ includes the __"Files.ReadWrite.All"__ permission, configured as either Delegated or Application. More info at [SharePoint Integration].\\
\\
At "__Custom VFS__" settings you can reference the gained __refresh token__ as variable:
{{{
{oidc_refresh_token}
}}}
\\
• The __prompt=consent__ parameter is used in the authorization URL to explicitly request the user's consent during the authentication process. This parameter __ensures that the Identity Provider (IdP) displays a consent screen__, even if the user has previously authorized the application.\\
\\
__Verify ID Token:__ The Authorization Code Flow uses the code value returned by the IdP to obtain the ID token. Although this step is not mandatory in the OpenID protocol, you can enable an additional verification of the returned ID token by selecting this checkbox. __!!!__ This feature works only if the OpenID configuration includes the "__jwks_uri__" endpoint. __It provides an extra layer of validation for the ID token.__\\

\\