\\
The plugin supports __OpenID Connect__ ([https://en.wikipedia.org/wiki/OpenID]), an authentication protocol built on top of the OAuth 2.0 ([https://en.wikipedia.org/wiki/OAuth]) authorization framework.\\
\\
__Constraints__: It only works over the __HTTP__ or __HTTPS__ protocol. Only the __Authorization Code Flow__ is supported (Implicit Flow and Hybrid Flow are not supported). It requires an __Enterprise License__.\\
\\
!!!1. IDP general configuration\\
The plugin requires the following Identity Provider (IdP) information and configuration:\\
• Client ID\\
• Client Secret\\
• Redirect URL: The redirect URL is the endpoint registered in your Identity Provider (IdP) application to which the IdP sends the user after successful authentication. This URL receives the authorization code or access token as part of the authentication process. The redirect URL must end with __/SSO_OIDC/__, for example:\\
{{{
https://yourdomain.com/SSO_OIDC/
}}}\\
\\
Google: [https://developers.google.com/identity/openid-connect/openid-connect]\\
\\
!!!2. Plugin Configuration\\
\\
!1.1 Identity Provider related settings\\
\\
[attachments|CrushOIDC/oidc_idp_related_plugin_settings.png]\\
\\
__1.1.1 OpenID Configuration URL:__ \\
\\
Dynamic endpoint:\\
\\
This HTTP URL is part of the OpenID Connect (OIDC) Discovery mechanism. It follows __RFC 5785__ ([https://datatracker.ietf.org/doc/html/rfc5785]), which defines __.well-known__ URIs for discovering metadata about a service. The plugin queries this endpoint to configure itself dynamically instead of relying on hard-coded values. The JSON document it returns includes important endpoints and details such as:\\
• Authorization endpoint\\
• Token endpoint\\
• User info endpoint\\
• Supported scopes and claims\\
• Public keys for verifying tokens\\
\\
List of __.well-known__ URLs for various identity providers and services that support OpenID Connect (OIDC):\\
{{{
Google:              https://accounts.google.com/.well-known/openid-configuration
Microsoft Azure AD:  https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration
Microsoft Azure B2C: https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration
Amazon (Cognito):    https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration
Okta:                https://{yourOktaDomain}/.well-known/openid-configuration
Auth0:               https://{yourDomain}.auth0.com/.well-known/openid-configuration
Dropbox:             https://www.dropbox.com/.well-known/openid-configuration
}}}\\
\\
Local endpoint:\\
\\
You can reference a __local JSON file__ if the identity provider (IdP) does not support OpenID Connect but does support __OAuth 2.0__ (e.g., Box cloud storage). Instead of specifying an HTTP URL, provide the path to a local file, such as:\\
{{{
./box_open_id_config.json
}}}\\
\\
The JSON file should include the __authorization endpoint__ and the __token endpoint__, as in this example for Box cloud storage:\\
{{{
{
	"authorization_endpoint":"https://account.box.com/api/oauth2/authorize",
	"token_endpoint":"https://api.box.com/oauth2/token"
}
}}}\\
\\
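The following is an added example, not part of the plugin or this page, showing the checks an administrator can run on a provider metadata document before pointing the plugin at it: the dynamic discovery document must carry the issuer, endpoints and key set, the local OAuth 2.0-only file needs only the two endpoints, every endpoint must be HTTPS, and the provider must offer the ''code'' response type, since only the Authorization Code Flow is supported. The sample documents and the example.com hostnames are constructed; the check also confirms a redirect URL ends with /SSO_OIDC/.

```python
import json
from urllib.parse import urlparse

# Constructed sample documents (not fetched from any network): a discovery-style
# document with the fields the plugin needs, and a minimal local file for an
# OAuth 2.0-only provider such as Box (mirrors the page's example).
DISCOVERY_JSON = """{
  "issuer": "https://accounts.example.com",
  "authorization_endpoint": "https://accounts.example.com/o/oauth2/v2/auth",
  "token_endpoint": "https://oauth2.example.com/token",
  "userinfo_endpoint": "https://openidconnect.example.com/v1/userinfo",
  "jwks_uri": "https://www.example.com/oauth2/v3/certs",
  "scopes_supported": ["openid", "email", "profile"],
  "response_types_supported": ["code", "token", "id_token"]
}"""
LOCAL_BOX_JSON = """{
  "authorization_endpoint": "https://account.box.com/api/oauth2/authorize",
  "token_endpoint": "https://api.box.com/oauth2/token"
}"""

REQUIRED_OAUTH = ("authorization_endpoint", "token_endpoint")
REQUIRED_OIDC = REQUIRED_OAUTH + ("issuer", "jwks_uri")


def check_config(text, oidc=True):
    """Parse a provider metadata document and return a list of problems.

    oidc=True  : full OIDC discovery document (issuer, jwks_uri, code flow)
    oidc=False : local OAuth 2.0-only file, which only needs the two endpoints
    An empty list means the document passes every check."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e.msg}"]
    for key in (REQUIRED_OIDC if oidc else REQUIRED_OAUTH):
        if key not in doc:
            problems.append(f"missing {key}")
    # Every endpoint the plugin will talk to must use https; a plain-http
    # token endpoint would expose the client secret and tokens in transit.
    for key, value in doc.items():
        if key.endswith(("_endpoint", "_uri")) and urlparse(str(value)).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    # Only the Authorization Code Flow is supported, so a provider that lists
    # its response types must include "code".
    types = doc.get("response_types_supported")
    if oidc and types is not None and "code" not in types:
        problems.append("provider does not advertise the 'code' response type")
    return problems


def check_redirect_url(url):
    """The plugin's redirect URL must be http(s) and end with /SSO_OIDC/."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.netloc != "" and p.path.endswith("/SSO_OIDC/")
```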