\\
The plugin supports __OpenID Connect__ ([https://en.wikipedia.org/wiki/OpenID]), an authentication protocol built on top of the OAuth 2.0 ([https://en.wikipedia.org/wiki/OAuth]) authorization framework.\\
\\
__Constraints__: It only works through __HTTP__ or __HTTPS__ protocol. __Authorization Code Flow__ is supported (Implicit Flow or Hybrid Flow are not supported). It requires __Enterprise License__.\\
\\
!!!1. Identity Provider's(IdP) general configuration\\
The plugin requires the following Identity Provider (IdP) information and configuration:\\
• Client ID\\
• Client Secret: Authorization Code Flow requires it.\\
• Redirect URL: The redirect URL is the endpoint in your IdP application where the IdP directs the user after successful authentication. This URL receives the authorization code or access token as part of the authentication process. The redirect URL must target the CrushFTP server and conclude with __/SSO_OIDC/__. Like:\\
{{{
https://yourCrushFTP.domain.com/SSO_OIDC/
}}}\\
\\
Google: [https://support.google.com/googleapi/answer/6158849]\\
\\
!!!2. Plugin Configuration\\
\\
!2.1 IdP related settings\\
\\
[attachments|CrushOIDC/oidc_idp_related_plugin_settings.png]\\
\\
__2.1.1 OpenID Configuration URL:__ \\
\\
__Dynamic endpoint:__\\
\\
This HTTP URL is part of the OpenID Connect (OIDC) Discovery mechanism. It follows a standard called __RFC 5785__ ([https://datatracker.ietf.org/doc/html/rfc5785]), which defines the use of __.well-known__ URIs for discovering metadata about services. It queries this HTTP endpoint to configure itself dynamically, avoiding hard-coded values. The retrieved JSON document includes important endpoints and details like:\\
•	Authorization endpoint\\
•	Token endpoint\\
•	User info endpoint\\
•	Supported scopes and claims\\
•	Public keys for verifying tokens\\
\\
List of __.well-known__ URLs for various identity providers and services that support OpenID Connect (OIDC):\\
{{{
Google:              https://accounts.google.com/.well-known/openid-configuration
Microsoft Azure AD:  https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration
Microsoft Azure B2C: https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration
Amazon (Cognito):    https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration
Okta:                https://{yourOktaDomain}/.well-known/openid-configuration
Auth0:               https://{yourDomain}.auth0.com/.well-known/openid-configuration
Dropbox:             https://www.dropbox.com/.well-known/openid-configuration
}}}\\
\\
__Local endpoint:__\\
\\
You can reference a __local JSON file__ if the identity provider (IdP) does not support OpenID Connect but does support __OAuth 2.0__ (e.g., Box cloud storage). Instead of specifying an HTTP URL, provide the path to a local file, such as:\\
{{{
./box_open_id_config.json
}}}\\
\\
The JSON file should include the __authorization endpoint__. Example for Box cloud storage:
{{{
{
	"authorization_endpoint":"https://account.box.com/api/oauth2/authorize",
	"token_endpoint":"https://api.box.com/oauth2/token"
}
}}}
\\
__2.1.2 App registration related informations:__\\
\\
__Client ID__: Provide the Client ID (the unique identifier) of your IdP.\\
__Client Secret__: Provide the Client Secret of your IdP.\\
\\