Setting up Connections Mobile to authenticate using OIDC
The Connections mobile apps can use the OAuth 2.0 authorization framework within the OpenID Connect (OIDC) authentication protocol.
This is possible by leveraging the WebSphere OpenID Connect Relying Party Trust Association Interceptor (TAI). This strategy allows the Connections mobile apps to use Single Sign-On with Identity Providers that also support OIDC.
Any OpenID Connect Provider (OP) that supports OIDC 1.0, supports the Authorization Code Grant flow with public clients, and supports Proof Key for Code Exchange (PKCE) can be used. This documentation uses the Microsoft Azure identity provider as an example. It describes the setup needed for the OpenID Connect Provider, which issues the secure tokens, as well as for the client-side application in WebSphere, known as the Relying Party.
Connections must be able to look up the user in the Connections databases once the token is verified. In the examples below, the identity claim present in the JWT is the email address of the user at the identity provider, and this must match the same user in the Connections database. If the user has not yet been provisioned within Connections, the login with the OIDC provider may succeed, but access to Connections will fail and the mobile app will not be able to establish a session.
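The two requirements above (a public client using the Authorization Code flow with PKCE, and a verified identity claim that must resolve to a provisioned Connections user) are illustrated by the following added example. It is not part of this documentation, the WebSphere TAI, or any identity provider: the PKCE functions follow RFC 7636 with the S256 method, the token is a constructed, unsigned demo token whose signature segment is a placeholder, the user table is constructed sample data, and the function and variable names are assumptions chosen for illustration. Signature, issuer, audience and expiry validation is assumed to have been performed by the TAI before the claim lookup runs.

```python
import base64
import hashlib
import json
import secrets


# --- PKCE (RFC 7636): what a public client such as a mobile app uses
# instead of a client secret in the Authorization Code flow ---

def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier, base64url without padding (43..128 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def op_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """The OP's check at the token endpoint: the challenge it stored with the
    authorization code must match the verifier presented with that code."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


# --- Mapping the verified identity claim to a provisioned Connections user ---

# Constructed sample data standing in for the Connections user directory.
PROVISIONED_USERS = {
    "ana.example@contoso.example": "ana-example-uid",
}


def build_demo_token(claims: dict) -> str:
    """Constructed, unsigned demo token for illustration only; the third
    segment is a placeholder, not a real signature."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "signature-placeholder"])


def decode_jwt_payload(token: str) -> dict:
    """Read the claims from the middle JWT segment. This performs no
    validation; the TAI is assumed to have verified the token already."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_user(token: str, claim: str = "email"):
    """Return the Connections user id for the identity claim, or None when
    the claim is absent or the user has not been provisioned (the case in
    which the OIDC login succeeds but the mobile session cannot be created).
    Matching is exact; any normalization policy is left to the deployment."""
    ident = decode_jwt_payload(token).get(claim)
    if ident is None:
        return None
    return PROVISIONED_USERS.get(ident)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)  # sent with the authorization request
    print("PKCE ok:", op_verifies_pkce(challenge, verifier))
    print("known user ->", resolve_user(build_demo_token({"email": "ana.example@contoso.example"})))
    print("unprovisioned ->", resolve_user(build_demo_token({"email": "nobody@contoso.example"})))
```

A `None` result from `resolve_user` is the condition described above: the identity provider accepted the login, but Connections has no matching user, so provisioning the account (with the same email address the OP places in the claim) is the fix, not a change to the OIDC configuration.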