ReachFive as an OpenId Connect Provider

ReachFive is partially implemented as an OpenID Connect Provider (OICP). Although it does not implement the full protocol, it contains enough to integrate with other software that expects an OICP (such as Amazon Cognito). What ReachFive does not have, essentially, is a login page. What it does have:

  • the OAuth2 authorization and token endpoints;
  • the ability to return an ID token as a JSON Web Token (JWT);
  • the standard configuration document for OpenID Connect Discovery (OICD).

Configuration

Following the OICD specification, the OpenID Connect configuration is served at: https://{YOURREACHFIVEDOMAIN}/.well-known/openid-configuration

It contains all URLs related to OpenID Connect, as well as technical information about the endpoints (supported claims, locales, grant types, etc.). One of the URLs in the well-known configuration is the JSON Web Key Set document: https://{YOURREACHFIVEDOMAIN}/jwks.json, which contains the RSA public key of your account.

On an application client, you specify which algorithm is used to sign the JWTs. The default is HS256 (HMAC-SHA256), but RS256 (RSA-SHA256) is also available. With HS256 the token is signed with the client secret, so any party verifying the token must hold that secret; with RS256 a relying party verifies the signature using only the public key published in jwks.json, which is why most external tools will accept RS256. For complete information on the algorithms, see the JSON Web Algorithms registry in RFC 7518.

[Screenshot: client JWT algorithm setting]

API

The endpoints are listed in the OpenID Connect discovery document described above. The scope to request in order to get an ID token is openid.

See the API documentation for more information.
