Federation · generic-oidc
Generic OIDC IdP as a Hub federation member
Catch-all template for federating Hub to any OIDC-conformant IdP — public-cloud providers, regional IdPs, internal identity stacks.
- oidc
- idp
- generic
Tested against:hub: 1.0.0oidc: core-1.0
What this enables
Any OIDC-conformant IdP federates with Hub. Use this as the starting point if your customer's IdP isn't in the per-vendor recipes.
Prereqs
- IdP issuer URL (e.g.
https://idp.customer.example) - OIDC discovery URL (
<issuer>/.well-known/openid-configuration) - IdP-side admin access to register Hub as an OIDC client
Step 1 — In the IdP
Register an OIDC client:
| Field | Value |
|---|---|
| Application type | Web |
| Redirect URI | https://hub.thoryn.org/login/oauth2/code/<member-id> |
| Grant types | Authorization Code, Refresh Token |
| Default scopes | openid email profile |
Capture the Client ID and Client Secret.
Step 2 — In Thoryn
id: generic-oidc
name: "Customer OIDC IdP"
type: oidc
issuer: https://idp.customer.example
client_id: ${CLIENT_ID}
client_secret: ${CLIENT_SECRET}
discovery_url: https://idp.customer.example/.well-known/openid-configuration
scopes:
- openid
- email
- profile
claim_mappings:
sub: sub
email: email
given_name: given_name
family_name: family_name
groups: groups # if the IdP exposes themStep 3 — Test
Trigger a login. Hub follows the OIDC discovery doc, redirects to the IdP, exchanges the code, and lands the user in your app with the mapped claims.
Troubleshooting
given_name/family_namemissing: many IdPs return onlyname. Use thenameclaim and parse on your side, or setclaim_mappings.given_name: name(less correct but works).- Discovery doc unreachable: paste the OIDC config inline if the IdP doesn't expose
.well-known/openid-configuration.
See also
- Hub — How it works
- generic-saml — if the IdP only speaks SAML