Install Nodinite v7 - OpenID Connect (OIDC) and OAuth 2.0
This authentication method is recommended for cloud-based deployments or when you want to integrate with external identity providers. It supports modern authentication protocols and provides enhanced security features.
For details on registering Nodinite applications in Azure AD (Entra ID) and configuring permissions, see the Register Nodinite Applications in Azure AD (Entra ID) with OpenID guide.
Example of the Authentication tab with OAuth 2.0 / OIDC selected.
If you select OAuth 2.0 / OIDC, you must provide the following settings:
OAuth General settings
In the General settings section, you must provide the following information:
| Mandatory | Variable | Default | Description |
|---|---|---|---|
| Authentication Method | OAuth |
Select OAuth to use OpenID configuration |
|
| Discovery URL (.well-known) | https://idp/.../.well-known/openid-configuration |
The URL of the OpenID Connect discovery document provided by your identity provider. This document contains metadata about the identity provider, including endpoints, supported scopes, and other configuration details. For Entra ID, use https://login.microsoftonline.com/%YOURGUID%/v2.0/.well-known/openid-configuration |
|
| Default Services Account Name | <DefaultServiceAccountName> |
Enter Default Services Account Name. You can override these in the 'Advanced' tab | |
| Installation Client ID | Enter the Application (client) ID for your installation/daemon client. For Azure AD (Entra ID): This is the client ID from your NodiniteInstallationClient app registration. See Register Azure AD Apps for detailed setup. | ||
| Installation Client Scopes | Enter one or more scopes to define the permissions granted to the installation client. Press Enter after each scope. For Azure AD (Entra ID): Use format api://<webApi-client-id>/.default. See Register Azure AD Apps for complete configuration guidance. |
||
| Installation Client Claims | Specify the claims to include in tokens requested with the installation client credentials. At least one claim is required when using OAuth2 mode. For Azure AD (Entra ID): Use KEY: http://schemas.microsoft.com/ws/2008/06/identity/claims/role, VALUE: AppRole_WebApi_all. See Register Azure AD Apps for app role configuration. |
Tip
Using Azure AD (Entra ID)? See the complete step-by-step guide: Register Nodinite Applications in Azure AD (Entra ID) with OpenID. That guide provides detailed instructions for creating the three required app registrations (webApi, webClient, NodiniteInstallationClient) and capturing all the values needed for these fields.
Example of the OAuth General settings section.
OAuth Web Client settings
In the Web Client settings section, you must provide the following information:
Example of the OAuth Web Client settings section.
| Field Label | Default Value / Example | Description |
|---|---|---|
| Require HTTPS Metadata | Unchecked | When enabled, the application will only accept metadata from the discovery URL if it is served over HTTPS. This ensures that the metadata is transmitted securely and cannot be tampered with during transit. For Azure AD (Entra ID): Leave this unchecked for production—see Register Azure AD Apps for details. |
| Client ID * | nodinite-%ENVIRONMENTNAME%-webclient |
The client identifier registered with your identity provider for the Web Client application. This ID is used to identify the application during the authentication process. For Azure AD (Entra ID): See Register Azure AD Apps section 2.1. |
| Callback Path | /signin-oidc |
The path where the identity provider will redirect users after they have authenticated. This should match the redirect URI registered with your identity provider. |
| Signed-Out Callback Path | /signout-callback-oidc |
The path where the identity provider will redirect users after they have signed out. This should match the post-logout redirect URI registered with your identity provider. |
| Signed-Out Redirect URI * | https://nodinite.local:41000/ |
The URI where users will be redirected after they have signed out. This should be a valid URI that is registered with your identity provider. |
| Access Denied Path | / | The path where users will be redirected if they are denied access to a resource. This can be a custom error page or a specific route in your application. |
| Scopes | openid, profile, email, and offline_access |
The scopes that the application will request from the identity provider. These scopes determine the level of access and information that the application will receive about the authenticated user. The default scopes are openid, profile, email, and offline_access. For Azure AD (Entra ID): You must also add your custom API scope—see Register Azure AD Apps section 1.2 for the format and details. Press Enter after each scope to add it. |
| Nodinite Claims | Specify at least one Nodinite claim to ensure secure access and proper tenant or environment context when using OAuth2 mode. Claims prevent user lockout and define how the application identifies users and environments. For Azure AD (Entra ID): See Register Azure AD Apps section 1.4 for how to configure group claims and find your security group Object ID. |
OAuth Web API settings
In the Web API settings section, you must provide the following information:
- Audiences - A list of valid audiences that the Nodinite Web API will accept. This should include the client IDs of any applications that will be accessing the Web API. Example:
nodinite-%ENVIRONMENTNAME%-webapi.
Example of the OAuth Web API settings section.
OAuth Log API settings
In the Log API settings section, you must provide the following information:
- Audiences - A list of valid audiences that the Nodinite Log API will accept. This should include the client IDs of any applications that will be accessing the Nodinite Log API. Example:
nodinite-%ENVIRONMENTNAME%-logapi.
Example of the OAuth Log API settings section.
OpenID Connect & OAuth2 Integration – Diagrams and Configuration
Below are diagrams to help administrators of the Identity Provider (IDP) understand how Nodinite interacts with OpenID Connect and OAuth2, and what is required for proper configuration in the Nodinite Portal.
1. Authentication Flow Overview
This diagram shows the basic OpenID Connect authentication flow between the user, Nodinite Web Client, and the Identity Provider. The IDP must be configured to recognize Nodinite as a client and provide the necessary claims and scopes.
2. Required IDP Configuration for Nodinite
Administrators must register Nodinite applications in the IDP, configure redirect URIs, assign required scopes (e.g., openid, profile, email, offline_access), and ensure claims (such as tenant/environment context) are provided. Client secrets or certificates may be required for secure communication.
3. Claims and Scopes Mapping
The IDP must provide the requested scopes and claims to Nodinite. These are mapped in the Nodinite portal fields for each client (Web Client, Web API, Log API).
Next Step
Install Nodinite v7
Updating Nodinite v7
Managing the Web API - Learn how to call the Web API with OAuth 2.0 authentication
Register Nodinite Applications in Azure AD (Entra ID) with OpenID
Related Topics
Uninstall Nodinite v7
Managing the Web API - Code samples for PowerShell, C#, Java, and Node.js with OAuth 2.0