
Setup Arc XP Identity as an OIDC client

For a publisher whose customers already sign in at the publisher's own identity provider (IdP), Arc XP Identity can let those customers sign in to Arc XP through that IdP using the OIDC protocol. OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0: in addition to the authorizations that OAuth grants, it lets the IdP tell the client (here, Arc XP Identity) who the signed-in user is, by way of a signed ID token. OIDC and OAuth define several grant types; Arc XP supports only the authorization code grant with PKCE. The following table lists the capabilities and limitations of Arc XP's OIDC client implementation.

Features of Arc XP’s OIDC Implementation

Feature: OIDC/OAuth type
Notes: Authorization code with PKCE.
Configurable: No (required).

Feature: PKCE
Notes: S256 (the code challenge is the SHA-256 hash of the code verifier; the plain method is not used).
Configurable: No.

Feature: Scopes
Notes: Arc XP requests the standard openid, email and profile scopes from your IdP.
Configurable: No.

Feature: Attributes consumed
Notes: The first time a user signs in through the IdP, Arc XP copies the following user profile attributes from the IdP into the user's account in Arc XP's database: email, given_name and family_name. These attributes are not kept in sync between the IdP and Arc XP afterwards; a later change at the IdP does not update the Arc XP account.
Configurable: No.

Feature: Signature verification
Notes: During the token exchange phase of the OIDC protocol, Arc XP expects to receive a signed ID token (JWT) from the IdP and verifies its signature before trusting any claim in it. If both a JWKS endpoint and an RSA public key are configured, Arc XP uses the JWKS.
Configurable: JWKS or RSA public key (RS256).

Feature: JWKS
Notes: Arc XP recommends that your IdP publish the (public) key used to sign the ID token as a JWKS document available for download. Arc XP supports tokens signed with RSA and re-retrieves the signing keys automatically as your IdP rotates them.
Configurable: Yes.

Feature: RSA public key
Notes: Where your IdP does not offer a JWKS download link, Arc XP accepts an RSA public key in your OIDC client configuration. It must be supplied as a PEM string with the header, footer and newlines removed, that is, only the base64 body of the PEM.
Configurable: Yes.

Feature: Token exchange security
Notes: During token exchange Arc XP sends the client credentials both in the HTTP Authorization header (client_secret_basic) and in the HTTP form body (client_secret_post), in the same request. No other client authentication method (for example private_key_jwt or mutual TLS) is supported. RFC 6749 forbids a client from using more than one authentication method in a single request, so confirm that your IdP accepts a token request that carries both.
Configurable: No.

Configuring an OIDC Client Connection

While configuring an OIDC client connection, you are expected to provide values for the following parameters:

Name: A name used to identify the IdP in Arc XP.
Client ID: The client ID assigned to Arc XP by the IdP.
Secret: The client secret assigned to Arc XP by the IdP. Arc XP presents it to the token endpoint during token exchange.
Public key: An RSA public key (used for RS256 signature verification), supplied as a PEM string with the header, footer and newlines removed. If a JWKS endpoint is configured, this value is ignored.
JWKS endpoint: A publicly available URL from which Arc XP's servers retrieve the IdP's signing keys. It should be served over HTTPS, since keys fetched over plain HTTP could be replaced in transit. If it is not configured, Arc XP expects a public key to be configured instead.
Redirect URI: The URL to which the IdP redirects the user's browser after a successful sign-in. It must match exactly the redirect URI registered for this client at the IdP, and it should be the page you host to receive the IdP's response (see Integration Methods below).
Authorization endpoint: The URL hosted by the IdP where the user signs in.
Token endpoint: The URL hosted by the IdP that Arc XP calls, server to server, during the token exchange phase.

Integration Methods

If you are using Arc XP’s theme blocks for rendering your sign-in pages then please refer to this article for more details about signing in with your IdP.

If you are implementing your own sign-in pages then use the table below to find more information about the OIDC client APIs available for you to use from Arc XP’s Identity offering.

Initiate sign-in session: This API takes the client ID (as configured with both Arc XP and your IdP) as input and returns a redirect URL that takes your user to your IdP to sign in. The URL is an OIDC-compliant authorization request. After calling the API you are responsible for redirecting the browser, and you may change the URL before redirecting; leave the parameters that bind the request to this sign-in attempt (such as client_id, redirect_uri, scope, state and code_challenge) as they are, since the IdP or the token exchange will reject a request in which they have been altered, and confine changes to additions such as login_hint or prompt.
Finish sign-in session: This API takes the token (in the authorization code with PKCE flow, the authorization code) that your IdP issued on the redirect as input and exchanges it, server to server, with the IdP to retrieve information about the user. If successful, the API returns Arc XP's access and refresh tokens and the user is now signed in to their Arc XP account. See this article for more details about Arc XP's tokens.

Please note that you should not use the Finish sign-in session API directly as the OIDC/OAuth redirect URI at your IdP. Instead, host a page, with script on it, as the Redirect URI: that page receives the redirect from the IdP, checks that the response belongs to the sign-in attempt it started (the state parameter), extracts the token (authorization code) issued by the IdP from the query string, and only then calls the API to receive Arc XP's tokens. Treat that code as single-use and short-lived: do not log it, and remove it from the browser's URL and history once the API has been called.
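The following is an added example, not Arc XP's own code, of the browser-side script that sits between the two APIs just described: it takes the redirect URL returned by the Initiate sign-in session API, remembers its state and adds only non-binding parameters before redirecting, and on the page hosted at the Redirect URI it checks the IdP's response and hands the authorization code to the Finish sign-in session API. Arc XP's endpoint paths and request body shape are not given on this page, so ARC_FINISH_URL and the { code } body are placeholders; the example also assumes the initiate URL carries a state parameter, as an OIDC authorization request normally does. All IdP URLs, client IDs and values are constructed.

```javascript
// Added example, not Arc XP's code: the browser-side glue around Arc XP's
// "Initiate sign-in session" and "Finish sign-in session" APIs. Arc XP's
// endpoint paths and request shapes are not given on the page, so
// ARC_FINISH_URL and the { code } body are placeholders. The example assumes
// the initiate URL carries a state parameter; all URLs, IDs and values are
// constructed. Runs in a browser; the pure functions also run under Node.
const ARC_FINISH_URL = "/placeholder/arc-xp/finish-sign-in"; // placeholder, not a real Arc XP path
const STATE_KEY = "arcxp_oidc_state";

// Parameters the initiate API bound to this sign-in attempt. The IdP and the
// token exchange check them later, so callers may add parameters such as
// login_hint, prompt or ui_locales but must not change these.
const PROTECTED = new Set(["response_type", "client_id", "redirect_uri", "scope",
  "state", "nonce", "code_challenge", "code_challenge_method"]);

// Step 1: take the URL returned by the initiate API, add optional extra
// parameters, and return the URL to send the browser to plus the state the
// callback page must later compare against.
function prepareRedirect(initiateUrl, extra = {}) {
  const url = new URL(initiateUrl);
  const q = url.searchParams;
  if (q.get("response_type") !== "code" || !q.get("code_challenge")) {
    throw new Error("not an authorization-code-with-PKCE request");
  }
  if (!(q.get("scope") || "").split(" ").includes("openid")) throw new Error("openid scope missing");
  const state = q.get("state");
  if (!state) throw new Error("initiate URL carries no state; the callback cannot be protected against CSRF");
  for (const [k, v] of Object.entries(extra)) {
    if (PROTECTED.has(k)) throw new Error(`refusing to override ${k}`);
    q.set(k, v);
  }
  return { url: url.toString(), state };
}

// Step 2: on the page hosted at the Redirect URI, read what the IdP sent back.
// Returns { ok: true, code } or { ok: false, reason }.
function parseIdpRedirect(href, storedState) {
  const q = new URL(href).searchParams;
  if (q.get("error")) return { ok: false, reason: q.get("error"), detail: q.get("error_description") || "" };
  if (!storedState) return { ok: false, reason: "missing_state" };                    // no sign-in was started here
  if (q.get("state") !== storedState) return { ok: false, reason: "state_mismatch" }; // CSRF or mixed-up session
  const code = q.get("code");
  if (!code) return { ok: false, reason: "missing_code" };
  return { ok: true, code };
}

// Step 3: hand the code to Arc XP, which exchanges it with the IdP server to
// server and returns Arc XP's own access and refresh tokens. fetchImpl is
// injectable so the function can be exercised without a network.
async function finishSignIn(code, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(ARC_FINISH_URL, {
    method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify({ code }),
  });
  if (!res.ok) throw new Error(`finish sign-in failed: HTTP ${res.status}`);
  return res.json();
}

// Browser entry points (not exercised under Node).
function startSignIn(initiateUrl, extra) {
  const { url, state } = prepareRedirect(initiateUrl, extra);
  sessionStorage.setItem(STATE_KEY, state);
  window.location.assign(url);
}

async function onCallbackPageLoad() {
  const stored = sessionStorage.getItem(STATE_KEY);
  sessionStorage.removeItem(STATE_KEY);                     // a state is good for one attempt only
  const result = parseIdpRedirect(window.location.href, stored);
  history.replaceState(null, "", window.location.pathname); // keep the code out of history and referrers
  if (!result.ok) throw new Error(`sign-in failed: ${result.reason}`);
  return finishSignIn(result.code);                         // Arc XP access and refresh tokens
}
```

The state comparison in step 2 is what makes hosting your own callback page worthwhile: a response that carries an unknown or missing state is dropped before any code reaches Arc XP, and a state is cleared after one use so a replayed callback URL fails the same check. Step 1 refuses to let callers touch the bound parameters, which keeps the "you are free to make changes to the URL" freedom to additions the IdP can honour.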