OpenID Connect Single Sign-On (SSO) Configuration
You can implement OpenID Connect for SSO purposes to support embedded widgets integrated using custom elements. To implement SSO with OpenID Connect, the utility website acts as the Relying Party (RP) and must have an integrated authentication server that conforms to the OpenID Connect specification. This documentation refers to these authentication servers as OpenID Providers.
Note: Standalone Oracle Utilities products rely on SAML for SSO implementation. A utility must use OpenID Connect to implement SSO for embedded widgets. Refer to the Oracle Utilities Opower Digital Self Service - Energy Management Embeddable Widgets Integration Guide for information on embedding widgets using custom elements.
On this page:
Utility Configuration Checklist
SSO relies on standards-based communication between an OpenID Provider authentication server managed by the utility and the server managed by Oracle Utilities. The following steps are required to set up and configure SSO for OpenID Connect.
Note: Oracle Utilities supports configuration with multiple authorization servers. In this scenario, the following configuration checklist must be completed for each authorization server.
- Set up two OpenID Providers, one stage server and one production server.
- Implement customer Access Tokens which must be passed in through an Opower API for webpages that embed widgets. For information on the separate embedding process, see the Oracle Utilities Opower Digital Self Service - Energy Management Embeddable Widgets Integration Guide.
- Complete the steps for Creating a UserInfo Endpoint with Custom Claims.
- Provide the UserInfo Endpoint URI, the applicable public key URI, and an optional subscription key to the Oracle Utilities Delivery Team. The public key URI is made available by the OpenID Provider, commonly through the use of a discovery endpoint. Confirm this URI with the OpenID Provider if required. Refer to Access Tokens for information on UserInfo Endpoint URI requirements based on your setup.
- Enable VPN access and test login accounts for the Oracle Utilities Delivery Team to your stage environment. This access is used to complete required testing and troubleshooting. If your test site is behind a firewall, ensure that you add the Oracle Utilities IP address to your allowlist. Contact your Delivery Team to retrieve the Oracle Utilities IP address value.
Access Tokens
Your web portal system must be able to supply an access token of the currently logged in user to Oracle Utilities embedded widgets. Oracle Utilities does not support refreshed access tokens that have expired. Your web portal system must support subsequent access token requests to retrieve a new access token when the previous access token has expired (see Authenticated Connection Storage).
JSON Web Token Access Tokens
Oracle Utilities recommends supporting access tokens as JSON Web Token (JWT), which conform to the JWT standard, as it allows for additional security validations as compared to opaque access tokens.
You must define the following JWT registered payload claims:
aud
: The list of Audiences, which are authorized to call an Oracle Utilities Opower API endpoint. Audiences are defined by the OpenID Provider. Confirm the audience values with the OpenID Provider and provide the values to the Oracle Utilities Delivery Team.iat
andexp
: These two claims define the access token expiration timeout. Theiat
claim defines the time the access token was issued, and theexp
claim defines when the access token should expire. Be aware that Oracle Utilities enforces a maximum access token expiration timeout of 24 hours. If the difference betweeniat
andexp
claims in the token exceeds 24 hours, the 24 hour maximum fromiat
time is enforced.
Warning: Failure to provide valid aud
, exp
, or iat
claims results in an authentication error.
Opaque Access Tokens
Oracle Utilities supports the use of opaque access tokens but discourages their use as they do not benefit from the security advantages of JWT access tokens.
Opaque access tokens do not provide a uniform method to describe access token expiration. Therefore, Oracle Utilities allows for the configuration of a token expiration. If no expiration is specified, Oracle Utilities enforces a default expiration of 15 minutes.
Creating a UserInfo Endpoint with Custom Claims
You must create a UserInfo API endpoint, which is used by Oracle Utilities to retrieve additional user information. After validating a JWT access token (see Access Tokens), Oracle Utilities sends an HTTPS GET
request with the Authorization: Bearer OP_issued_access_token
header to the URI that you have provided. Oracle Utilities calls this endpoint to:
- Retrieve a list of all utility accounts associated with a web user.
If the web user has multiple premises and you intend to support account switching in your web portal, the UserInfo endpoint must respond with all valid accounts for the web user. For additional information on account switching, see the Oracle Utilities Opower Digital Self Service - Energy Management Embeddable Widgets Integration Guide. - Retrieve a unique user identifier using the registered token claim
sub
. This endpoint must conform to the OpenID Connect specification about UserInfo Endpoints and support custom claims.
Note: While the OpenID Connect standards require a POST method, Oracle Utilities does not require a POST method to support the OpenID Connect workflow. Therefore its definition is out of scope of this documentation.
Be aware that this secure GET
request is a service-to-service request which uses the access token in the header section. No data or information is sent as part of the GET
query parameters through the requested URL. The GET
request must use HTTPS and thus SSL verification is also required for the UserInfo Endpoint.
Note: In addition to the security provided by the access token, you can also request a subscription key to be provided as part of the GET
request. The subscription key must be retrieved from your OpenID Provider and then must be sent to your Oracle Utilities Delivery Team using the methods described in Contacting Your Delivery Team.
A sample UserInfo GET
Endpoint is provided below, along with a table of possible responses.
GET /userinfo
Authorization: Bearer OP_issued_access_token
Status Code | Response | Comments |
---|---|---|
200 | {
|
|
401 | {
|
The bearer token has expired. |
JSON Schemas
The example JSON schema specifies the structure and elements that Oracle Utilities expects in the JSON for the /userinfo endpoint, which is required in support of OpenID Connect implementation of SSO for embedded widgets. For more information on the /userinfo endpoint, see Creating a UserInfo Endpoint with Custom Claims.
{ "definitions": {}, "$schema": "http://json-schema.org/draft-07/schema#", "$id": "http://example.com/root.json", "type": "object", "title": "The Root Schema", "required": [ "sub", "user_accounts" ], "properties": { "sub": { "$id": "#/properties/sub", "type": "string", "title": "Unique identifier of currently logged in user", "default": "", "pattern": "^(.+)$" }, "user_accounts": { "$id": "#/properties/user_accounts", "type": "array", "title": "The user_accounts Schema", "items": { "$id": "#/properties/user_accounts/items", "type": "object", "title": "The Items Schema", "minProperties": 1, "required": [ "id" ], "properties": { "id": { "$id": "#/properties/user_accounts/items/properties/id", "type": "string", "title": "account id", "pattern": "^(.+)$" }, "display_name": { "$id": "#/properties/user_accounts/items/properties/display_name", "type": "string", "title": "The display_name Schema", "default": "" } } } } } }
Authenticated Connection Storage
Oracle Utilities stores access tokens and user information after user validation. Any subsequent calls to Oracle Utilities services while the access token is still valid re-use the stored information. After expiration, Oracle Utilities requires a new token to initiate another authenticated connection. For information on supplying access tokens, see the Oracle Utilities Opower Digital Self Service - Energy Management Embeddable Widgets Integration Guide.
OpenID Connect Workflow
The following diagram describes the overall workflow that is completed to support OpenID Connect authentication. This includes a user's initial log in to the utility portal through the final display of a widget. A step-by-step description of the workflow is provided along with the diagram.
Note: The workflow described below assumes the use of JWT access tokens (see JSON Web Token Access Tokens). Access token validation steps are not applied by Oracle Utilities if opaque access tokens are used, and any opaque access token validation is the responsibility of the utility.
When a user accesses embedded widget content and an active user session is not available, the authentication process using OpenID Connect is started. This process involves the user, the utility portal hosting the embedded widget, the utility OpenID Provider, the embedded widget, and Oracle Utilities services and data.
- The process begins with a user accessing a utility portal page with an embedded widget. A user access token is required for Oracle Utilities to authenticate the user and display an embedded widget. A user access token can be obtained by following the example steps below for OpenID Connect, or using other means:
- The utility portal redirects the user to a login page hosted by the utility OpenID Provider to begin the authorization process.
- The utility OpenID Provider redirects the authenticated user to the utility portal with an authorization code.
- The utility portal requests an OpenID Connect token from the utility OpenID Provider by providing a clientID and client secret and an authorization code.
- The utility OpenID Provider returns an access token to the utility portal. This completes the user's log in to the utility portal.
- After a valid access token is retrieved by the utility portal, the utility portal makes a request to load the embedded widget for the user.
- An embedded widget emits browser window event
opower:unauthorized
. - The utility portal must respond to this event with a user access token. For more information on these requirements, see Access Tokens.
- The embedded widget provides the user access token to Oracle Utilities using an API call.
- Oracle Utilities starts user access token validation for JWT access tokens, which first requests the applicable public keys from the utility OpenID Provider.
- The utility OpenID Provider public key URI provides the public key information to Oracle Utilities.
- Oracle Utilities validates the signature of the user JWT access token with the information provided by the utility.
- Oracle Utilities requests user information from the UserInfo endpoint that is provided by the utility.
- The utility portal provides the requested user information through a UserInfo Endpoint. For more information on these requirements, see Creating a UserInfo Endpoint with Custom Claims. Be aware that the user information request uses a timeout of 10 seconds.
- Oracle Utilities retrieves the applicable user data.
- Oracle Utilities provides the user data to the embedded widget.
- The embedded widget updates on the utility portal to reflect and display applicable user data.