> ## Documentation Index
> Fetch the complete documentation index at: https://ngrok.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# OpenID Connect Action
> The OpenID Connect (OIDC) action restricts access to only authorized users by enforcing OIDC through an identity provider of your choice.
export const ConfigChildren = ({children}) => {
return
{children}
;
};
export const ConfigField = ({title, type, cel = false, defaultValue = false, required = false, children}) => {
const id = `config-${title.replace(/\.|\s|\*/g, "_")}`;
return
{title}
{type &&
{type}
}
{defaultValue &&
default:
{defaultValue}
}
{required &&
Required
}
{cel &&
Supports CEL
}
{children}
;
};
The **OpenID Connect** Traffic Policy action restricts access to only authorized users
by enforcing **OIDC** through an identity provider of your choice.
## Configuration reference
The [Traffic Policy](/traffic-policy/) configuration reference for this action.
### Supported phases
`on_http_request`
### Type
`openid-connect`
### Configuration fields
The base URL of the Open ID provider that serves an OpenID Provider
Configuration Document at `/.well-known/openid-configuration`.
Unique authentication identifier for this provider.
Used to scope the session cookie and to target this provider in login and logout paths.
See [Special paths](#special-paths).
Your OpenID Connect app's client ID.
Your OpenID Connect app's client secret.
A list of additional scopes to request when users authenticate with the
identity provider.
A map of additional URL parameters to apply to the authorization endpoint
URL.
Defines the maximum lifetime of a session regardless of activity.
Defines the period of inactivity after which a user's session is
automatically ended, requiring re-authentication.
How often should ngrok refresh data about the authenticated user from the
identity provider.
Allow CORS preflight requests to bypass authentication checks. Enable if
the endpoint needs to be accessible via CORS.
Sets the allowed domain for the auth cookie.
### Special paths
#### Logging users in
To start an OIDC authentication flow explicitly—for example, from a "Log in" button or link—redirect users to `/ngrok/login`.
After a successful authentication, ngrok redirects the user to `/`.
If you've configured `auth_id` to identify this provider, include it in the URL:
```
/ngrok/login?auth_id=my-provider
```
If the IdP supports it, ngrok instructs it to force re-authentication—users must re-enter their credentials even if they already have an active IdP session.
#### Logging users out
To end a user's session—for example, from a "Log out" button or link—redirect users to `/ngrok/logout`.
This clears the ngrok session cookie.
If you've configured `auth_id`, include it in the URL to target the correct provider:
```
/ngrok/logout?auth_id=my-provider
```
When using the Google OAuth 2.0/OIDC provider in Chrome with a [managed profile](https://support.google.com/chrome/a/answer/188446), `/ngrok/logout` only clears the ngrok session cookie; it does not end the Google/IdP session maintained by the browser.
Users may be silently re-authenticated on the next request.
To fully sign out, sign out of Chrome or Google (or use a non-managed profile or Incognito) in addition to calling `/ngrok/logout`.
### Events
When this module is enabled, it populates the following fields in the
[http\_request\_complete.v0](/obs/events/reference/#http-request-complete) event:
* `oauth.app_client_id`
* `oauth.decision`
* `oauth.user.id`
* `oauth.user.name`
### Supported providers
ngrok currently supports the following OAuth providers (see the Integration Guides for more details). In some instances, ngrok has a
[managed application](/traffic-policy/actions/oauth/#managed-applications) that allows you to configure OAuth without setting up your own application in your provider. This is useful for testing and
development, but when you move into production, use your own custom application in your specific provider.
| Provider | Provider Identifier | Managed App Available | Integration Guide |
| --------- | ------------------- | --------------------- | ---------------------------------------------------- |
| Amazon | `amazon` | no | [Documentation](/integrations/oauth/oauth/) |
| Facebook | `facebook` | no | [Documentation](/integrations/oauth/facebook-oauth) |
| GitHub | `github` | yes | [Documentation](/integrations/oauth/github-oauth) |
| GitLab | `gitlab` | yes | [Documentation](/integrations/oauth/gitlab-oauth) |
| Google | `google` | yes | [Documentation](/integrations/oauth/google-oauth) |
| LinkedIn | `linkedin` | yes | [Documentation](/integrations/oauth/linkedin-oauth) |
| Microsoft | `microsoft` | yes | [Documentation](/integrations/oauth/microsoft-oauth) |
| Twitch | `twitch` | yes | [Documentation](/integrations/oauth/twitch-oauth) |
## Try it out
Consult the list of [supported providers](#supported-providers) for
step-by-step integration guides.
## Behavior
### Callback URL
When you create your own OIDC app, you must specify a 'Callback URL' or
'Redirect URL' to the OIDC provider. When using ngrok's OIDC action, that
Callback URL is always:
```
https://idp.ngrok.com/oauth2/callback
```
### Authentication
When an unauthenticated request is made to an OIDC-protected endpoint, it
returns a redirect response that begins an authentication flow with the
configured identity provider. The original URI path is saved so that users can
be redirected to it if they successfully authenticate.
**If the user fails to authenticate with the identity provider**, ngrok will
display an error describing the failure returned by the identity provider and
prompt them to try logging in again.
**If the user successfully authenticates with the identity provider**, ngrok
will take the following actions:
* Check any authorization constraints you've defined (like allowed
emails or allowed email domains). If the user is not authorized, ngrok renders
an error and prompts them to try logging in again.
* Sets a [session cookie](#cookies) to avoid repeating the authentication flow again.
* Redirects the user to the original URI path they were attempting to access
before the authentication flow began. If no such URI path was captured, they
are redirected to `/`.
### Continuous authorization
When an authenticated user makes a request, ngrok will sometimes refresh a
user's data from the identity provider (email, name, etc) and re-evaluate
authorization constraints. This refresh is executed as a back channel request to
the identity provider; it is transparent to the user and they do not go through
a re-authentication flow.
The following circumstances trigger refresh and authorization re-evaluation:
* On a periodic interval defined by the [`userinfo_refresh_interval`](/traffic-policy/actions/oidc/#configuration-fields) parameter.
* If you update the OIDC configuration of the endpoint by restarting your
agent with a new configuration.
* If you update the OIDC configuration of the endpoint.
If a previously authenticated user becomes unauthorized because their identity
provider information changed or because the OIDC action configuration changed,
they are presented an error and are prompted to try logging in again.
### Traffic Identities
ngrok's [Traffic Identities](/traffic-policy/identities/) feature can be used to observe
all of the authenticated user activity across your account in the ngrok
dashboard or via API. Whenever a user authenticates or accesses an endpoint
with a configured OIDC action, their Traffic Identity record is created or updated.
You may also use Traffic Identities to remotely log a user out by [revoking a
session](/traffic-policy/identities/#revoke-sessions).
### Cookies
This action sets two cookies in its operation. Cookies values are opaque to the
upstream service and must not be modified.
| Cookie | Description |
| --------- | --------------------------------------- |
| `session` | Used to track an authenticated user. |
| `nonce` | Used to secure the authentication flow. |
### Non-terminating action
This is a **Non-terminating action**. It does not return a response, and will allow Traffic Policy processing to continue to the next Action in the chain. All **Cloud Endpoint** Traffic Policies must end with a terminating action. This requirement does not apply to **Agent Endpoints**.
## Examples
### Using a managed provider
The following [Traffic Policy](/traffic-policy/)
configuration will provide your app with an authentication step.
```yaml policy.yml theme={null}
on_http_request:
- actions:
- type: openid-connect
config:
issuer_url: '{your issuer url}'
client_id: '{your app''s oauth client id}'
client_secret: '{your app''s oauth client secret}'
scopes:
- openid
- profile
- email
```
```json policy.json theme={null}
{
"on_http_request": [
{
"actions": [
{
"type": "openid-connect",
"config": {
"issuer_url": "{your issuer url}",
"client_id": "{your app's oauth client id}",
"client_secret": "{your app's oauth client secret}",
"scopes": [
"openid",
"profile",
"email"
]
}
}
]
}
]
}
```
## Action result variables
The following variables are made available for use in subsequent expressions and
CEL interpolations after the action has run. Variable values will only apply
to the last action execution, results are not concatenated.
Code for an error that occurred during the invocation of an action.
Message for an error that occurred during the invocation of an action.
Unique identifier for the ngrok Identity entity
Email address of the authorized user from the provider.
Name for the authorized user from the provider.
Identifier for the authorized user from the provider.
The current Identity session identifier for this request.
The identity token from the provider for the current user.
The access token from the provider.
The refresh token from the provider.
Timestamp when the current session will expire.
Returns true when the session timed out.
Returns true when the current session reached the max duration.
Returns true when ngrok updates the user information on the identity.