Authentication and OIDC
Authentication in Omnidocs Create
Overview
As an operator, you can configure OpenID Connect (OIDC) authentication for an organization. This allows the organization to authenticate users using another identity provider instead of Entra ID.
Omnidocs Create supports OIDC using the Authorization Code Flow with PKCE. This applies both to standard OAuth 2.0 integrations and to full OIDC configurations.
You configure OIDC per organization.
Supported authentication flows
Omnidocs Create uses the Authorization Code Flow with PKCE for all OIDC and OAuth 2.0 integrations.
You should always use this flow when configuring an identity provider.
This approach prevents token leakage, works securely in browser-based environments and aligns with modern OAuth 2.0 and OIDC best practices.
You can refer to the Keycloak documentation for a detailed explanation of this flow.
Public vs Confidential OIDC clients
When configuring OIDC, you must choose whether the organization uses a Public or Confidential client.
Public clients
You configure a public client when the identity provider does not require a client secret.
Public clients:
- Are not required to use a client secret
- Rely on HTTPS and strict redirect URI validation for security
- Are required for browser-based applications such as SPAs
Confidential clients
You configure a confidential client when the identity provider issues a client secret.
Confidential clients:
- Require a client secret when exchanging authorization codes for tokens
- Are typically used in server-to-server or backend-assisted flows
- Provide an additional layer of security
Choosing the right client type
You should choose a public client if authentication happens entirely in the browser.
You should choose a confidential client if your identity provider requires a client secret.
Both client types are supported by Omnidocs Create.
Required OIDC configuration details
When you configure OIDC for an organization, you must collect the required information from the customer or identity provider.
Public client configuration
For a public OIDC configuration, you need:
- OIDC Metadata or Discovery Endpoint
- Client ID
- Redirect URI:
https://[HOST]/auth/callback
You do not provide a client secret for public clients.
Confidential client configuration
For a confidential OIDC configuration, you need:
- OIDC Metadata or Discovery Endpoint
- Client ID
- Client Secret
- Optional Redirect URI:
https://[HOST]/auth/callback-web
You should store the client secret securely and treat it as sensitive information.
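The pieces the sections above describe (the PKCE verifier/challenge pair from the Authorization Code Flow, exact redirect URI matching, and the public versus confidential difference in the code-for-token exchange), as an added illustration that is not part of Omnidocs Create or its documentation. The host name and the `client_id` values are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholder host; the real value is the organization's [HOST].
ALLOWED_REDIRECT_URIS = {
    "https://host.example.com/auth/callback",      # public client
    "https://host.example.com/auth/callback-web",  # confidential client
}

def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge

def verify_pkce(verifier, challenge):
    """What the identity provider does at the token endpoint: recompute and compare."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return secrets.compare_digest(expected, challenge)

def redirect_uri_allowed(uri):
    """Strict validation: HTTPS only and an exact match, no prefixes or wildcards."""
    return uri.startswith("https://") and uri in ALLOWED_REDIRECT_URIS

def authorize_url(issuer, client_id, redirect_uri, code_challenge, state):
    """Build the authorization request; the challenge, not the verifier, is sent."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not registered")
    query = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
             "scope": "openid", "state": state,
             "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return issuer.rstrip("/") + "/authorize?" + urlencode(query)

def token_request(client_id, code, redirect_uri, code_verifier, client_secret=None):
    """Token-endpoint body: public clients send only the verifier,
    confidential clients add the client secret."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not registered")
    body = {"grant_type": "authorization_code", "client_id": client_id, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier}
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body
```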
Microsoft Entra reference
If the organization uses Microsoft Entra, you can refer to the SSO article for Microsoft Entra ID.
Operator responsibilities
As an operator, you are responsible for:
- Selecting the correct client type for the organization
- Verifying redirect URIs before enabling authentication
- Ensuring HTTPS is enforced
- Validating OIDC configuration with the customer before rollout
Please note that incorrect OIDC configuration can block user access for the entire organization.
