OIDC Federation
QNSP supports OpenID Connect for federated authentication.
Configuration
Register an OIDC federation provider:
{
  "id": "google-oidc",
  "provider": "oidc",
  "name": "Google Workspace",
  "enabled": true,
  "metadata": {
    "issuer": "https://accounts.google.com",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://oauth2.googleapis.com/token",
    "userInfoEndpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "clientId": "...",
    "clientSecret": "...",
    "scopes": ["openid", "email", "profile"]
  }
}
Flow
- Your client completes an authorization code flow with the IdP.
- Exchange the authorization code via QNSP:

  POST /auth/federation/oidc/callback
  {
    "providerId": "google-oidc",
    "code": "<authorization_code>",
    "state": "<optional_state>"
  }

- QNSP exchanges the code for IdP tokens, fetches user info, and issues QNSP access/refresh tokens.
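The client-side half of the flow above, as an added example (not QNSP's own code): it generates a `state` value, builds the IdP authorization URL from the provider metadata, and checks the IdP redirect before building the callback body. The redirect URI, the placeholder client ID and the function names are assumptions.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; the client ID and redirect URI are placeholders.
PROVIDER = {
    "id": "google-oidc",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "clientId": "<client_id>",
    "scopes": ["openid", "email", "profile"],
}
REDIRECT_URI = "https://app.example.test/oidc/redirect"  # assumption


def start_login(provider, redirect_uri):
    """Return (authorization_url, state); keep state in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    query = urlencode({
        "response_type": "code",
        "client_id": provider["clientId"],
        "redirect_uri": redirect_uri,
        "scope": " ".join(provider["scopes"]),
        "state": state,
    })
    return f"{provider['authorizationEndpoint']}?{query}", state


def build_qnsp_callback(provider, redirect_url, expected_state):
    """Check the IdP redirect, then return the JSON body for
    POST /auth/federation/oidc/callback. Raises ValueError on any mismatch."""
    params = parse_qs(urlparse(redirect_url).query)
    if "error" in params:
        raise ValueError(f"IdP returned error: {params['error'][0]}")
    codes, states = params.get("code", []), params.get("state", [])
    # Duplicated or missing parameters are rejected rather than guessed at.
    if len(codes) != 1 or len(states) != 1:
        raise ValueError("expected exactly one code and one state")
    # The request body marks state as optional; this client always requires it
    # and compares it in constant time (bytes, so non-ASCII input cannot crash).
    if not expected_state or not hmac.compare_digest(
            states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect is not from this session")
    return json.dumps(
        {"providerId": provider["id"], "code": codes[0], "state": states[0]})
```
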
Claim mapping
Map IdP claims to QNSP attributes:
| IdP Claim | QNSP Attribute |
|---|---|
| sub | External ID |
| email | |
| name | Display name |
| groups | Roles (if configured) |
Supported providers
- Google Workspace
- Microsoft Entra ID
- Okta
- Auth0
- Any OIDC-compliant provider
JIT provisioning
Users are created on first login if JIT provisioning is enabled.