OIDC

The authentication flow for OpenID Connect involves the following steps:

  1. The auth client (SingleStore) creates a request and redirects to the server’s authentication endpoint.

  2. The server also creates a request and redirects (or displays) a login page.

  3. When login is complete, the server redirects back to the client, providing an authorization code.

  4. The client then makes a direct request (not via the browser) to the server to exchange the authorization code for tokens (refresh, access, and ID).

  5. The client stores the tokens and uses the ID token to ask the server for user information (name, email).

Access and ID tokens may have short expiry times. When they expire, the token endpoint is used to obtain new tokens using the refresh token.

The ID token is always a signed JWT (JSON Web Token) with an expiration time. The access token may be a JWT. The refresh token is typically not a JWT, but it can be one. The refresh token should be persisted server-side so that it can be invalidated. The access and refresh tokens may also be persisted server-side for invalidation purposes, but that is generally not required because they generally expire quickly.

The configuration items available from the SingleStore Helios Portal are:

  • Login Initiation URL: This is used for an IdP-initiated login. When using this URL, the SingleStore login screen is bypassed, but otherwise this is a normal authentication flow.

  • Login Redirect URLs: This is the URL that the IdP may redirect to when it has verified the login.

  • Logout Redirect URLs: This is where to redirect to after logout to return to a SingleStore login screen.

Most of the configuration comes from the IdP. This includes:

  • Issuer: a URL that identifies the connection. The discovery endpoint is usually Issuer + "/.well-known/openid-configuration". It should be a working URL that returns an OpenID configuration block.

  • Client ID

  • Client Secret

  • PKCE is usually supported and it should be enabled.

  • The set of required scopes for the OIDC client to request. This will always include 'openid' and will usually include 'email' and 'profile'. Other scopes may also be required. The set of supported scopes is listed in the discovery endpoint's response. Do not include any scope that is not supported by your IdP.

If the global logout setting is true, then when a user logs out of a SingleStore site (portal, etc.) SingleStore also attempts to log them out of their IdP. In the SingleStore Helios Portal this is specified as Attempt Global Logout.
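The client-side pieces described above (discovery URL from the Issuer, scope validation against the discovery document, PKCE, the authorization request of step 1, and the ID-token claim checks of step 5), as an added example that is not SingleStore's code. The discovery document, `https://idp.example.com`, `client-123` and the callback URL are constructed placeholders; the example assumes the ID token's signature has already been verified against the IdP's JWKS.

```python
import base64, hashlib, json, secrets, time
from urllib.parse import urlencode

# Constructed sample of what Issuer + "/.well-known/openid-configuration" returns.
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
    "code_challenge_methods_supported": ["S256"],
}

def discovery_url(issuer):
    # Tolerate a trailing slash on the issuer so the path is not doubled.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_scopes(requested, disco):
    # 'openid' is mandatory; anything else must be advertised by the IdP.
    if "openid" not in requested:
        raise ValueError("scope list must include 'openid'")
    unsupported = sorted(set(requested) - set(disco["scopes_supported"]))
    if unsupported:
        raise ValueError(f"IdP does not support scopes: {unsupported}")
    return " ".join(requested)

def pkce_pair():
    # RFC 7636 S256: challenge = base64url(sha256(verifier)) with padding stripped.
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_auth_request(disco, client_id, redirect_uri, scopes):
    # Step 1: the redirect the client sends the browser to. The session keeps the
    # verifier (for the code exchange) plus state and nonce (to bind the response).
    verifier, challenge = pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": check_scopes(scopes, disco), "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return disco["authorization_endpoint"] + "?" + urlencode(params), \
        {"code_verifier": verifier, "state": state, "nonce": nonce}

def check_id_token_claims(id_token, disco, client_id, nonce, now=None):
    # Payload checks (after JWKS signature verification, not shown): issuer,
    # audience, expiry and the nonce issued in step 1 must all match.
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = time.time() if now is None else now
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    ok = (claims["iss"] == disco["issuer"] and client_id in aud
          and claims["exp"] > now and claims.get("nonce") == nonce)
    return ok, claims
```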

Last modified: January 10, 2024
