OpenID Connect is an authentication layer on top of OAuth 2.0, an authorization framework. The standard is controlled by the OpenID Foundation.

New in Tiki23. The library used is https://packagist.org/packages/steverhoades/oauth2-openid-connect-client

To enable OpenID Connect


Select "Tiki and OpenID Connect" from tiki-admin.php?page=login -> General preferences -> Authentication method.

Visit the OpenID Connect tab and fill in the preferences on that page.

Tiki uses the OpenID Connect Authorization Code flow: after a successful login at the provider, the user is redirected to the Tiki login page with a code passed as a query argument. Tiki then contacts the OpenID Connect provider to exchange that code for the access tokens.

The redirect URL configured at the provider should point to tiki-login.php.

OKTA OpenID Connect (example)


To use OKTA services you need to create an account at https://www.okta.com. Okta offers trial accounts; once your email is validated you will be redirected to your Okta Dashboard.

<SERVER_DOMAIN>: https://my.okta.com

pref                              value
Issuer URL                        <SERVER_DOMAIN>/oauth2/default
Provider URL Authorization        <SERVER_DOMAIN>/oauth2/default/v1/authorize
Provider URL user access token    <SERVER_DOMAIN>/oauth2/default/v1/token
JWKS URL                          <SERVER_DOMAIN>/oauth2/default/v1/keys

Keycloak OpenID Connect (example)


<SERVER_DOMAIN>: https://my.server.com
Realm: master

pref                              value
Issuer URL                        <SERVER_DOMAIN>/auth/realms/master
Provider URL Authorization        <SERVER_DOMAIN>/auth/realms/master/protocol/openid-connect/auth
Provider URL user access token    <SERVER_DOMAIN>/auth/realms/master/protocol/openid-connect/token
JWKS URL                          <SERVER_DOMAIN>/auth/realms/master/protocol/openid-connect/certs


Client ID and Client Secret are provided by the service when you register Tiki as a client.

How the user is linked


After a successful login, once the access token has been retrieved, Tiki uses the user's email address to match against the existing users.

How the user is created


If no user is matched and the preference "Create user if not registered in Tiki" is enabled, Tiki uses the preferred_username claim, or else the name claim, returned with the access_token to create a new user, and logs that user in right away.

If the username or name is already in use, Tiki returns an error.
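The linking and creation rules from the two sections above, as an added model written for this page (not Tiki's own code): the issuer value and the in-memory user table are constructed, and the refusal to link on an address the provider reports as unverified is an extra check this model adds, not behaviour the page describes.

```python
"""Model of Tiki's OIDC user linking/creation rules (constructed example, not Tiki code)."""
from dataclasses import dataclass, field

# The "Issuer URL" preference; the value is an assumption matching the Okta table above.
ISSUER_URL = "https://my.okta.com/oauth2/default"


@dataclass
class TikiUsers:
    """Tiny stand-in for Tiki's user table (constructed)."""
    by_email: dict = field(default_factory=dict)   # lower-cased email -> login name
    logins: set = field(default_factory=set)       # every login name in use


def link_or_create(claims: dict, users: TikiUsers, create_if_missing: bool) -> tuple:
    """Return (action, detail): ('login', user), ('created', user) or ('error', reason)."""
    # Only accept claims issued by the configured provider.
    if claims.get("iss") != ISSUER_URL:
        return ("error", "issuer mismatch")
    email = claims.get("email")
    if not email:
        return ("error", "no email claim")
    # Added check (not described on the page): never link on an unverified address.
    if claims.get("email_verified") is False:
        return ("error", "email not verified by provider")
    # Step 1: link by email (case-insensitive matching is an assumption of this model).
    existing = users.by_email.get(email.lower())
    if existing:
        return ("login", existing)
    # Step 2: create only when the "Create user if not registered in Tiki" pref is on.
    if not create_if_missing:
        return ("error", "no matching user and auto-creation disabled")
    # New login name: preferred_username first, then name.
    candidate = claims.get("preferred_username") or claims.get("name")
    if not candidate:
        return ("error", "no preferred_username or name claim")
    if candidate in users.logins:
        return ("error", f"login '{candidate}' already in use")
    users.logins.add(candidate)
    users.by_email[email.lower()] = candidate
    return ("created", candidate)
```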


Alias: OIDC