tencent cloud


Overview of OIDC Role-Based Single Sign-On

Last updated: 2024-01-23 17:48:51
    OIDC is an authentication protocol built on OAuth 2.0. Tencent Cloud CAM supports OIDC role-based SSO.

    Basic Concepts

    OIDC is an authentication protocol built on OAuth 2.0. While OAuth is an authorization protocol, OIDC constructs an identity layer on top of it. In addition to the authorization capabilities provided by OAuth, OIDC also allows clients to verify the identity of end users and obtain their basic information through the API of the OIDC protocol (in the form of HTTP RESTful).
    OIDC Token
    OIDC can issue identity tokens on behalf of logged-in users to applications, known as OIDC tokens.
    OIDC tokens are used to retrieve the basic information of the logged-in user.
    Temporary ID Credential
    Security Token Service (STS) is a temporary access permission management service provided by Tencent Cloud. It allows for the acquisition of temporary identity credentials (STS Token) with customized validity and access permissions.
    Issuer URL
    The Issuer URL, provided by the external IdP, corresponds to the 'iss' field value of the OIDC Token.
    The Issuer URL must start with https, conform to the standard URL format. But it should not contain query parameters (indicated by ?), fragment sections (indicated by #), or login information (indicated by @).
    Client ID
    When your application is registered with an external IdP, a Client ID is generated.
    When you apply for an OIDC token issued from an external IdP, you must use this client ID. The issued OIDC token will also carry this client ID in the 'aud' field.
    During the creation of an OIDC idP, this client ID is configured. Then, when using the OIDC token to exchange for an STS Token, Tencent Cloud verifies whether the client ID carried in the 'aud' field of the OIDC token matches that configured in the OIDC IdP. Role assumption is only permitted when they are consistent.


    When enterprise applications need to frequently access Tencent Cloud, using a fixed access key (AccessKey) can pose a security risk if there is no adequate security measures in place and the AccessKey is leaked. To address this issue, some enterprises register their applications with their own or third-party IdP that support OIDC (such as Google G Suite or Okta), to generate OIDC tokens for the applications using the capabilities of the OIDC IdP. In this scenario, with the role-based SSO capability provided by Tencent Cloud CAM, enterprise applications can exchange their OIDC tokens for Tencent Cloud temporary identity credentials (STS Token), thereby securely accessing Tencent Cloud resources.
    Moreover, some individual developers or small and medium-sized enterprises allow their employees to log in to Tencent Cloud using their identities registered on certain websites (such as social networking sites). If these websites support the generation of OIDC tokens, Tencent Cloud CAM can be used to accomplish SSO based on OIDC.

    Fundamental Procedure

    1. Register an application in an external IdP to obtain the application's Client ID.
    2. In Tencent Cloud CAM, create an OIDC IdP to establish a trust relationship between Tencent Cloud and the external IdP. For specific operations, please refer to Creating an OIDC Identity Provider.
    3. In Tencent Cloud CAM, create the OIDC IdP's CAM role and authorize it. For specific operations, please refer to Creating Role.
    4. Issue an OIDC token in the external IdP.
    5. Use the OIDC Token to exchange for an STS Token. For specific operations, please refer to AssumeRoleWithWebIdentity.
    6. Access Tencent Cloud resources using the STS Token.

    Parameter Configuration Sample Code

    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support