# OpenID Connect authentication

If you're a Control Center administrator, you can use Control Center to add and manage OpenID Connect (OIDC) authentication configurations for an organization. OIDC for Servers is the preferred way to authenticate with the Pismo platform. It provides greater security guarantees in service communications than basic authentication using client credentials. In addition, OpenID Connect supports multi-tenancy, allowing for multiple tenants to run in a single instance of the application while keeping their configurations and data isolated.

> 📘 Dual approval
>
> If your company is using the dual approval feature (beta release), creating, editing, or deactivating an OpenID authentication configuration requires approval. With dual approval, you initiate the change and submit a request for approval. A second person must review and approve it. The change doesn't take effect until the request is approved.
>
> For more information about dual approval, refer to [Dual approval](https://developers.pismo.io/pismo-docs/docs/dual-approval).

# Create OpenID authentication configuration

To add an OpenID authentication configuration to an organization, you must provide a public encryption key for use when authenticating with the Pismo platform. You also must specify one of the following authentication types:

* **Standard**—Gives the organization access to all Pismo endpoints that the customer has access to. It is managed internally by the Pismo platform.
* **Third-party**—Gives access to selected Pismo endpoints, based on OIDC permission groups. This method is typically managed for you by a third-party provider and is not available through the Pismo Call Center.

<Callout icon="📘" theme="info">
  Only standard authentication is available within Control Center. For more information on third-party authentication, refer to [Third-party authentication with OpenID Connect](https://developers.pismo.io/pismo-docs/docs/third-party-authentication-with-openid).
</Callout>

To create an OpenID authentication configuration:

1. From the main menu, select **Users & permissions** > **OpenID**.
2. On the **OpenID** screen, select **Create**.
3. On the **Create new OpenID** screen, select **Standard** as the authentication type (third-party is not currently available within Control Center).
4. Provide the public encryption key. Either paste it onto the **Public key** field or drag a text file into the upload area of the screen, then select **Create**.

For more information about using OIDC with the Pismo platform, see [Authentication with OpenID Connect](https://developers.pismo.io/pismo-docs/docs/authentication-with-openid#server-authentication).

# View and edit OpenID Connect authentication configurations

The following table describes the elements of an OIDC authentication configuration.

<Table align={["left","left","left"]}>
  <thead>
    <tr>
      <th>
        Field
      </th>

      <th>
        Description
      </th>

      <th>
        Example
      </th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>
        Tenant ID
      </td>

      <td>
        Organization ID
      </td>

      <td>
        `tn-123456-A789-42A2-8B0E-2052D05577D7`
      </td>
    </tr>

    <tr>
      <td>
        auth\_type
      </td>

      <td>
        Authentication type
      </td>

      <td>
        `STANDARD` (the `THIRD_PARTY` type is not available in the current release)
      </td>
    </tr>

    <tr>
      <td>
        Status
      </td>

      <td>
        Status of the authentication configuration
      </td>

      <td>
        ACTIVE
      </td>
    </tr>

    <tr>
      <td>
        public\_key
      </td>

      <td>
        Public encryption key used for authentication
      </td>

      <td>
        \----BEGIN CERTIFICATE----\
        MIIEajCCAtKgAwIBAgIQaA1mKgVN/KPB4gLfCWcDUDADCpyb2\
        . . .\
        \----END CERTIFICATE-----
      </td>
    </tr>

    <tr>
      <td>
        created\_at
      </td>

      <td>
        Timestamp when the authentication configuration was created
      </td>

      <td>
        9/13/24 14:58
      </td>
    </tr>

    <tr>
      <td>
        update\_at
      </td>

      <td>
        Timestamp when the authentication configuration was last updated
      </td>

      <td>
        9/13/24 14:58
      </td>
    </tr>

    <tr>
      <td>
        signer\_audience
      </td>

      <td>
        Audience for the signer
      </td>

      <td>
        Can be an ID or a URL
      </td>
    </tr>

    <tr>
      <td>
        signer\_issuer
      </td>

      <td>
        Issuer for the signer
      </td>

      <td>
        Can be an ID or a URL
      </td>
    </tr>

    <tr>
      <td>
        verifier\_audience
      </td>

      <td>
        Audience for the verifier
      </td>

      <td>
        Can be an ID or a URL
      </td>
    </tr>

    <tr>
      <td>
        verifier\_issuer
      </td>

      <td>
        Issuer for the verifier
      </td>

      <td>
        Can be an ID or a URL
      </td>
    </tr>

    <tr>
      <td>
        verifier\_subject
      </td>

      <td>
        Subject for the verifier
      </td>

      <td>
        Can be an ID or a URL
      </td>
    </tr>
  </tbody>
</Table>

> 🚧 Deactivating a configuration
>
> A configuration cannot be deleted, only deactivated. Once deactivated, it cannot be reactivated.

To view and edit OpenID authentication configurations:

> 📘 Admin access required
>
> The following instructions and options are only available to users who are Control Center admins for your organization.

1. From the main menu, select **Users & permissions** > **OpenID**.
2. On the **OpenID** screen, select an OpenID configuration to view its details.
3. (Optional) You can also do one of the following on the **OpenID** screen:
   1. Select the **Active** toggle to deactivate the OpenID authentication configuration.
   2. Select **Edit** to change the public key value.