Skip to main content
Third-party Integration

OIDC integration

This guide shows you how to integrate OpenID Connect (OIDC) with your application, outlining the configuration steps and key considerations.
Applicable editionDedicated Edition

Background information

OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol. It allows applications to verify a user's identity and obtain basic profile information in a secure and standardized way.

Built-in users

Enterprise administrators can configure and manage OIDC integration in Enterprise Management > Third-party Integration. To create users that are not in your OIDC provider, select the Support built-in users, and allow creating users outside the synchronization scope checkbox.

Configure OIDC

Step 1: Configure the OIDC client

Before you begin, ensure you have an OIDC client configured in your identity provider. Enter the following information:
  • Client ID
  • Client Secret
  • Issuer URL
The page displays a callback URL: https://yunxiao.aliyun.com/users/callback/oidc. Copy this URL and add it to your OIDC provider's configuration. To bypass certificate validation, enable the Skip HTTPS verification toggle. After you enter the information, click Next.

Step 2: Configure account binding and attribute mapping

You can identify and bind accounts using one of the following four methods:
  • Automatically bind accounts with the same email address.
  • Automatically bind accounts with the same login ID.
  • Automatically bind accounts with the same phone number.
  • Automatically bind accounts with the same employee ID.
Ensure that the attribute for your chosen method is unique and exists in your sync source. Qoder CN uses this attribute to match accounts. The following diagram shows the binding process when you select Automatically bind accounts with the same email address: Next, configure the user attribute mapping. Qoder CN will map user information based on these settings. Enter the Account Unique Identifier. This attribute uniquely identifies an OIDC user account and cannot be changed after submission. The default user attribute mappings are as follows: Name maps to name, Login ID maps to user_name, Email maps to email, Phone maps to mobile, Employee ID maps to employId, and Nickname maps to nickname. When you are finished, click Next.

Step 3: Enable single sign-on

Single sign-on (SSO) is disabled by default. After you enable it, configure the following settings:
  • Add the Qoder CN callback URL to your OIDC client configuration.
  • Customize the Display Name and Display Icon. Qoder CN will use these to display the OIDC login option on the sign-in page.
  • Allow creating a Qoder CN account on first login:
    • If disabled (default), users can only bind to existing Qoder CN accounts. If no match is found, a new account will not be created.
    • If enabled, Qoder CN automatically creates and binds a new account when it finds no existing match.
You can save the configuration without enabling single sign-on. You can enable it later from the OIDC integration details page. In the single sign-on section, click Enable Service. After you complete the configuration, click Save.

Sign in to Qoder CN with OIDC

After you enable single sign-on, the OIDC login option appears on the Qoder CN sign-in page. Click the option to go to the OIDC sign-in page. Users with a bound OIDC account can sign in there.

Sign out

Signing out of Qoder CN also ends your session with the OIDC identity provider (IdP).

Session duration

The session duration is determined by the settings in Qoder CN. If a session exceeds the configured time limit, Qoder CN signs you out. You must sign in again to continue.

Modify OIDC configuration

On the OIDC integration details page, click View/Modify Configuration. In the drawer that opens, you can modify user attribute mappings. You cannot change other configuration settings.

Disable single sign-on

On the OIDC integration details page, click Modify Service Configuration. In the drawer that opens, you can disable the single sign-on service. Disabling the service has the following effects:
  • The account binding between Qoder CN accounts and OIDC accounts is not removed.
  • Users can no longer sign in to Qoder CN using OIDC. To sign in to Qoder CN, they must use their Qoder CN username and password.

Remove OIDC integration

On the OIDC integration details page, click Remove Integration and confirm the action. This has the following effects:
  • The account binding between Qoder CN accounts and OIDC accounts is removed.
  • Users can no longer sign in to Qoder CN using OIDC. To sign in to Qoder CN, they must use their Qoder CN username and password.
Guides
Tutorials
  • Coding with Qoder CN
Developer Reference