
OpenID Connect (OIDC)

OpenID Connect (OIDC) is a modern identity layer built on top of the OAuth 2.0 protocol. It enables applications to authenticate users by delegating identity verification to trusted external Identity Providers (IdPs) such as Google, Okta, Auth0, Azure AD, and other OIDC-compliant systems.

WaveMaker supports OpenID Connect authentication, allowing applications to rely on standardized token-based identity verification instead of managing credentials directly. This approach improves security, simplifies login flows, and enables seamless single sign-on (SSO) across applications.

In a WaveMaker application:

  • WaveMaker acts as the Client / Relying Party
  • An external system acts as the OpenID Provider (IdP)

How OpenID Authentication Works in WaveMaker

  1. A user attempts to access a secured WaveMaker application or page.
  2. The application redirects the user to the configured OpenID Provider.
  3. The Identity Provider authenticates the user.
  4. After successful authentication, the provider issues an ID Token (and optionally an access token).
  5. WaveMaker validates the token and establishes a user session.
  6. User identity and roles are resolved.
  7. Authorization rules are applied.

This flow allows secure authentication without exposing user credentials to the application.


OpenID Integration Architecture

  • Client (WaveMaker): Requests authentication and validates tokens
  • Identity Provider (IdP): Authenticates users and issues tokens
  • ID Token (JWT): Cryptographically signed token containing user identity
  • Metadata Discovery: Provider configuration retrieved using a discovery endpoint

WaveMaker uses OpenID metadata to dynamically discover provider endpoints, supported scopes, and signing keys.
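As an added example (not WaveMaker's own code), the checks a relying party should apply to a discovery document before trusting the endpoints it advertises: the issuer in the document must match the URL it was fetched from, every endpoint must be HTTPS, and the provider must support RS256 and the scopes the application requests. The JSON is constructed to mirror the shape of Google's document using the URLs quoted on this page; the function name is an assumption.

```javascript
// Constructed sample mirroring https://accounts.google.com/.well-known/openid-configuration
// (endpoint values are the ones this page quotes; the rest is illustrative).
const SAMPLE_DISCOVERY = JSON.stringify({
  issuer: 'https://accounts.google.com',
  authorization_endpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
  token_endpoint: 'https://oauth2.googleapis.com/token',
  userinfo_endpoint: 'https://openidconnect.googleapis.com/v1/userinfo',
  jwks_uri: 'https://www.googleapis.com/oauth2/v3/certs',
  id_token_signing_alg_values_supported: ['RS256'],
  scopes_supported: ['openid', 'email', 'profile'],
});

// Validate a fetched discovery document (body) before using anything in it.
// discoveryUrl is the URL the body was retrieved from; requiredScopes are the scopes
// the application will request (WaveMaker's generated default is openid,email,profile).
function loadProviderMetadata(discoveryUrl, body, requiredScopes = ['openid']) {
  const meta = JSON.parse(body);
  // OIDC Discovery rule: the issuer MUST equal the fetch URL minus the well-known suffix.
  // This is what stops a document served by one host from pointing you at another issuer.
  const expectedIssuer = discoveryUrl.replace(/\/\.well-known\/openid-configuration$/, '');
  if (meta.issuer !== expectedIssuer) {
    throw new Error(`issuer mismatch: ${meta.issuer} != ${expectedIssuer}`);
  }
  // The four endpoints WaveMaker retrieves; each must be present and served over TLS.
  const endpoints = {};
  for (const key of ['authorization_endpoint', 'token_endpoint', 'userinfo_endpoint', 'jwks_uri']) {
    const url = meta[key];
    if (typeof url !== 'string' || !url.startsWith('https://')) {
      throw new Error(`${key} missing or not https`);
    }
    endpoints[key] = url;
  }
  const algs = meta.id_token_signing_alg_values_supported || [];
  if (!algs.includes('RS256')) throw new Error('provider does not sign ID tokens with RS256');
  const supported = meta.scopes_supported || [];
  const missing = requiredScopes.filter((s) => !supported.includes(s));
  if (missing.length) throw new Error(`scopes not supported by provider: ${missing.join(',')}`);
  return { issuer: meta.issuer, ...endpoints, signingAlgs: algs };
}
```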


Supported Identity Providers

WaveMaker OpenID integration works with any OpenID Connect–compliant provider, including:

  • Google
  • Azure Active Directory
  • Okta
  • Auth0
  • Keycloak
  • Custom enterprise OpenID providers

Configuring OpenID Authentication in WaveMaker

  • OpenID Connect authentication enables Single Sign-On (SSO) by allowing users to log in through external Identity Providers such as Google, Azure AD, or other OpenID-compliant providers.

  • Security must be enabled in the application to ensure that protected pages, services, and APIs are accessible only to authenticated users.

  • The OpenID Connect option can be configured as the authentication provider by assigning a unique provider name and optionally setting it as the primary authentication mechanism.

  • Identity Provider configuration is completed using the Discovery URL, which allows WaveMaker to automatically retrieve provider metadata.

    • Discovery URL
      • Provides OpenID configuration details exposed by the Identity Provider.
      • Example: https://accounts.google.com/.well-known/openid-configuration
      • WaveMaker automatically retrieves:
        • Authorization endpoint
        • Token endpoint
        • User info endpoint
        • Signing keys (JWKS)
  • Client credentials must be configured by registering the WaveMaker application with the Identity Provider:

    • Client ID
    • Client Secret
    • Redirect URI generated by WaveMaker

    These credentials establish trust between WaveMaker and the Identity Provider and enable secure authentication.
  • Attribute mapping is used to map OpenID claims to WaveMaker user fields:

    • Subject or Username
    • Email
    • Display Name
    • Roles or Groups (optional)
  • Role assignment can be handled in two ways:

    • Roles can be extracted directly from token claims.
    • Roles can be resolved from a database using the authenticated user identifier.
  • After successful authentication, WaveMaker enforces authorization rules across the application:

    • Access to pages, services, and APIs is controlled based on assigned roles.
    • Unauthorized users are prevented from accessing restricted resources.

Runtime Behavior

At runtime:

  • Users are redirected to the Identity Provider for authentication
  • Tokens are validated using provider signing keys
  • Sessions are established securely
  • Security context is applied across UI, services, and APIs

This ensures consistent security enforcement across the application stack.


Token Validation and Security

WaveMaker validates OpenID tokens by:

  • Verifying JWT signatures using provider public keys
  • Validating issuer, audience, and expiration
  • Protecting against token replay
  • Enforcing authentication and authorization server-side

All validation occurs on the backend to prevent client-side manipulation.


Generated Backend Code

When OpenID Connect authentication is configured in WaveMaker, the platform automatically generates a security service that manages authentication, authorization, and request interception at runtime. This structure is platform-managed and should not be edited manually.

Project Structure

services/
└── securityService
    ├── designtime
    │   ├── auth-info.json
    │   ├── general-options.json
    │   ├── intercept-urls.json
    │   ├── roles.json
    │   ├── securityService_API.json
    │   ├── service-info.json
    │   └── wm-xss-policies.json
    └── src
        └── servicedefs
            └── securityService-service-definitions.json

Design-Time Configuration (designtime)

The designtime folder contains security configuration created through WaveMaker Studio. These files define how OpenID authentication and authorization are applied across the application.

  • auth-info.json
    Stores OpenID provider details such as issuer URL, client ID, scopes, and token endpoints.

  • general-options.json
    Defines global security settings including session management, token behavior, CORS, CSRF, and SSL options.

  • intercept-urls.json
    Specifies secured URL patterns and the access levels required to invoke them.

  • roles.json
    Defines application roles used for role-based access control (RBAC).

  • securityService_API.json
    Exposes internal security-related APIs used by the WaveMaker platform.

  • service-info.json
    Contains metadata describing the security service.

  • wm-xss-policies.json
    Configures XSS protection policies enforced at runtime.


Runtime Service Definitions (src/servicedefs)

The service definition files connect the design-time security configuration to the backend runtime. They enable consistent, server-side enforcement of:

  • OpenID authentication
  • Token validation
  • Role resolution
  • Authorization rules

How It Works at Runtime

At runtime, WaveMaker intercepts secured requests and redirects users to the configured OpenID Identity Provider for authentication. Once authentication is successful, the issued ID and access tokens are validated, a security context is established, user roles are resolved, and authorization rules are enforced entirely on the server.

This ensures secure and consistent access control across application pages, services, and APIs.


Application Configuration Properties

Whenever security is configured in WaveMaker, the platform automatically generates configuration properties that can be mapped to different environments such as Development, QA, or Production. You can view and manage these properties under Profiles; refer to the Profiles section of the documentation for more information.

For more details on environment-specific configurations, refer to the Deployment Profiles section.

# Security Configuration (OPEN ID GOOGLE)

security.activeProviders=OPENID.google
security.enabled=true
security.general.client.ssl.hostNameVerification.enabled=true
security.general.cookie.base64Encode=true
security.general.cookie.jvmRoute=
security.general.cookie.maxAge=-1
security.general.cookie.path=
security.general.cookie.sameSite=
security.general.cors.allowCredentials=false
security.general.cors.enabled=false
security.general.cors.maxAge=1600
security.general.cors.pathEntries.root.allowedOrigins=*
security.general.csp.enabled=false
security.general.csp.policy=
security.general.frameOptions.allowFromUrl=
security.general.frameOptions.enabled=true
security.general.frameOptions.mode=SAMEORIGIN
security.general.login.maxSessionsAllowed=-1
security.general.mtls.enabled=false
security.general.mtls.keystore.file=
security.general.mtls.keystore.fileType=
security.general.mtls.keystore.password=
security.general.rememberMe.enabled=false
security.general.rememberMe.timeOut=1296000
security.general.request.allowedHosts=
security.general.session.timeout=30
security.general.ssl.enabled=false
security.general.ssl.port=443
security.general.tokenService.enabled=true
security.general.tokenService.parameter=WM_AUTH_TOKEN
security.general.tokenService.tokenValiditySeconds=1800
security.general.truststore.config=SYSTEM_ONLY
security.general.truststore.file=
security.general.truststore.fileType=
security.general.truststore.password=
security.general.xsrf.enabled=true
security.general.xss.dataBackwardCompatibility=false
security.general.xss.enabled=true
security.general.xss.sanitizationLayer=OUTPUT
security.providers.openId.google.authorizationUrl=https://accounts.google.com/o/oauth2/v2/auth
security.providers.openId.google.clientId=***.apps.googleusercontent.com
security.providers.openId.google.clientSecret=***
security.providers.openId.google.jwkSetUrl=https://www.googleapis.com/oauth2/v3/certs
security.providers.openId.google.logoutUrl=
security.providers.openId.google.roleMappingEnabled=true
security.providers.openId.google.roleProvider=OPENID
security.providers.openId.google.scopes=openid,email,profile
security.providers.openId.google.tokenUrl=https://oauth2.googleapis.com/token
security.providers.openId.google.userInfoUrl=https://openidconnect.googleapis.com/v1/userinfo
security.providers.openId.google.userNameAttributeName=email
security.session.persistence.type=in-memory



When to Use OpenID Connect

OpenID Connect is recommended in the following scenarios:

  • Modern cloud-based and SaaS applications
  • Social login and enterprise identity integrations
  • Applications requiring token-based authentication
  • Environments that follow OAuth 2.0 and OpenID Connect standards

Summary

OpenID Connect integration in WaveMaker enables secure and modern authentication using industry-standard, token-based identity verification. By delegating authentication to trusted Identity Providers, validating signed tokens, and enforcing role-based access entirely on the server, WaveMaker delivers scalable and secure authentication with minimal configuration effort.