Open ID Connect (OIDC)
The OIDC login provider uses the OpenID Connect (OIDC) authorization code flow to authenticate users. All OIDC-compliant identity providers (IdPs) are supported, including Keycloak, Microsoft Azure and Google.
PKCE (Proof Key for Code Exchange)
Although PKCE was originally introduced for public clients (mobile/SPA apps that cannot keep a client secret), the OAuth 2.0 Security Best Current Practice (RFC 9700) now recommends it for all clients, including confidential ones like Studo Flow. The upcoming OAuth 2.1 standard is expected to make PKCE mandatory across the board.
Studo Flow supports PKCE (RFC 7636) as an optional security enhancement for the authorization code flow. PKCE protects against authorization code interception attacks. It can be enabled via the enablePkce configuration key on the OIDC login provider.
PKCE requires your IdP to support it. Most modern IdPs (Keycloak 8+, Azure AD, Google) do. Enable it only after confirming support — mismatched PKCE configuration will break logins.
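The following is an added example, not Studo Flow's own code, showing what enablePkce changes on the wire: the relying party generates a code_verifier, sends only its S256 code_challenge with the authorization request, and later presents the verifier when redeeming the code, so an intercepted code alone cannot be exchanged for tokens. The endpoint URL, client id and redirect URI are made-up placeholders; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    # RFC 7636 Appendix A: base64url without "=" padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """High-entropy verifier of 43..128 chars from [A-Za-z0-9-._~] (RFC 7636 section 4.1)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters long")
    # token_urlsafe(96) yields 128 chars from [A-Za-z0-9_-], a subset of the allowed alphabet
    return secrets.token_urlsafe(96)[:length]


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(authorize_endpoint, client_id, redirect_uri, state, nonce, challenge):
    """Leg 1: the RP sends the challenge (never the verifier) with the authorization request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def token_request_body(client_id, redirect_uri, code, verifier):
    """Leg 2: the RP redeems the code at the token endpoint together with the plaintext verifier."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


def idp_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """What the IdP token endpoint does: recompute the challenge from the presented verifier and
    compare in constant time. A code stolen in transit is useless without the matching verifier."""
    if stored_method == "S256":
        return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)
    if stored_method == "plain":  # permitted by RFC 7636, but S256 is the method to deploy
        return hmac.compare_digest(presented_verifier, stored_challenge)
    return False


if __name__ == "__main__":
    # Constructed walk-through with placeholder endpoint and client values
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(authorization_url("https://idp.example.test/authorize", "studo-flow",
                            "https://flow.example.test/oidc/callback",
                            secrets.token_urlsafe(16), secrets.token_urlsafe(16), challenge))
    print(token_request_body("studo-flow", "https://flow.example.test/oidc/callback",
                             "CODE_FROM_REDIRECT", verifier))
    print("IdP accepts:", idp_verify_pkce(challenge, "S256", verifier))
```

The mismatch the page warns about is visible in idp_verify_pkce: if the RP sends a challenge but the IdP ignores PKCE, or the IdP demands a code_verifier the RP never sends, the token request is refused and the login fails, which is why support on both sides has to be confirmed before enabling the key.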
Backchannel logout
Studo Flow supports backchannel logout if the OIDC provider does. The IdP must be configured to send backchannel logout requests to the Studo Flow backchannel logout endpoint:
https://<your-flow-domain>/oidc/backChannelLogout
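As an added illustration (not Studo Flow's implementation) of what an endpoint like the one above has to check before it terminates anything, the example below verifies an OIDC back-channel logout token and then ends the matching sessions. The IdP side is a constructed stand-in that signs with HS256 and a shared secret; real IdPs normally sign logout tokens with an asymmetric key published on their JWKS endpoint, so a deployment would verify RS256 against that key instead. Issuer, audience, session store and all token values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Event URI that every OIDC back-channel logout token must carry in its "events" claim
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_logout_token(claims: dict, secret: bytes) -> str:
    """Constructed IdP stand-in: mint an HS256 logout token (typ logout+jwt)."""
    header = {"alg": "HS256", "typ": "logout+jwt"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_logout_claims(claims, issuer, audience, now, max_age=300, seen_jti=None):
    """Claim rules from OIDC Back-Channel Logout 1.0; returns a list of problems (empty = OK)."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include this client")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60 or now - iat > max_age:
        problems.append("iat missing, in the future or too old")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        problems.append("jti missing")
    elif seen_jti is not None and jti in seen_jti:
        problems.append("jti already seen (replay)")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        problems.append("events claim lacks the back-channel logout event")
    if not claims.get("sub") and not claims.get("sid"):
        problems.append("neither sub nor sid present")
    if "nonce" in claims:
        problems.append("nonce must not be present in a logout token")
    return problems


def verify_logout_token(token, secret, issuer, audience, now, seen_jti):
    """Signature first, then claims. Returns (claims, problems)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return {}, ["token is not a well-formed JWT"]
    if header.get("alg") != "HS256":  # accept exactly the algorithm we expect, never the token's choice
        return claims, ["unexpected alg"]
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return claims, ["bad signature"]
    return claims, validate_logout_claims(claims, issuer, audience, now, seen_jti=seen_jti)


def handle_backchannel_logout(token, secret, issuer, audience, now, sessions, seen_jti):
    """RP endpoint logic: returns ids of the sessions it terminated (empty if the token is rejected).
    sessions maps session_id -> {"sub": ..., "sid": ...} and is mutated in place."""
    claims, problems = verify_logout_token(token, secret, issuer, audience, now, seen_jti)
    if problems:
        return []
    seen_jti.add(claims["jti"])
    sid, sub = claims.get("sid"), claims.get("sub")
    # sid targets one IdP session; a token with only sub ends every session of that user
    victims = [s for s, v in sessions.items()
               if (sid and v["sid"] == sid) or (not sid and v["sub"] == sub)]
    for s in victims:
        del sessions[s]
    return victims
```

Rejected tokens should be answered with HTTP 400 and a log line naming the failed check; nothing in the session store changes until every check has passed. The jti set is what stops a captured token from being replayed after the user logs in again.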
Limitations
All users who log in via the OIDC login provider must already exist in the Studo Flow database (created by an importer). Currently, it's not possible to create a user "on-demand" when logging in.
Using Keycloak
See Keycloak example.
Using CAMPUSonline
Every CAMPUSonline deployment has a Keycloak instance.