IdP Configuration Guide

1. Required IdP Settings

Register a client/application in your IdP with the following settings:

  • Redirect URI: must exactly match OIDC_REDIRECT_URI (e.g. https://app.example.eu/api/auth/callback)

  • Allowed grant types: authorization_code, refresh_token

  • PKCE: required (S256 code challenge method)

  • Back-channel logout URL: https://app.example.eu/api/auth/backchannel-logout

2. Claim Configuration

Ensure the following claims are included in the ID token:

3. Group/Role Mapping

Create a group named ai4drpm-admins (or the value of OIDC_ADMIN_GROUP) in the IdP. Users in this group receive ["user", "admin"] scopes; all other users receive ["user"].

4. EULogin-Specific Notes

  • Set OIDC_PROVIDER=eulogin

  • Back-channel logout is supported via the /api/auth/backchannel-logout endpoint

  • EULogin issues a logout_token in the back-channel logout request; the app validates it and revokes all active refresh tokens for the affected user
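As an added illustration of sections 3 and 4 (example code, not the project's own), the claim checks a back-channel logout handler should perform on the logout_token once its signature has been verified, followed by the refresh-token revocation and the group-to-scope mapping. Assumptions: signature verification against the IdP's JWKS has already happened upstream, and the token store and replay cache are constructed in-memory stand-ins.

```python
import time

# Event URI that must appear in the "events" claim of a logout token
# (OpenID Connect Back-Channel Logout 1.0).
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def validate_logout_token_claims(claims, issuer, client_id, seen_jti, now=None, max_age=300):
    """Validate the claims of an already signature-verified logout_token.

    Returns the {"sub", "sid"} pair to revoke, or raises ValueError.
    seen_jti is a replay cache (assumed: a set shared across requests).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("aud does not contain this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60 or now - iat > max_age:
        raise ValueError("iat missing or outside the acceptance window")
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("logout token has expired")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("events claim lacks the back-channel logout event")
    if "nonce" in claims:  # prohibited: distinguishes a logout token from an ID token
        raise ValueError("nonce must not be present in a logout token")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("either sub or sid is required")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("jti missing or replayed")
    seen_jti.add(jti)
    return {"sub": claims.get("sub"), "sid": claims.get("sid")}


def revoke_refresh_tokens(store, target):
    """Mark every active refresh token for the user (sub) or session (sid) revoked."""
    revoked = 0
    for rec in store:  # store: constructed list of {"sub", "sid", "active"} records
        by_sub = target["sub"] is not None and rec.get("sub") == target["sub"]
        by_sid = target["sid"] is not None and rec.get("sid") == target["sid"]
        if rec["active"] and (by_sub or by_sid):
            rec["active"] = False
            revoked += 1
    return revoked


def scopes_for(groups, admin_group="ai4drpm-admins"):
    """Section 3 mapping: membership in the admin group adds the admin scope."""
    return ["user", "admin"] if admin_group in groups else ["user"]
```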