Skip to content

OpenID Connect (Legacy)

⚠️ WARNING

This document describes the legacy OpenID Connect implementation. It is provided for reference only and should no longer be used.

For new connections, refer to the OpenId Connect (Auth0 Self-Service) documentation.

Introduction

OpenID Connect Framework is built on top of OAuth 2.0 and specifies the Authorization(OAuth2.0) and Authentication(OIDC) of users by means of Access Tokens and Refresh Tokens.

Currently, Statista has only a handful of customers using this feature. They are found under the parameter stat_frontend.openid_connect located in this file in the monolith: Resources/config/parameters.yml.

Example:

    stat_frontend.openid_connect:
        stbm:
            dev:
                endpoint: https://ssl.muenchen.de/oidcp/
                logoutRedirect: https://ssl.muenchen.de/oidcp/logout
                client_id: CLIENT_ID
                secret: SECRET
                redirect_url: https://de.statista.com/login/openidconnect
                issuer: https://ssl.muenchen.de/oidcp
                id_user: USERID
                post_logout_redirect_uri: https://de.statista.com
                internal_redirect_route: loginOpenIdConnect

Customers use specific links to use this login method. These are the current ones:

  • www.statista.com/login/openidconnect (Münchner Stadtbibliothek)
  • www.statista.com/login/openidconnectvoebb (Verbund der Öffentlichen Bibliotheken Berlins)
  • www.statista.com/login/openidconnectstbn (Stadtbibliothek im Bildungscampus Nürnberg)

Technological Overview

  1. All the configuration is under the parameter mentioned before (stat_frontend.openid_connect).
  2. There are some routes for every customer already defined for the controller that handles the OpenID Connection in Resources/config/i18n.yml. The controller action is StatFrontendBundle:Login:loginOpenIdConnect
  3. When an OpenID Connect route is accessed, the user is redirected to the configured OpenID Connect provider's endpoint.
  4. The user signs in by entering their username and password on the provider's page.
  5. After successful authentication, the OpenID Connect provider redirects the user back to the monolith, including a token in the response.
  6. The Monolith validates the token and attempts to log the user in using the ID login method in Auth0.

How to add a new OIDC connection for a customer

To add a new OIDC connection for a customer, we have to:

  1. Add the customer's OIDC config to configfrontend
  2. Deploy the changes to production
  3. Communicate the redirect URL to the customer or CSM

1. Add the customer's OIDC config to configfrontend

  1. Create a new entry for the customer under stat_frontend.openid_connect in src/frontendbundle/Resources/config/parameters.yml.

    The following parameters are required, showing an example for the customer universitas-multimedia-nusantara. All information should be provided by the customer. For common IDPs like Google, Auth0, or Microsoft, you can find partially missing information in their documentation.

       universitas-multimedia-nusantara: # this is the customer name and part of the redirect URL
        dev:
            # please copy exactly the same parameters as in the prod section here - no adjustments!
        prod:
            # endpoint of the OIDC provider
            endpoint: https://accounts.google.com/
            # authorization endpoint of the OIDC provider
            authorization_endpoint: https://accounts.google.com/o/oauth2/v2/auth
            # token endpoint of the OIDC provider
            token_endpoint: https://oauth2.googleapis.com/token
            # JWKS URI of the OIDC provider
            jwks_uri: https://www.googleapis.com/oauth2/v3/certs
            # logout endpoint of the OIDC provider
            logoutRedirect: https://oauth2.googleapis.com/revoke
            # client ID from the OIDC provider
            client_id: 781067706590-6j96ft54sfalep766jij09kut2tigro0.apps.googleusercontent.com
            # secret for the OIDC provider, stored in AWS Secrets Manager, see secrets section below
            secret: '%env(aws:OPENID_UNIVERSITAS_MULTIMEDIA_NUSANTARA)%'
            # redirect URL for the customer, must match the customer name of this entry
            redirect_url: https://www.statista.com/login/openidconnect/universitas-multimedia-nusantara
            # issuer of the OIDC provider
            issuer: https://accounts.google.com
            # this is the statista group account ID (legacy user ID)
            id_user: 6112957

  2. Add the secret constant used in the secret parameter to the app/config/parameters.yml, e.g.

    env(OPENID_UNIVERSITAS_MULTIMEDIA_NUSANTARA): OPENID,universitas_multimedia_nusantara

    This will configure the environment variable OPENID_UNIVERSITAS_MULTIMEDIA_NUSANTARA which will be loaded from AWS Secrets Manager in production. The secret name in AWS Secrets Manager is OPENID, the key is the value specified after the comma, in this case universitas_multimedia_nusantara. This is the key to be added in the next step.

  3. Add the customer's OIDC client secret to the OPENID secret in AWS Secrets Manager (production only), which is in the AWS account frontendlegacy-prod-86e0df (677339016065). Use the key specified in the previous step, e.g. universitas_multimedia_nusantara, and set the value to the OIDC client secret provided by the customer.

  4. Test the new configuration in the local development environment. That is why we add the same configuration under the dev section in the parameters.yml file.

    • Set the environment variable OPENID_UNIVERSITAS_MULTIMEDIA_NUSANTARA in your local .env file to some dummy value, e.g.: 
      OPENID_UNIVERSITAS_MULTIMEDIA_NUSANTARA=a_dummy_value_for_local_testing
    • Start the monolith locally — should work as normal.
    • Go to the configured redirect URL, in this case: https://www.statista.test/login/openidconnect/universitas-multimedia-nusantara.
    • You should be forwarded to the customer's IdP (e.g., Google, Auth0, etc.) for authentication. As we do not have a real account and a real OIDC setup, this might also result in an error, which is expected.
      • In the case of Google, you expect the error message "Error: redirect_uri_mismatch" because the redirect URL is not registered in the Google OIDC configuration. Google OIDC Error

  5. If the test is successful, commit the changes to the repository and create a PR on develop branch.

2. Deploy the changes to production

  • Once the PR is merged, deploy the changes to production using a hotfix deployment, if not urgent, a PR to the current release branch is sufficient.

3. Communicate the redirect URL to the customer or CSM

  • Inform the CSM about the new customer configuration, the deployment timeline and provide them with the redirect URL.
  • The CSM will then communicate this to the customer when deployed on production.

Additional information

The official documentation is pretty clear how OpenID Connect works: https://openid.net/developers/how-connect-works/

Testing

We don't have an OIDC setup that we manage ourselves right now. So we only rely on test credentials we received from our clients, if provided.

Since they are available for the production environment only, please find them in the CPE_Internal collection in Bitwarden.

How to set up a test OIDC connection using our US dev tenant Auth0 as IdP

Note: This requires manual changes in the auth0 dev tenant configuration, which should be avoided, and might get overwritten by the next deployment of the auth0 terraform provider. This is only for testing purposes and should not be used in production.

1. Add Statista to the customer's Open ID Connect Provider

You need to set up the OpenID Connect provider for the new customer. The procedure may vary depending on the provider but in this case, we will explain how to do it using Auth0.

  1. Go to Applications > Applications and click on the application you want to configure (e.g. Statista).
  2. Go to the Settings tab and scroll down to the Allowed Callback URLs section.
  3. Add the following URL to the list of allowed callback URLs: 
    https://www.statista.test/login/{OPENID_CONNECT_CUSTOMER}
    (replace {OPENID_CONNECT_CUSTOMER} with the name of the customer you are configuring).
  4. Ensure the JWT Signature Algorithm is set to HS256. For this scroll down to the Advanced Settings section and click on OAuth. There you have to set HS256 as the JWT Signing Algorithm and disable the OIDC Conformant option.

2. Add the customer to our monolith

auth0_test: # THIS IS THE CUSTOMER NAME
dev:
endpoint: https://dev-lxnnhamnh30kxnzf.us.auth0.com/oauth/ # ENDPOINT OF THE OIDC PROVIDER
logoutRedirect: https://dev-lxnnhamnh30kxnzf.us.auth0.com/oidc/logout # LOGOUT ENDPOINT OF THE OIDC PROVIDER
client_id: AUTH0_APPLICATION_CLIENT_ID # CLIENT ID FROM THE OIDC PROVIDER
secret: AUTH0_APPLICATION_SECRET # CLIENT SECRET FROM THE OIDC PROVIDER
redirect_url: https://www.statista.test/login/openidconnect-test-auth0/ # NEW URL THAT WE ADDED BEFORE
issuer: https://dev-lxnnhamnh30kxnzf.us.auth0.com/
id_user: USER_ID
post_logout_redirect_uri: https://www.statista.test
internal_redirect_route: loginOpenIdConnectTestAuth0 # NAME OF THE ROUTE
Last updated: March 24, 2026 at 10:39
By: Axel Tetzlaff