Using Domino as an OIDC provider

The Domino HTTP task can act as an OIDC identity provider. This feature lets administrators reuse their existing Domino HTTP authentication experience (passkeys, TOTP, custom domcfg login forms, and external identity providers) to authenticate end users to applications, servers, and services that support OIDC.

OpenID Connect 1.0 (OIDC) is an authentication protocol built on top of the OAuth 2.0 framework; OIDC providers (OPs) serve the same basic role in Identity Federation as SAML identity providers (IdPs). Identity Federation lets end users log in once against a single authorization endpoint and then authenticate to multiple resource servers, instead of logging in to each resource server individually. OAuth 2.0 clients that do not fully support OIDC can still be configured to obtain access tokens from these HTTP endpoints, which then serve them simply as an OAuth 2.0 Authorization Server (AS).

The Domino OIDC provider functionality issues signed JWT access tokens and ID tokens and is fully interoperable with the HTTP Bearer authentication and Web Login with OIDC functionality in Domino 12.0.2 FP3 and higher. In accordance with current security best practices (the implicit and hybrid flows, which return tokens directly in the browser redirect, are no longer recommended), the Domino OIDC provider supports only the Authorization Code flow with PKCE.
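The following Python script is an added example, not code from the Domino documentation or the product, and walks through the Authorization Code flow with PKCE that the provider requires: the relying party generates a `code_verifier` and its S256 `code_challenge`, builds the authorization request, and a toy authorization server stands in for the provider's authorize and token endpoints to show how the challenge binds the returned code to the client that asked for it. The endpoint URLs, `client_id` and `redirect_uri` are placeholders, the toy server models only the PKCE and single-use checks (it is not Domino's implementation), and the use of the S256 challenge method is an assumption.

```python
import base64
import hashlib
import hmac
import re
import secrets
import urllib.parse

# Placeholder endpoints for illustration only. A real relying party takes
# the provider's authorization and token endpoints from its OIDC discovery
# document rather than hard-coding them.
AUTHORIZE_ENDPOINT = "https://domino.example.com/oidc/authorize"
TOKEN_ENDPOINT = "https://domino.example.com/oidc/token"

# RFC 7636: the verifier is 43..128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 and JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method (assumed).

    32 random bytes base64url-encode to 43 characters, the RFC minimum.
    """
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(client_id, redirect_uri, code_challenge,
                            state, nonce, scope="openid profile email"):
    """Relying-party side: the front-channel authorization request.

    'state' defends the callback against CSRF; 'nonce' is echoed in the ID
    token so the client can bind the token to this login attempt.
    """
    params = {
        "response_type": "code",          # the only flow the page allows
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


class ToyAuthorizationServer:
    """Stand-in for the provider's authorize and token endpoints (hypothetical).

    It records the challenge with each issued code and redeems a code only
    once, only for the same client and redirect_uri, and only with a verifier
    that hashes to the recorded challenge.
    """

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url: str) -> str:
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        if q.get("response_type") != ["code"]:
            raise ValueError("only response_type=code is supported")
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("PKCE with S256 is required")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (q["client_id"][0], q["redirect_uri"][0],
                             q["code_challenge"][0])
        return code  # delivered to redirect_uri together with 'state'

    def token(self, code, client_id, redirect_uri, code_verifier) -> bool:
        """Back-channel token request; True means tokens would be issued."""
        entry = self._codes.pop(code, None)   # single use: replay fails
        if entry is None:
            return False
        cid, ruri, challenge = entry
        if cid != client_id or ruri != redirect_uri:
            return False
        if not VERIFIER_RE.match(code_verifier):
            return False
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        return hmac.compare_digest(expected, challenge)


def demo() -> dict:
    """Run the happy path plus the two failure cases PKCE is meant to catch."""
    client_id, redirect_uri = "my-relying-party", "https://rp.example.com/callback"
    srv = ToyAuthorizationServer()

    # Legitimate exchange: the verifier never leaves the client until the
    # back-channel token request, so it matches the stored challenge.
    verifier, challenge = make_pkce_pair()
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    code = srv.authorize(build_authorization_url(
        client_id, redirect_uri, challenge, state, nonce))
    legit = srv.token(code, client_id, redirect_uri, verifier)
    replay = srv.token(code, client_id, redirect_uri, verifier)

    # Intercepted code: an attacker who sees the redirect has the code but
    # not the verifier, so their token request is rejected.
    verifier2, challenge2 = make_pkce_pair()
    code2 = srv.authorize(build_authorization_url(
        client_id, redirect_uri, challenge2, state, nonce))
    attacker_verifier, _ = make_pkce_pair()
    stolen_code = srv.token(code2, client_id, redirect_uri, attacker_verifier)

    return {"legit": legit, "replay": replay, "stolen_code": stolen_code}


if __name__ == "__main__":
    print(demo())
```

The point to take from the simulation is that the authorization code alone is worthless to anyone who observes the redirect; what a client must protect is the verifier, which it holds only in memory for the few seconds between the two requests, and the `state` value, which it must compare against the callback before redeeming the code.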