# Setup OpenID flow

## Setup OData connector configuration

Select OpenId as Runtime authentication.

<figure><img src="/files/jg3wqPult25Iqg2mkv41" alt=""><figcaption></figcaption></figure>

## Flow Server OpenId configuration

### Create IFS IAM Client

Create an IAM Client with the same setup as in the example below.

{% hint style="info" %}
Name the IAM client so that it can be identified as being used by Flow. Adding a postfix that describes the authentication type is also a good idea.

Example name: NC\_Flow\_OpenId or Novacura\_OpenId
{% endhint %}

<figure><img src="/files/UAnRtIWh4UPbzteIwttc" alt=""><figcaption><p>Example IAM client for supporting OpenId</p></figcaption></figure>

{% hint style="info" %}
Use the same name for the same type of IAM client in all customers' IFS Cloud instances.
{% endhint %}

### Setup OpenId in Flow Server

Add **Authority URL** and **ClientId** based on IFS Cloud info.

All remaining settings can be set as in the example below.

<figure><img src="/files/smoZ31OBdCFliK3EZoKh" alt=""><figcaption><p>Example OpenId configuration in Flow Server</p></figcaption></figure>

#### AuthorityURL

Get **Issuer URL** value from IFS Cloud.

{% content-ref url="/pages/pehKlFbKxppGwLyn2F5y" %}
[Obtaining Authentication related URLs from IFS Cloud](/flow-ifs-cloud-development-guidelines/flow-development-with-odata/configuration/authentication-models/obtaining-authentication-related-urls-from-ifs-cloud.md)
{% endcontent-ref %}

#### ClientId

Add the Client Id of the previously created IAM Client.

## IFS User and Flow Server User Setup

The Flow User ID must be the same as the IFS user's Directory Id.

<figure><img src="/files/K3HerNf1ZPRVtgVBnxqT" alt=""><figcaption><p>IFS User setup</p></figcaption></figure>

<figure><img src="/files/8m52X2YbPctQcv2zv8fZ" alt=""><figcaption><p>Same user in flow server</p></figcaption></figure>

{% hint style="info" %}
If users are synchronized to Flow Server from Azure AD, follow the instructions at:

<https://help.novacuraflow.com/development/flow-studio/environment/active-directory-sync>

**OPEN ISSUE: If synchronization is set up, does having "Use sync source for authentication" checked (it is set automatically during synchronization) have any effect?**

![](/files/RM0x97aHfDacWQ00vDnO)
{% endhint %}

## WIP - Effect on Flow development

Flow apps that use a connector with the OpenId Runtime authentication type cannot be debugged in Studio.

For the flow developer, this means that before debugging, the connector in the flow must be changed to a connector that uses the Client Credentials or Password Credentials Runtime authentication type. Alternatively, if the flow has many fragments and changing the connector in all of them takes a lot of time, you can keep a copy of the flow (and its fragments) that uses a connector with the Client Credentials or Password Credentials Runtime authentication type.

Note that using a connector with Password Credentials requires that the IFS user has a password defined in IFS and that SSO login is disabled.

If the flow uses projections that require authentication as the actual user in IFS, debugging can only be done by running tests in the NC client.


