---
alias: operation-guide-security-portal-strategy-openidconnect
description: "OpenID Connect integration enables user authentication and identity management within the portal"
---

# OpenID Connect

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. Integrating it allows the Critical Manufacturing Security Portal to establish a login session through a RESTful HTTP API: OpenID Connect provides user identity and authentication, while OAuth 2.0 is still used to access protected resources. The framework is interoperable (it uses JSON), simple to implement, and secure.

![security_portal_openidconnect_flow][security_portal_openidconnect_flow]

More information is available in these external guides:

* [OpenID Connect explained in plain English](https://www.onelogin.com/blog/openid-connect-explained-in-plain-english)
* [OIDC in a nutshell](https://infosec.mozilla.org/guidelines/iam/openid_connect.html)
* [AccessToken Vs ID Token Vs Refresh Token](https://www.c-sharpcorner.com/article/accesstoken-vs-id-token-vs-refresh-token-what-whywhen/)

## Email login with OIDC providers

When the Critical Manufacturing Security Portal uses OIDC providers, the following property must be added to the `tenants\config\[tenant]\dataSource\config` section of the `config.json` file:

```json
"userAccountFallbackField": "MailAddress"
```

!!! note

    This setting uses the `MailAddress` property of the MES User instead of the `UserAccount` to validate the login to the OIDC application.

[security_portal_openidconnect_flow]: ../../images/security_portal_openidconnect_flow.png