Skip to content

OpenID Connect (OIDC)

Authrim provides full OpenID Connect Core 1.0 compliance, enabling secure authentication for your applications.

  • Standard: OpenID Connect Core 1.0
  • Conformance: OpenID Certification conformance test suite compatible
  • Discovery: Full OIDC Discovery support
Section titled “Authorization Code Flow with PKCE (Recommended)”

The most secure flow for all client types:

Client → Authorization Endpoint → User Login → Authorization Code
Client → Token Endpoint (+ PKCE) → Access Token + ID Token

For applications that need both immediate identity verification and backend token exchange:

  • code id_token
  • code token
  • code id_token token

For legacy applications only (not recommended for new implementations):

  • id_token
  • id_token token

Retrieve the OpenID Provider configuration:

GET /.well-known/openid-configuration

Response:

{
"issuer": "https://auth.example.com",
"authorization_endpoint": "https://auth.example.com/authorize",
"token_endpoint": "https://auth.example.com/token",
"userinfo_endpoint": "https://auth.example.com/userinfo",
"jwks_uri": "https://auth.example.com/.well-known/jwks.json",
"registration_endpoint": "https://auth.example.com/register",
"introspection_endpoint": "https://auth.example.com/introspect",
"revocation_endpoint": "https://auth.example.com/revoke",
"pushed_authorization_request_endpoint": "https://auth.example.com/par",
"device_authorization_endpoint": "https://auth.example.com/device_authorization",
"scopes_supported": ["openid", "profile", "email", "address", "phone"],
"response_types_supported": ["code", "id_token", "id_token token", "code id_token", "code token", "code id_token token", "none"],
"response_modes_supported": ["query", "fragment", "form_post", "query.jwt", "fragment.jwt", "form_post.jwt", "jwt"],
"grant_types_supported": ["authorization_code", "refresh_token", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "urn:ietf:params:oauth:grant-type:device_code", "urn:openid:params:grant-type:ciba", "urn:ietf:params:oauth:grant-type:token-exchange", "client_credentials"],
"subject_types_supported": ["public", "pairwise"],
"id_token_signing_alg_values_supported": ["RS256"],
"token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
"code_challenge_methods_supported": ["S256"],
"dpop_signing_alg_values_supported": ["ES256", "RS256", "PS256", "EdDSA"],
"end_session_endpoint": "https://auth.example.com/logout"
}

Grant types and optional async endpoints are filtered by tenant profile and feature flags, so production metadata should be treated as the source of truth for each tenant.

Retrieve the JSON Web Key Set for ID token verification:

GET /.well-known/jwks.json

Response:

{
"keys": [
{
"kty": "RSA",
"kid": "key-id-1",
"use": "sig",
"alg": "RS256",
"n": "...",
"e": "AQAB"
}
]
}
GET /authorize
?response_type=code
&client_id=my_client_id
&redirect_uri=https://myapp.example.com/callback
&scope=openid+profile+email
&state=random_state_value
&nonce=random_nonce_value
&code_challenge=...
&code_challenge_method=S256
Host: auth.example.com

Parameters:

ParameterRequiredDescription
response_typeYescode for authorization code flow
client_idYesClient identifier
redirect_uriYesRegistered redirect URI
scopeYesMust include openid
stateRecommendedCSRF protection
nonceRequired for OIDCID token binding
code_challengeRecommendedPKCE code challenge
code_challenge_methodRecommendedMust be S256

User is redirected to the login page and authenticates.

HTTP/1.1 302 Found
Location: https://myapp.example.com/callback
?code=authorization_code_value
&state=random_state_value
POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <base64(client_id:client_secret)>
grant_type=authorization_code
&code=authorization_code_value
&redirect_uri=https://myapp.example.com/callback
&code_verifier=pkce_code_verifier
{
"access_token": "eyJhbGciOiJSUzI1NiJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiJ9...",
"refresh_token": "eyJhbGciOiJSUzI1NiJ9...",
"scope": "openid profile email"
}

The ID Token is a JSON Web Token (JWT) containing user identity claims:

{
"iss": "https://auth.example.com",
"sub": "user-id-123",
"aud": "my_client_id",
"exp": 1699880000,
"iat": 1699876400,
"nonce": "random_nonce_value",
"auth_time": 1699876400,
"acr": "urn:mace:incommon:iap:silver",
"at_hash": "...",
"name": "John Doe",
"email": "john@example.com",
"email_verified": true
}
ClaimDescription
issIssuer identifier
subSubject identifier (user ID)
audAudience (client ID)
expExpiration time
iatIssued at time
nonceNonce from authorization request
auth_timeTime of authentication
acrAuthentication context class reference
amrAuthentication methods reference
at_hashAccess token hash
c_hashCode hash (hybrid flow)
ClaimDescription
nameFull name
given_nameFirst name
family_nameLast name
nicknameNickname
preferred_usernamePreferred username
pictureProfile picture URL
localeLocale
zoneinfoTime zone
updated_atLast update time
ClaimDescription
emailEmail address
email_verifiedEmail verification status

Retrieve user profile information:

GET /userinfo HTTP/1.1
Authorization: Bearer <access_token>

Response:

{
"sub": "user-id-123",
"name": "John Doe",
"given_name": "John",
"family_name": "Doe",
"email": "john@example.com",
"email_verified": true,
"picture": "https://example.com/photo.jpg"
}
POST /register HTTP/1.1
Content-Type: application/json
{
"client_name": "My Application",
"redirect_uris": ["https://myapp.example.com/callback"],
"grant_types": ["authorization_code", "refresh_token"],
"response_types": ["code"],
"token_endpoint_auth_method": "client_secret_basic"
}

Response:

{
"client_id": "generated_client_id",
"client_secret": "generated_client_secret",
"client_id_issued_at": 1699876400,
"client_secret_expires_at": 0,
"redirect_uris": ["https://myapp.example.com/callback"],
"grant_types": ["authorization_code", "refresh_token"],
"response_types": ["code"]
}
ScopeDescription
openidRequired for OIDC, returns sub claim
profileReturns profile claims (name, picture, etc.)
emailReturns email and email_verified claims
addressReturns address claim
phoneReturns phone_number and phone_number_verified

Refresh token availability is controlled by client metadata and tenant profile. Use the refresh_token grant advertised in discovery instead of assuming an offline_access scope.

  1. Always use PKCE - Prevents authorization code interception
  2. Use state parameter - Prevents CSRF attacks
  3. Use nonce parameter - Prevents ID token replay
  4. Validate ID tokens - Verify signature, issuer, audience, expiration
  5. Use short-lived tokens - Minimize impact of token theft
  6. Implement proper logout - Revoke tokens on logout