OpenID Connect

How to Configure an application or an API with OpenID Connect?

Emmanuel Gautier

Developers need to configure their applications or APIs to work with OpenID Connect. Depending on the framework, libraries or OpenID Connect Provider itself, the configuration can be done in different ways. In this article, we will explore the different ways to configure an application or an API with OpenID Connect.

Automatic Configuration with OpenID Connect Discovery

OpenID Connect provides a discovery endpoint that allows clients to automatically discover the configuration details of the OpenID Connect Provider. The discovery endpoint is a well-known URL that provides metadata about the OpenID Connect Provider, including the authorization endpoint, token endpoint, userinfo endpoint, and other configuration details.

This method is the recommended way to configure an application, as it simplifies the process and avoids hardcoding the configuration details. The discovery endpoint is usually located at /.well-known/openid-configuration on the OpenID Connect Provider's domain.

Most libraries have built-in support for retrieving the configuration details from the discovery endpoint. The retrieved configuration can be cached to avoid making repeated requests to the discovery endpoint.

Manual Configuration

If automatic configuration is not possible or not desired (for example because the library does not support it, or the provider exposes no discovery endpoint), the configuration can be done manually. In this case, the developer needs to provide the configuration details to the application or API.

The configuration details include the following:

  • Issuer: The URL of the OpenID Connect Provider.
  • Authorization Endpoint: The URL where the client can initiate the authorization request.
  • Token Endpoint: The URL where the client can exchange the authorization code for an access token.
  • Token Authentication Method: The method used to authenticate the client at the token endpoint (e.g., client secret, private key).
  • Userinfo Endpoint: The URL where the client can retrieve the user's profile information.
  • JWKS URI: The URL where the client can retrieve the JSON Web Key Set (JWKS) used to verify the ID token signature.
  • Client ID: The client identifier issued by the OpenID Connect Provider.
  • Client Secret: The client secret issued by the OpenID Connect Provider (if using the client credentials flow).
  • Redirect URI: The URL where the OpenID Connect Provider will redirect the user after authentication.
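As an added example (not code from the article or from CerberAuth), the following Python module covers both sections above: it builds a validated provider configuration either from a discovery document fetched at `/.well-known/openid-configuration` or from manually supplied values, checks that the issuer inside the document matches the issuer it was fetched for, rejects non-https endpoints and unsupported token endpoint authentication methods, and caches the result for a TTL. The provider host `idp.example.com` and the discovery document are constructed for this example.

```python
"""Added example (not from the article): validated OpenID Connect provider
configuration from discovery or manual settings, with caching. The provider
host and discovery document below are constructed."""
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse

# Metadata keys a relying party needs; names are the OpenID Connect Discovery keys.
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ALLOWED_AUTH_METHODS = ("client_secret_basic", "client_secret_post", "private_key_jwt")

# Constructed discovery document for the hypothetical provider https://idp.example.com
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
})


class ConfigError(ValueError):
    """Raised when a configuration is incomplete or fails a safety check."""


@dataclass(frozen=True)
class ProviderConfig:
    issuer: str
    authorization_endpoint: str
    token_endpoint: str
    jwks_uri: str
    token_endpoint_auth_method: str
    userinfo_endpoint: Optional[str] = None


def discovery_url(issuer: str) -> str:
    """The well-known location of the discovery document for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _require_https(name: str, url: str) -> None:
    # Every endpoint carries credentials or tokens, so only absolute https URLs are accepted.
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ConfigError(f"{name} must be an absolute https URL, got {url!r}")


def manual_config(issuer: str, authorization_endpoint: str, token_endpoint: str,
                  jwks_uri: str, token_endpoint_auth_method: str,
                  userinfo_endpoint: Optional[str] = None) -> ProviderConfig:
    """Validate manually supplied configuration details (the list above)."""
    endpoints = {"issuer": issuer, "authorization_endpoint": authorization_endpoint,
                 "token_endpoint": token_endpoint, "jwks_uri": jwks_uri}
    if userinfo_endpoint is not None:
        endpoints["userinfo_endpoint"] = userinfo_endpoint
    for name, url in endpoints.items():
        _require_https(name, url)
    if token_endpoint_auth_method not in ALLOWED_AUTH_METHODS:
        raise ConfigError(f"unsupported token endpoint auth method {token_endpoint_auth_method!r}")
    return ProviderConfig(issuer, authorization_endpoint, token_endpoint, jwks_uri,
                          token_endpoint_auth_method, userinfo_endpoint)


def config_from_discovery(expected_issuer: str, document: str,
                          token_endpoint_auth_method: str = "client_secret_basic") -> ProviderConfig:
    """Parse a discovery document fetched from discovery_url(expected_issuer)."""
    meta = json.loads(document)
    missing = [key for key in REQUIRED_METADATA if key not in meta]
    if missing:
        raise ConfigError(f"discovery document lacks required keys: {missing}")
    # The issuer inside the document must be identical to the issuer the document
    # was fetched for; a mismatch means the metadata describes a different provider.
    if meta["issuer"] != expected_issuer:
        raise ConfigError(f"issuer mismatch: expected {expected_issuer!r}, got {meta['issuer']!r}")
    # Discovery defaults to client_secret_basic when the provider lists no methods.
    supported = meta.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if token_endpoint_auth_method not in supported:
        raise ConfigError(f"provider does not support {token_endpoint_auth_method!r}")
    return manual_config(meta["issuer"], meta["authorization_endpoint"], meta["token_endpoint"],
                         meta["jwks_uri"], token_endpoint_auth_method, meta.get("userinfo_endpoint"))


class ConfigCache:
    """Keep a loaded ProviderConfig for ttl_seconds so the discovery endpoint
    is not requested on every authentication."""

    def __init__(self, loader: Callable[[], ProviderConfig], ttl_seconds: float = 3600,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._loader, self._ttl, self._clock = loader, ttl_seconds, clock
        self._value: Optional[ProviderConfig] = None
        self._expires_at = 0.0

    def get(self) -> ProviderConfig:
        now = self._clock()
        if self._value is None or now >= self._expires_at:
            self._value = self._loader()  # re-fetch and re-validate after expiry
            self._expires_at = now + self._ttl
        return self._value
```

In a real deployment the `loader` passed to `ConfigCache` would perform the HTTPS request to `discovery_url(issuer)` and hand the body to `config_from_discovery`; the issuer comparison is what makes the automatic path as trustworthy as a hand-checked manual configuration.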

Written by

Emmanuel Gautier

CerberAuth Founder and Core Contributor