Developer Pages

# OIDC Examples

# Client Secret Flow examples

Example client secret redirect for starting the authenticate flow using client credentials:

https://yourbrokerdomain/broker/sp/oidc/authenticate?
client_id=y6VLAK0c2Q0uBtga36BiNmxz7o0AaeaC
&scope=openid
&response_type=code
&redirect_uri=https%3A%2F%2Fyourspdomain%2Foidc%2Flogin%2Fresponse
&state=0386RDbo7CI3MgY_oiqBAuxgOfneNGCHqDrlHg7ltPk
&nonce=tggykvrGuAjqhBk4VA2AWPlQ3M02_GJBnl5pbIOc55w

Via scope a number of things can be communicated. To see all the options, visit the .well-known/openid-configuration endpoint:

https://yourbrokerdomain/broker/sp/oidc/.well-known/openid-configuration

The scopes_supported is a json array and may look like:

"scopes_supported":[
  "openid", 
  "service:saml_sp_1", 
  "service:sp_1", 
  "idp_scoping:beid", 
  "idp_scoping:https://was-preprod1.digid.nl/saml/idp/metadata",
  "idp_scoping:https://was-preprod1.digid.nl/saml/idp/metadata_app", 
  "idp_scoping:https://yourbrokerdomain/broker/authn/ciam", 
  "idp_scoping:uzi-pas", 
  "idp_scoping:urn:etoegang:HM:00000003244440010000:entities:9632",
  "1", 
  "2"]

The following scopes can be identified:

  • openid (indicates you want an id token)
  • service: see for more information the broker services page here
  • idp_scoping: this can be used to convey Identity Provider (IdP) scoping using OIDC (in order to skip the Identity Provider selection screen)
  • indices (these can be used to log in to a certain eHerkenning service index) and will only be present if you have eHerkenning configured as an IdP.

NOTE

In case you want to use one of these scopes, make sure to URL encode it.

For example, scoping a bank in iDIN:

scope=openid%20idp_scoping%3Aidin%20idp_scoping%3ABANKNL2Y%20name

# PKCE Flow examples

Example redirect for starting the authenticate flow using PKCE flow:

https://yourbrokerdomain/broker/sp/oidc/authenticate?
scope=openid
&response_type=code
&redirect_uri=https://yourspdomain/redirect
&state=ade9d8cc37e0424e949b5a6c8049fc3b
&code_challenge_method=S256
&client_id=kdS3agHrJv2i9PiZC4kHAXxWQvG1zaQ5
&code_challenge=VuWTsxohNJ6E6TKGWz2anu5EqLeWReJuz--BR6iyq-c
&response_mode=query

Retrieve the ID token using authorisation code:

https://yourbrokerdomain/broker/sp/oidc/token?
code=A5NEx8VG+/dQHfR8T2fIuP4QYX1V1odhLwsbF6LyOUE=
&grant_type=authorization_code
&redirect_uri=https://yourspdomain/someredirect
&client_id=kdS3agHrJv2i9PiZC4kHAXxWQvG1zaQ5
&code_verifier=f0a0e3cb6d8943d3885410a930783b31a394cf6d6aae4e6882533720d16fec0c952a41ac0d4f4293993990d61ffece48

# Logout examples

For a frontchannel logout, redirect the user to:

https://yourbrokerdomain/broker/sp/oidc/logout?
id_token_hint=eyJraWQiOiJrOFJUVmJFTy1PN09ndGpNdVJmYkVVMlhKalRYcDFVTmlr...
&post_logout_redirect_uri=https%3A%2F%2Fyourdomain/logoutCompleted
Last updated: 9/20/23, 12:13:17 PM UTC

Requested Attributes (OIDC)