# FAQs about OIDC

Get answers to frequently asked questions about your OIDC implementation with Signicat.

# How do I add more redirect URIs?

Go to your OIDC client in the Dashboard and select Edit. In the URIs tab, you can add, change or remove redirect URIs; a client can have several.

# How do I change the allowed scopes?

Go to your OIDC client in the Dashboard and select Edit. In the Access tab, you can manage the allowed scopes.

# I lost or want to change a client secret - what do I do now?

If you lose a client secret, you must generate a new one and update the configuration of every system that used the old one.

The value of an existing client secret cannot be recovered: for security reasons Signicat stores only a hash of the secret, not the secret itself.

Client secrets are generated by Signicat and their value cannot be customised. This is deliberate: a generated secret is random and not reused from elsewhere.

# Why can't I see all the claims in the ID token?

When you create a client, it is configured by default to return only the claims covered by the standard OIDC scopes.

To change this, go to your OIDC client in the Dashboard and select Edit. In the Advanced > Security tab, you can choose the level of Id Token User data.

Other reasons why you may not receive all the claim data:

  • The end-user data is not present in the IdP database.
  • The IdP did not return the data requested.
  • The end-user did not consent to sharing the data.

# How can I get end-users to re-authenticate every time? (Disable SSO)

Passing the query parameter prompt=login in your authorization request forces re-authentication on every request, regardless of any existing session. This is the standard OIDC prompt parameter, so no client configuration change is needed.

# How do I auto-select a specific IdP? (Skip IdP selection screen)

To control which IdP is shown to your end-users, use the acr_values query parameter with the format acr_values=idp:idp_name, where idp_name identifies the IdP you want to pre-select.

Learn more about this feature in the IdP discovery documentation.

# How do I show only certain IdPs?

Go to your OIDC client in the Dashboard and select Edit. In the Access tab, you can configure the Identity provider restrictions.

Learn more about this feature in the IdP discovery documentation.

# How do I enable PKCE?

Go to your OIDC client in the Dashboard and select Edit. In the Advanced > Security tab, tick the Require PKCE box. Your client must then send a code_challenge with every authorization request and the matching code_verifier with the token request.

We strongly recommend using PKCE. See the section on Advanced security considerations for further information.
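What the relying party has to do once Require PKCE is ticked, combined with the request parameters discussed on this page (prompt=login, acr_values=idp:idp_name, ui_locales), as an added example that is not Signicat's code. The authorization endpoint URL, client identifier, redirect URI and idp_name are placeholders; the code follows RFC 7636 (S256 method) rather than any Signicat-specific behaviour.

```python
"""Build an OIDC authorization request with PKCE (RFC 7636, S256)."""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint, not taken from the page or from Signicat documentation.
AUTHORIZE_ENDPOINT = "https://idp.example.test/auth/open/connect/authorize"


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding PKCE mandates."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 unreserved characters,
    the minimum length RFC 7636 allows (maximum is 128)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id: str, redirect_uri: str, scope: str, state: str,
                            nonce: str, code_challenge: str, prompt: Optional[str] = None,
                            acr_values: Optional[str] = None, ui_locales: Optional[str] = None,
                            login_hint: Optional[str] = None) -> str:
    """Front-channel request: only the challenge travels here, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    # Optional parameters covered by the FAQs above.
    for name, value in (("prompt", prompt), ("acr_values", acr_values),
                        ("ui_locales", ui_locales), ("login_hint", login_hint)):
        if value:
            params[name] = value
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def token_request_body(code: str, redirect_uri: str, client_id: str,
                       code_verifier: str, client_secret: Optional[str] = None) -> dict:
    """Back-channel token request: the verifier is sent here, over TLS only."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }
    if client_secret:  # confidential clients also authenticate; PKCE is additional
        body["client_secret"] = client_secret
    return body


def server_checks_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time."""
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


def authorization_params(url: str) -> dict:
    """Decode the query string of an authorization URL (for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    verifier = make_code_verifier()          # keep this in the user's server-side session
    challenge = code_challenge_s256(verifier)
    url = build_authorization_url("my-client-id", "https://app.example.test/callback",
                                  "openid profile", state=secrets.token_urlsafe(16),
                                  nonce=secrets.token_urlsafe(16), code_challenge=challenge,
                                  prompt="login", acr_values="idp:idp_name", ui_locales="nb")
    print(url)
    print(token_request_body("<code from callback>", "https://app.example.test/callback",
                             "my-client-id", verifier))
```

The verifier is stored server-side with the user's session and sent only in the back-channel token request; an attacker who captures the authorization code from the redirect cannot redeem it without the verifier, which is the property PKCE adds.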

# How do I enable additional encryption and/or signing of messages?

There are two supported options:

  1. Signicat sends you encrypted/signed responses. Learn more here.
  2. You send encrypted/signed requests to Signicat. Learn more here.

# How do I change the language in the authentication flow?

Localisation best practice is to let users control their language preferences. Browsers send the user's configured language preferences in the Accept-Language request header.

Signicat uses those preferred languages when available. The fallback language is English by default. Note that an IdP may support only a limited set of languages, typically English and the IdP's native language.

If you want to override the end-user's language preferences, use the ui_locales query parameter in the authorization request, as defined in the OIDC specification.

# How do I send prefilled information?

See the login_hint documentation.

# Can I send extra information in a request, and get it in a response?

The OIDC/OAuth specifications do not define a recommended way to do this. The OAuth 2.0 specification requires redirect URIs to be absolute URIs, and the redirect URI must match one registered on your client, so you cannot append per-request data to it.

Ideally, your system should be agnostic: it should handle authentication requests and complete the process based solely on the end-user data obtained from the ID token.

If this is not possible, you can consider encoding data in the state parameter. This is not an official method but a widespread workaround. The data can be base64 encoded, a hash or a reference to data stored server-side, or a compact JWT. Whatever you embed, the state must still be unguessable per request so that it keeps its CSRF-protection role, and you should protect the embedded data against tampering (for example with a MAC or signature) because it comes back through the end-user's browser.
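One way to apply the workaround above while keeping the state's CSRF role, as an added example that is not Signicat's code. The application data is serialised as JSON, base64url-encoded and bound with an HMAC-SHA256 tag; a random per-request token and an expiry are added to the payload. The callback handler first compares the returned state with the one saved in the user's session, then verifies the tag. The key, the sample payload and the callback query are constructed for the example.

```python
"""Carry application data through the OIDC state parameter without losing its
CSRF-protection role. state = base64url(JSON payload) + "." + base64url(HMAC tag)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(body: str, key: bytes) -> str:
    """HMAC-SHA256 over the encoded payload, base64url-encoded."""
    return _b64url_encode(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def make_state(app_data: dict, key: bytes, now: Optional[int] = None, ttl: int = 600) -> str:
    """Embed app_data in the state together with a fresh random token and an expiry.
    The random token keeps the state unguessable; the tag makes any change to the
    embedded data detectable when the state comes back through the browser."""
    payload = dict(app_data)
    payload["csrf"] = secrets.token_urlsafe(16)
    payload["exp"] = int(time.time() if now is None else now) + ttl
    body = _b64url_encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    return f"{body}.{_tag(body, key)}"


def parse_state(state: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the tag verifies and the state has not expired, else None."""
    body, sep, tag = state.partition(".")
    if not sep:
        return None
    if not hmac.compare_digest(_tag(body, key), tag):
        return None  # modified payload, or produced under a different key
    try:
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) < int(time.time() if now is None else now):
        return None  # stale state, e.g. a replayed redirect
    return payload


def handle_callback(query: dict, session_state: Optional[str], key: bytes,
                    now: Optional[int] = None) -> Optional[dict]:
    """Redirect-URI handler: the returned state must equal the one stored in the
    user's session before the redirect (the CSRF check) and verify under the key."""
    returned = query.get("state")
    if returned is None or session_state is None:
        return None
    if not hmac.compare_digest(returned.encode("utf-8"), session_state.encode("utf-8")):
        return None
    return parse_state(returned, key, now)


if __name__ == "__main__":
    KEY = secrets.token_bytes(32)  # constructed; in practice a persistent server-side secret
    st = make_state({"return_to": "/orders/42"}, KEY)
    # Constructed callback query, as the browser would deliver it to the redirect URI.
    print(handle_callback({"code": "authorization-code", "state": st}, st, KEY))
    print(handle_callback({"code": "authorization-code", "state": "x" + st[1:]}, st, KEY))
```

If the embedded data is sensitive, store it server-side and put only an opaque reference in the payload; the tag and the session comparison then still protect the reference from substitution.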

Last updated: 08/05/2024 11:49 UTC