Set up an OIDC client
Before you can start authenticating users, you must register an OIDC client in the Signicat Dashboard. An OIDC client comes with a Client ID. Depending on the authentication grant type (flow) you want to implement, you can associate a secret with the client.
On this page, you'll find instructions to set up an OIDC client in the Dashboard. You'll learn how to create and configure a client and prepare yourself to connect to eIDs through the Signicat eID Hub. You can also watch a video that shows how to set up an OIDC client in the Tutorial videos section.
Add a new OIDC client
To add a new OIDC client in the Signicat Dashboard, do the following:
- In the Signicat Dashboard, navigate to Products > eID Hub > OIDC clients.
- Select Add client.
- Configure the following properties:
  - Primary grant type: Choose the grant type you want to implement. We strongly recommend AuthorizationCode. For more information about grant types, refer to the OIDC specification and the OAuth 2.0 specification.
  - Create client from template: Optional. Choose a template to prefill your client configuration.
  - Client name: Enter a name for the client.
  - Redirect URI: Enter the URL where you want to redirect your end-user after they authenticate with an eID. You can add several redirect URIs after you create the client.
  - Scope: Select the scopes for the user attributes you want to retrieve with this client. openid is mandatory. profile and nin are necessary in most cases. You can see the definition of profile and other predefined scopes in the OIDC specification. You can find scope definitions in the documentation for the specific eIDs.
- Select Create to create the new client.
You have now created a new OIDC client. You can view and edit the OIDC client on the Products > eID Hub > OIDC clients page.
Before you start using the client in your app, you might need to add extra configurations. The next sections explain how to configure your client for the type of authentication flow you want to implement.
How to create a client secret
To add a secret to your OIDC client, do the following:
- In the Signicat Dashboard, navigate to Products > eID Hub > OIDC clients.
- Select Edit next to your client name.
- In the client menu, go to the Secrets tab, then select Add secret.
- Enter a name for your client secret, then select Generate secret.
- Copy your new client secret and store it safely.
Make sure you save your client secret. You will only be able to view your client secret once, right after you create it. If you ever forget or lose your client secret, you have to create a new one.
Further OIDC configuration options
Here's an overview of other configuration options that you can set for your client:
- If you want to enable PKCE, click Security > Require PKCE. We strongly recommend using PKCE.
- If you require encryption, you can upload a public key in Advanced > Public keys. If a particular eID requires encryption, you can find more details about how to upload the required public key in the configuration instructions.
- To configure additional redirect URIs, go to URIs, then select Add new.
- To add or remove scopes from your client, go to Access.
Tutorial videos
Set up an OIDC client
This tutorial video shows you how to set up an OpenID Connect Client for our solutions in the Signicat Dashboard.
Try it out!
The website https://oauth.tools/ is an excellent resource made by one of our commercial partners, Curity.
The website allows you to graphically explore and play around with any number of OIDC and OAuth2 flows. This intuitive no-code approach is helpful for understanding all of the different flows and options available in our Dashboard.
You can enter the Signicat Playground directly at https://oauth.tools/signicat or import an existing client, as explained in the Using your account and clients section below.
Using your account and clients
You can test a connection with any existing OIDC client. To do this:
- In the Signicat Dashboard, navigate to Products > eID Hub > OIDC clients and select Edit next to your client.
- In the client page, navigate to the URIs tab and enter https://oauth.tools/callback/code in the Redirect URI field. Then, select Update to save the changes.
- Navigate to the Overview tab, scroll to the bottom and click Try out this client on oauth.tools!. This will redirect you to oauth.tools.
- In the Settings box, select the dropdown under "Select or enter a Client ID" and choose your client ID. This automatically fills in the client secret.
- Review the scopes to match those in your OIDC client configuration in the Dashboard.
- In the Start Flow box, select > Run to start an authentication flow.
To test an authentication flow, you must have at least one active eID in the Signicat Dashboard. To activate an eID in the Dashboard, navigate to the Products > eID Hub > eIDs page.
Now, follow an authentication flow using the test credentials for the eID of choice. For example, you only need an email address to test an Email OTP authentication.
If the authentication is successful, you'll be routed back to oauth.tools, according to the redirect URI (https://oauth.tools/callback/code) you configured in your OIDC client (see step 2 above).
To retrieve the user attributes and review the data, you must first redeem the authorisation code. To do this:
- On the oauth.tools website, scroll to the Redeem Authorization Code box (number 3).
- Select <> Redeem code to fetch the tokens.
- On the right menu, you find the Access Token and the ID token.
- To view the decoded payload of the ID token, scroll to the bottom of the right-side menu.
You have now tested an OIDC authentication flow using your OIDC client. You can explore more flow types and additional OIDC functionality on the https://oauth.tools/ website.
Managing your clients manually
It is also possible to add and manage your clients manually from within the Signicat Playground. To do this:
- Go to https://oauth.tools/signicat.
- On the left-hand side, right-click the 'Signicat Playground' (SP) symbol and select Settings from the menu.
- Click the Clients tab at the top.
- Manage your clients as you please.
- Close this settings view. The clients are now updated.