OpenID Connect (OIDC)
The following sections describe how to set up authentication with OIDC. Instructions are generic and agnostic of any programming language. For a more detailed guide with language-specific examples, see the Code examples for OIDC.
To get started with OIDC, follow these steps:
- Register an OIDC client in the Signicat Dashboard
- Find your Discovery and issuer URL
- Build an authentication request
You can find more details about each step below.
1. Register an OIDC client
Before you can start authenticating users, you must register an OIDC client application in the Signicat Dashboard. An OIDC client comes with a Client ID. Depending on the authentication grant type (flow) you want to implement, you may associate a secret to the client.
To register your OIDC client application in the Signicat Dashboard, do the following:
- In the Signicat Dashboard, navigate to Products > eID and Wallet Hub > OIDC clients.
- Select Add client.
- Configure your OIDC client with these settings:
- Primary grant type: Choose the grant type you want to implement. We strongly recommend AuthorizationCode (Authorization Code flow). Learn more about OIDC grant types in the OIDC specification and the OAuth 2.0 specification.
- Create client from template: Optional. Allows you to use a template to prefill your client configuration. Skip this if you want to customise your configuration.
- Client name: Enter a name for the client.
- Redirect URI: Enter the URL where you want to redirect your end-user after they authenticate with an eID. Note that you can add several redirect URIs after you create the client.
- Scope: Select the scopes for the type of data you want to retrieve with this client.
openid is mandatory. profile and nin are necessary in most cases. You can see the definition of profile and the other predefined scopes in the OIDC specification. Scopes that are specific to an eID are defined in the documentation of that eID.
- Select Create to create the new client.
Congratulations, you have created an OIDC client!
2. Find your Discovery and issuer URL
Depending on how you want to implement your app, you can find:
- The discovery URL:
https://<YOUR_SIGNICAT_DOMAIN>/auth/open/.well-known/openid-configuration. For example, if your domain is https://verybigcorp.signicat.com, your discovery URL is https://verybigcorp.signicat.com/auth/open/.well-known/openid-configuration.
- The issuer URL:
https://<YOUR_SIGNICAT_DOMAIN>/auth/open/. For example, your issuer URL would be https://verybigcorp.signicat.com/auth/open/.
3. Build an authentication request
To start an end-user authentication, your app must direct the end-user to the authorisation endpoint (https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/authorize) with the appropriate set of parameters.
At minimum, an OIDC authorisation request includes:
- client_id: The OIDC client ID of your OIDC client application registered in the Signicat Dashboard
- response_type: The response type for the grant; code for the Authorization Code flow
- redirect_uri: The URL where to redirect end-users after authentication
- scope: Must include openid and any additional scopes for attributes supported by an eID
- state: A random, unguessable value that your app stores in the user's session and compares with the value returned on the redirect URI, to protect against CSRF
- nonce: A random, unguessable value that your app stores in the user's session and compares with the nonce claim in the ID token, to bind the token to this login and protect against replay
Example authentication request (line breaks included for readability):
https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/authorize?
client_id=sandbox-example-client-123
&response_type=code
&redirect_uri=https://myservice.example/redirect
&scope=openid
&acr_values=<ACR_VALUES>
&state=af93kslz
&nonce=bn28sjdp
Your next steps depend on the OIDC flow type you want to implement. After the end-user authenticates, your app exchanges the returned authorization code for tokens and can retrieve the results from the ID token and from the UserInfo endpoint. Before trusting an ID token, verify its signature against the keys published in the discovery document and check its iss, aud, exp and nonce claims.
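The following is an added example, not code from Signicat or from this page, that ties steps 2 and 3 together on the relying-party side: it builds the authorization request with freshly generated state and nonce, checks the state when the end-user comes back on the redirect URI, and checks the ID token claims against the session. It assumes the example domain, client ID and redirect URI used above, a plain dict standing in for a server-side session store, and that the ID token signature has already been verified against the JWKS referenced by the discovery document before the claims are checked.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values: the example domain and client from this page. Replace with your own.
SIGNICAT_DOMAIN = "https://verybigcorp.signicat.com"
ISSUER = f"{SIGNICAT_DOMAIN}/auth/open/"  # must equal the "issuer" value in the discovery document
AUTHORIZE_ENDPOINT = f"{SIGNICAT_DOMAIN}/auth/open/connect/authorize"
CLIENT_ID = "sandbox-example-client-123"
REDIRECT_URI = "https://myservice.example/redirect"

# Stand-in for a server-side session store keyed by the user's session ID (assumption).
sessions = {}


def build_authorization_request(session_id, scopes=("openid", "profile"), acr_values=None):
    """Generate state and nonce, store them in the session, return the authorization URL."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    sessions[session_id] = {"state": state, "nonce": nonce}
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",  # Authorization Code flow
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),  # openid is mandatory
        "state": state,
        "nonce": nonce,
    }
    if acr_values:
        params["acr_values"] = acr_values  # selects the eID, see the eID documentation
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_redirect(session_id, redirect_url):
    """Parse the callback on the redirect URI and return the authorization code.

    Rejects the callback unless the returned state matches the one stored for this
    session, so a code planted by a third party (CSRF) is never exchanged.
    """
    qs = parse_qs(urlparse(redirect_url).query)
    session = sessions.get(session_id)
    received_state = qs.get("state", [""])[0]
    if session is None or not secrets.compare_digest(received_state, session["state"]):
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if "code" not in qs:
        raise ValueError("missing authorization code")
    return qs["code"][0]


def validate_id_token_claims(claims, session_id, now=None):
    """Check the claims of an ID token whose signature was already verified.

    Signature verification against the provider's JWKS (the jwks_uri in the discovery
    document) is assumed to have happened before this call. Returns the subject and
    consumes the session's nonce so the token cannot be replayed against the same login.
    """
    now = int(time.time()) if now is None else now
    session = sessions.get(session_id)
    if session is None:
        raise ValueError("no pending login for this session")
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in audiences:
        raise ValueError("audience mismatch: token was not issued to this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("ID token expired")
    if not secrets.compare_digest(str(claims.get("nonce", "")), session["nonce"]):
        raise ValueError("nonce mismatch: token is not bound to this login")
    sessions.pop(session_id)  # state and nonce are single-use
    return claims["sub"]
```

The state check happens before the error branch on purpose: an error response with a forged state is as untrusted as a forged code. The session entry is dropped once the ID token has been accepted, so a second callback with the same state, or a second token with the same nonce, is rejected.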
Next steps
This guide introduced how the eID and Wallet Hub works in a nutshell. Next, we recommend learning more about OIDC and exploring the eIDs documentation.