
Use SecureAuth as an OpenID Connect (OIDC) Provider

This guide walks you through configuring SecureAuth as an OIDC-compliant Identity Provider (OP).

What is OpenID Connect?

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. It lets applications verify who a user is and fetch basic profile data using a signed ID Token, without the application handling passwords directly or building its own login system.

OIDC is the default choice for modern auth integrations:

  • Standardized. Every major language and framework has mature libraries for validating ID Tokens.
  • Works for first-party apps too, not just for "Sign in with Google" scenarios. Teams increasingly use OIDC for their own consumer apps, internal tools, and B2B portals because it centralizes authentication, enables single sign-on across a product suite, and keeps business logic out of the auth path.
  • Composable. The same flow supports SSO, multi-factor authentication, and social login without changing the client.

SecureAuth runs as an OIDC-compliant OpenID Provider (OP), issuing ID and Access Tokens that any standard OIDC client can consume.

Authorization Code flow with PKCE

1. Register an OIDC Client

  • Go to Tenant Settings → Applications
  • Click Add Application
  • Choose the client type (Confidential or Public) and the application type (Web, SPA, or Native), and set the redirect URI.
  • Enable Authorization Code grant and add scopes like openid, profile, email.

2. Connect Identity Sources

Let users authenticate through:

3. Redirect to Authorize Endpoint

Construct the following URL to initiate login:

https://{tenant-domain}/{workspace}/oauth2/authorize?
client_id={CLIENT_ID}&response_type=code&
redirect_uri={REDIRECT_URI}&scope=openid profile email&
state={STATE}&code_challenge={PKCE_CHALLENGE}&code_challenge_method=S256

4. Exchange Code for Tokens

Send a POST request to the token endpoint:

POST https://{tenant-domain}/system/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
client_id={CLIENT_ID}&
client_secret={CLIENT_SECRET}&
code={AUTH_CODE}&
redirect_uri={REDIRECT_URI}&
code_verifier={PKCE_VERIFIER}
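Steps 3 and 4 from the client's side, as an added example that is not part of this guide or of any SecureAuth SDK: start_login generates the PKCE pair and a random state, keeps them for the callback, and builds the authorize URL from the guide's template; handle_callback checks the returned state before assembling the form body for the token POST. The tenant, workspace, client id and redirect URI are made-up stand-ins for the guide's placeholders. The nonce parameter is not in the guide's URL; it is the standard OIDC parameter that the OP echoes into the ID Token so the client can tie the token to this login attempt.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed stand-ins for the guide's placeholders (not real SecureAuth values).
TENANT, WORKSPACE, CLIENT_ID = "tenant.example", "demo-workspace", "demo-client"
REDIRECT_URI = "https://app.example/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_pair() -> tuple[str, str]:
    """RFC 7636 S256: random verifier, challenge = BASE64URL(SHA-256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


def start_login() -> tuple[str, dict]:
    """Step 3: the authorize URL plus the per-login values the client keeps
    server-side (or in a secure cookie) until the callback arrives."""
    verifier, challenge = pkce_pair()
    session = {"state": b64url(secrets.token_bytes(16)),
               "nonce": b64url(secrets.token_bytes(16)),  # not in the guide's URL; the
               "code_verifier": verifier}                 # standard OIDC nonce parameter
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "scope": "openid profile email",
              "state": session["state"], "nonce": session["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"https://{TENANT}/{WORKSPACE}/oauth2/authorize?" + urlencode(params), session


def handle_callback(callback_url: str, session: dict, client_secret: str | None = None) -> str:
    """Step 4: check the redirect back to us, then build the body of the token POST."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:  # the OP reports denial or misconfiguration here instead of a code
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    # A callback whose state is not the one we issued is not our login: do not
    # redeem its code. The session values are single-use; discard them afterwards.
    if not code or not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: this callback is not the login we started")
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID, "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": session["code_verifier"]}
    if client_secret:  # confidential clients only; public clients (SPA, native) send none
        body["client_secret"] = client_secret
    return urlencode(body)


if __name__ == "__main__":
    url, sess = start_login()
    print(url)
    # Constructed callback, as the browser would deliver it after a successful login.
    print(handle_callback(f"{REDIRECT_URI}?code=abc123&state={sess['state']}", sess))
```

The token body is sent with Content-Type application/x-www-form-urlencoded to the token endpoint from the guide; the code_verifier is what lets the OP confirm that the same client that started the login is finishing it.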

5. Validate the ID Token

Use a JWT library to validate:

  • the iss, aud, and exp claims
  • the signature, using the JWKS that the metadata document points to (jwks_uri)

Metadata URL:

https://{tenant-domain}/{workspace}/.well-known/openid-configuration
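Step 5 as an added example, not code from this guide or from SecureAuth: validate_id_token performs the checks a JWT library performs when you hand it the JWKS and the expected issuer and client id (algorithm pinning, kid lookup, RS256 signature verification, then iss, aud, exp and nonce). So that it runs offline, the block also carries a deliberately minimal RSA implementation and mints a sample ID Token under a constructed key; the issuer and client id are assumed values, and in a real client you fetch the JWKS from the jwks_uri in the metadata document and use a maintained library rather than the RSA code shown here.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed stand-ins for the guide's placeholders (not real SecureAuth values).
# ISSUER is assumed to equal the 'issuer' field of the metadata document.
ISSUER = "https://tenant.example/demo-workspace"
CLIENT_ID = "demo-client"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Demo-only RS256 (RSASSA-PKCS1-v1_5 with SHA-256) so the sample can mint a token
# and a JWKS offline. A real client uses a JWT library and fetches jwks_uri.
_SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin for odd n > 3 (every candidate below is built that way)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_rsa_key(bits: int = 1024) -> dict:
    """Constructed demo key pair; far too small for real use."""
    def prime(b: int) -> int:
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1  # odd, exactly b bits
            if _probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def jwks_for(key: dict, kid: str) -> dict:
    """The document the OP would publish at jwks_uri for this key."""
    i2b = lambda i: b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": i2b(key["n"]), "e": i2b(key["e"])}]}


def sign_id_token(claims: dict, key: dict, kid: str) -> str:
    """Stands in for the OP minting the ID Token."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url(pow(m, key["d"], key["n"]).to_bytes(k, "big"))


# Step 5: the checks a JWT library performs with the JWKS and the expected values.
# Malformed input raises ValueError from split/decode; callers treat any
# ValueError as "token rejected".
def validate_id_token(token: str, jwks: dict, nonce: str | None = None, now: float | None = None) -> dict:
    now = time.time() if now is None else now
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":  # pin the algorithm; reject 'none' and downgrades
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:  # a real client re-fetches the JWKS once here (key rotation), then fails
        raise ValueError("unknown kid")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    recovered = pow(int.from_bytes(b64url_decode(s), "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, _emsa_pkcs1_v15(f"{h}.{p}".encode(), k)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # claims are trusted only after the signature check
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims
```

Points worth keeping when you switch to a real library: pass the expected algorithm, issuer and audience to it explicitly instead of trusting the token header, treat an unknown kid as a reason to refresh the JWKS once and then fail, and read claims only after the signature check has passed.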

6. Customize Claims

7. Next Steps

See also