Connecting to OpenID Connect Identity Providers (Beta)
Auth0 provides an OpenID Connect connection that enables you to connect to OIDC compliant identity providers.
To create a new OpenID Connect connection, you'll need to complete the following fields:
Connection Name: The logical identifier for your Connection. It cannot be changed and needs to be unique for the tenant.
Issuer URL: The URL where Auth0 can find the OpenID Provider Configuration Document, which should be available at the /.well-known/openid-configuration endpoint. You can enter the base URL or the full URL. You will see a green checkmark if the document is found at that location, a red mark if it cannot be found, or an error message if the document is found but the required information is not present in it.
Client ID: The Client ID for the client that is defined in the target identity provider. It's different for each provider, so please check the provider's documentation.
Client Secret: In case the OIDC provider does not support front-channel authentication, Auth0 will prompt for the Client Secret. The client secret is usually available in the OIDC provider client configuration page.
You need to make sure that the Callback URL shown is added as a valid callback URL in the client application identified by the Client ID specified above. Note that if you are using a Custom Domain, the callback URL should point to it.
Next, you will see a list of your registered applications with the option to enable the new connection for any of them.
That's it! You are now ready to test and start using your connection.
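The Issuer URL check described above, as an added Python example (not Auth0's code): it accepts either the base URL or the full discovery URL, fetches the document, and reports the same three outcomes as the UI (found, not found, found but incomplete), plus a check a practitioner would want that the document's issuer matches the location it was served from. The fetcher is injectable, and the sample documents and hostnames are constructed, so it runs offline.

```python
"""Resolve and validate an OIDC issuer's discovery document, mirroring the
Issuer URL check on this page.  Added example, not Auth0 code.  The fetcher
is injectable so the checks below run offline against constructed documents."""
import json
from urllib.parse import urlsplit, urlunsplit
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/openid-configuration"
# Metadata needed for any connection; token_endpoint is needed only for the
# authorization code (Back Channel) flow.  Assumed from the page's text.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri")


def discovery_url(issuer_url: str) -> str:
    """Accept either the base issuer URL or the full discovery URL."""
    parts = urlsplit(issuer_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer URL must be an absolute https URL")
    path = parts.path.rstrip("/")
    if not path.endswith(WELL_KNOWN):
        path += WELL_KNOWN
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def expected_issuer(issuer_url: str) -> str:
    """Issuer the document must declare: the discovery URL minus the
    well-known suffix (OpenID Connect Discovery 1.0, section 4.3)."""
    return discovery_url(issuer_url)[: -len(WELL_KNOWN)]


def http_fetch(url: str) -> dict:
    """Default fetcher: a real HTTPS GET of the discovery document."""
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


def check_issuer(issuer_url: str, fetch=http_fetch) -> dict:
    """Return the outcome the UI shows: 'ok' (green check), 'not_found'
    (red mark) or 'invalid' (document found but unusable)."""
    url = discovery_url(issuer_url)
    try:
        doc = fetch(url)
    except Exception as exc:  # 404, DNS failure, non-JSON body, ...
        return {"status": "not_found", "url": url, "reason": str(exc)}
    missing = [f for f in REQUIRED if not doc.get(f)]
    if missing:
        return {"status": "invalid", "url": url, "reason": f"missing {missing}"}
    if doc["issuer"].rstrip("/") != expected_issuer(issuer_url):
        # A document that names a different issuer than the location it was
        # served from is a misconfiguration at best; refuse it rather than
        # trusting tokens issued under a name you did not ask for.
        return {"status": "invalid", "url": url,
                "reason": "issuer mismatch: " + doc["issuer"]}
    response_types = doc.get("response_types_supported", [])
    return {
        "status": "ok",
        "url": url,
        "front_channel": "id_token" in response_types,
        "back_channel": "code" in response_types and bool(doc.get("token_endpoint")),
    }


# Constructed sample documents (not captured from any real provider).
SAMPLE_DOCS = {
    "https://idp.example.com" + WELL_KNOWN: {
        "issuer": "https://idp.example.com",
        "authorization_endpoint": "https://idp.example.com/authorize",
        "token_endpoint": "https://idp.example.com/oauth/token",
        "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
        "response_types_supported": ["code", "id_token"],
    },
    # Served from one host but claiming to be another issuer.
    "https://mirror.example.net" + WELL_KNOWN: {
        "issuer": "https://idp.example.com",
        "authorization_endpoint": "https://mirror.example.net/authorize",
        "jwks_uri": "https://mirror.example.net/jwks",
    },
    # Present but incomplete: no jwks_uri, so ID tokens cannot be verified.
    "https://bare.example.org" + WELL_KNOWN: {
        "issuer": "https://bare.example.org",
        "authorization_endpoint": "https://bare.example.org/authorize",
    },
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for http_fetch over the constructed documents."""
    if url not in SAMPLE_DOCS:
        raise FileNotFoundError("HTTP 404 for " + url)
    return dict(SAMPLE_DOCS[url])


if __name__ == "__main__":
    for issuer in ("https://idp.example.com",
                   "https://idp.example.com/.well-known/openid-configuration",
                   "https://mirror.example.net", "https://bare.example.org",
                   "https://nowhere.example"):
        print(issuer, "->", check_issuer(issuer, fake_fetch))
```

The `front_channel` / `back_channel` flags only say what the metadata advertises; as the Type setting below notes, an individual client registration at the provider may support less than the metadata claims.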
Additional customization options
If you edit the OpenID Connect connection, you will see additional configuration options:
Display Name: The name that will be used in the Login screen for the New Universal Login Experience to identify the connection. In the Classic Universal Login Experience, the connection name will be used instead.
Icon URL: The icon that will be used in the Login screen for the New Universal Login Experience to identify the connection. In the Classic Universal Login Experience, a default icon will be used.
Type: Determines which OIDC flow will be used when authenticating with the OIDC provider. You may need to adjust it if the OIDC metadata claims to support both but the specific client only supports Back Channel.
- Front Channel: Auth0 will use response_type=id_token. This is the preferred option, as it does not require a client secret.
- Back Channel: Auth0 will use the authorization code flow with
IdP Domains: The list of email domains that can be authenticated in the Identity Provider. This is only applicable when using Identifier First authentication in the Classic Universal Login Experience.
Scopes: The list of OAuth scopes that will be requested when connecting to the identity provider. This will affect the data stored in the user profile. You are required to include at least the 'openid' scope. Note that the connection does not call the /userinfo endpoint and expects the user claims to be present in the
Manually configuring Issuer metadata
If you click Show Issuer Details, you can see the data returned by the Issuer URL endpoint and adjust it if you need to.
Federating with Auth0
The OpenID Connect connection is very useful when federating to another Auth0 tenant. Just enter your Auth0 tenant URL in the 'Issuer' field (such as https://<tenant>.auth0.com), and the Client ID for any application in that tenant in the 'Client ID' field.
Configuring the connection using the Management API
The connection can also be created with the Management API, either by providing a metadata (discovery) URL or by setting the OIDC URLs explicitly. The four combinations are:
- Front Channel with discovery endpoint
- Back Channel with discovery endpoint
- Front Channel specifying issuer settings
- Back Channel specifying issuer settings
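The four Management API scenarios above, as an added Python example that is not Auth0's own sample code. The endpoint (POST /api/v2/connections with strategy "oidc") and the `enabled_clients` field are Management API fields; the option keys used (type, discovery_url, issuer, authorization_endpoint, token_endpoint, jwks_uri, client_id, client_secret, scopes) are assumptions derived from the settings described on this page and should be checked against the Management API reference before use. Hostnames, client IDs and the secret are placeholders. The builder enforces the rules stated on this page (the openid scope is required; Back Channel needs a client secret; use either a discovery URL or explicit issuer settings) before anything is sent.

```python
"""Build and submit the Management API request that creates an OIDC
connection.  Added example, not Auth0 code; the option keys are assumed
from this page's settings and must be checked against the API reference."""
import json
from urllib.request import Request, urlopen

FRONT, BACK = "front_channel", "back_channel"


def oidc_connection(name, channel, client_id, scopes="openid profile email",
                    client_secret=None, discovery_url=None, issuer=None,
                    authorization_endpoint=None, token_endpoint=None,
                    jwks_uri=None, enabled_clients=()):
    """Return the JSON body for POST /api/v2/connections, enforcing the
    rules stated on the page before anything is sent to the tenant."""
    if channel not in (FRONT, BACK):
        raise ValueError("channel must be front_channel or back_channel")
    if "openid" not in scopes.split():
        raise ValueError("the openid scope is required")
    if channel == BACK and not client_secret:
        raise ValueError("back_channel (authorization code flow) needs a client secret")
    options = {"type": channel, "client_id": client_id, "scopes": scopes}
    if discovery_url:
        if any((issuer, authorization_endpoint, token_endpoint, jwks_uri)):
            raise ValueError("give either discovery_url or explicit issuer settings, not both")
        options["discovery_url"] = discovery_url
    else:
        explicit = {"issuer": issuer,
                    "authorization_endpoint": authorization_endpoint,
                    "jwks_uri": jwks_uri}
        if channel == BACK:  # only the code flow exchanges at the token endpoint
            explicit["token_endpoint"] = token_endpoint
        missing = [k for k, v in explicit.items() if not v]
        if missing:
            raise ValueError(f"explicit issuer settings missing {missing}")
        options.update(explicit)
    if client_secret:
        options["client_secret"] = client_secret
    return {"strategy": "oidc", "name": name, "options": options,
            "enabled_clients": list(enabled_clients)}


def rejected(**kwargs) -> bool:
    """True if oidc_connection refuses the given settings."""
    try:
        oidc_connection(**kwargs)
    except ValueError:
        return True
    return False


def create_connection(domain, mgmt_token, body):
    """POST the body to the tenant's Management API (token needs the
    create:connections scope).  Real network call; not run here."""
    req = Request(f"https://{domain}/api/v2/connections",
                  data=json.dumps(body).encode(),
                  headers={"Authorization": f"Bearer {mgmt_token}",
                           "Content-Type": "application/json"},
                  method="POST")
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


# The four scenarios listed on the page; hosts, IDs and secret are placeholders.
DISCOVERY = "https://idp.example.com/.well-known/openid-configuration"
FRONT_DISCOVERY = oidc_connection("partner-oidc", FRONT, "IDP_CLIENT_ID",
                                  discovery_url=DISCOVERY)
BACK_DISCOVERY = oidc_connection("partner-oidc", BACK, "IDP_CLIENT_ID",
                                 client_secret="IDP_CLIENT_SECRET",
                                 discovery_url=DISCOVERY)
FRONT_EXPLICIT = oidc_connection("partner-oidc", FRONT, "IDP_CLIENT_ID",
                                 issuer="https://idp.example.com",
                                 authorization_endpoint="https://idp.example.com/authorize",
                                 jwks_uri="https://idp.example.com/.well-known/jwks.json")
BACK_EXPLICIT = oidc_connection("partner-oidc", BACK, "IDP_CLIENT_ID",
                                client_secret="IDP_CLIENT_SECRET",
                                issuer="https://idp.example.com",
                                authorization_endpoint="https://idp.example.com/authorize",
                                token_endpoint="https://idp.example.com/oauth/token",
                                jwks_uri="https://idp.example.com/.well-known/jwks.json")

if __name__ == "__main__":
    print(json.dumps(BACK_EXPLICIT, indent=2))
    # create_connection("YOUR_TENANT.auth0.com", "MGMT_API_TOKEN", BACK_DISCOVERY)
```

Pass the client IDs of the applications that should be able to use the connection in `enabled_clients`; this is the same step as the application list shown after creating the connection in the Dashboard.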
While in Beta, we'll be answering questions and receiving feedback in our Community Section for the OIDC Connection Beta Program.