Other OIDC Provider

If you are using an OIDC provider other than the ones for which we have a specific guide, follow these general instructions to configure your OIDC provider.

Creating the Client Application

Create a Public OpenID Connect client.
- OpenID Connect clients may also be referred to as OIDC clients or OAuth clients.
- The technical term for a public OIDC client is Authorization Code Flow + PKCE.
- If provided with the option, disable client credentials—you do not need to provide a client secret to oidc-spa.
- Some providers will ask you to select an application type and choose between Single Page Application (SPA), Web Application (or Web Server App), and Mobile App. Select SPA.
- You may need to explicitly provide a Client ID, or it may be generated automatically. This is the clientId parameter required by oidc-spa.
Valid Redirect URIs: https://my-app.com/ and http://localhost:5173/
- The trailing slash (/) is important.
- If your app is hosted on a subpath (e.g., /dashboard), set: https://my-app.com/dashboard/ and http://localhost:5173/dashboard/
- Port 5173 is the default for the Vite dev server; adjust as needed for your setup.
Valid Post-Logout Redirect URIs: Use the same values as the Valid Redirect URIs.
Web Origins: https://my-app.com, http://localhost:5173

How Do I Find the `issuerUri`?

The issuer URI is not always clearly documented—it depends on the provider.

If you are given a Discovery URL like:

https://XXX/.well-known/openid-configuration

Then your issuerUri is:

https://XXX

If you suspect a URL might be the issuer URI but are unsure, append /.well-known/openid-configuration to it and open it in a web browser. If it returns a JSON response, then you have found your issuer URI!

Scopes and Audience

Some OIDC providers require the client (oidc-spa) to explicitly request a specific scope or audience to issue a JWT access token. Unfortunately, the configuration varies significantly between providers.

For example:

Auth0 requires you to "Create an API" and specify an audience.
Microsoft Entra ID requires you to "register an application" and specify a scope.

PreviousGoogle OAuth 2.0 NextWhy No Client Secret?

Last updated 18 days ago

Was this helpful?

Creating the Client Application

Create a Public OpenID Connect client.

OpenID Connect clients may also be referred to as OIDC clients or OAuth clients.
The technical term for a public OIDC client is Authorization Code Flow + PKCE.
If provided with the option, disable client credentials—you do not need to provide a client secret to oidc-spa.
Some providers will ask you to select an application type and choose between Single Page Application (SPA), Web Application (or Web Server App), and Mobile App. Select SPA.
You may need to explicitly provide a Client ID, or it may be generated automatically. This is the clientId parameter required by oidc-spa.

Valid Redirect URIs: https://my-app.com/ and http://localhost:5173/

The trailing slash (/) is important.
If your app is hosted on a subpath (e.g., /dashboard), set: https://my-app.com/dashboard/ and http://localhost:5173/dashboard/
Port 5173 is the default for the Vite dev server; adjust as needed for your setup.

Valid Post-Logout Redirect URIs: Use the same values as the Valid Redirect URIs.

Web Origins: https://my-app.com, http://localhost:5173

How Do I Find the issuerUri?

The issuer URI is not always clearly documented—it depends on the provider.

If you are given a Discovery URL like:

https://XXX/.well-known/openid-configuration

Then your issuerUri is:

https://XXX

Scopes and Audience

For example:

Creating the Client Application

How Do I Find the issuerUri?

Scopes and Audience

Creating the Client Application

How Do I Find the issuerUri?

Scopes and Audience

How Do I Find the `issuerUri`?

How Do I Find the `issuerUri`?