# Add login with an OpenID Connect identity provider
You can add standard OpenID Connect login to your applications using an external OpenID Connect (OIDC) identity provider (IdP) and enable users to log in to your applications while maintaining their accounts in the external identity providers.
Follow this guide to register an OIDC IdP in Asgardeo and add it to the login flow of your application.
# Register Asgardeo in the IdP
You need to register an OpenID Connect application with the external identity provider. Follow the identity provider's documentation to learn how to register an OIDC application.
You can use the following URL as the callback URL of the application.
Once you register an application, you will receive the following:
- client_id (also known as
- client_secret (also known as
Check the documentation of the OIDC identity provider and get the following endpoints:
- Authorization Endpoint URL
- Token Endpoint URL
- User Info endpoint (optional)
- Logout endpoint (optional)
# Register the OIDC IdP
Now, let's register the OIDC IdP in Asgardeo.
On the Asgardeo console, click Develop > Connections.
Click New Connections and select Standard-Based IdP.
Provide a unique identity provider name, select OpenID Connect, and click Next.
Enter the following details of the external OIDC identity provider and click Next:
| Parameter | Description |
|---|---|
| Client ID | The client ID obtained from the external identity provider. |
| Client secret | The client secret obtained from the external identity provider. |
| Authorization endpoint URL | The authorization endpoint of the external identity provider. |
| Token endpoint URL | The token endpoint of the external identity provider. |
(Optional) Provide the mode of certificate configuration.
You can either configure a JWKS endpoint or upload a certificate of the external party. Asgardeo uses this key material to validate the signature of the assertions sent by the external identity provider.
- JWKS endpoint: The JWKS endpoint of the external identity provider.
- Use PEM certificate: Upload or paste the public certificate of the external identity provider. The certificate should be in PEM format.
If you have a certificate in another format, such as `.crt`, `.cer` or `.der`, expand here to see how you can convert it to PEM format using OpenSSL.

Convert CRT to PEM:

```bash
openssl x509 -in cert.crt -out cert.pem
```

Convert CER to PEM:

```bash
openssl x509 -in cert.cer -out cert.pem
```

Convert DER to PEM:

```bash
# DER is binary, so the input format must be stated; the output format defaults to PEM
openssl x509 -in cert.der -inform der -out cert.pem
```

The `.crt` and `.cer` extensions are used for both PEM- and DER-encoded certificates. If OpenSSL reports `unable to load certificate` for one of those files, add `-inform der` as in the last command.
Click Finish to complete the registration.
Once the OIDC identity provider is created, you can configure additional OIDC settings from the Protocol tab.
Asgardeo requests the `openid` scope from the external identity provider. If you need more attributes from the external identity provider, you can configure `scope` as an additional query param. For example, you can configure the key as `scope` and the value as `openid profile` (i.e.,
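To make concrete what the JWKS endpoint setting above is used for, here is an added example; it is not Asgardeo's code. It is a small Go program that plays both sides of the exchange. `SignIDToken` and `JWKSDoc` stand in for the external IdP's token and JWKS endpoints, using a freshly generated RSA key; the issuer `https://idp.example.test`, client ID `app-1`, key ID `k1` and nonce `n1` are constructed placeholders. `VerifyIDToken` does what the relying party must do with the ID token it receives in the authorization code flow: look up the signing key by `kid` in the JWKS document, refuse any `alg` other than RS256, verify the signature, and only then check that `iss`, `aud`, `exp` and `nonce` match this IdP, this client and this login attempt. With the PEM certificate option the only difference is where the key comes from: the uploaded certificate is parsed with `x509.ParseCertificate` and its public key replaces the JWKS lookup.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
// IDTokenClaims holds the claims the relying party must check on the ID token.
type IDTokenClaims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
	Nonce    string `json:"nonce"`
}

// KeyFromJWKS picks the RSA key with the matching kid out of the document served at the
// IdP's JWKS endpoint (encoding/json maps "keys", "kty", "kid", "n", "e" onto these fields).
func KeyFromJWKS(doc []byte, kid string) (*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == kid && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", kid)
}

// VerifyIDToken checks the RS256 signature with the JWKS key named by the header's kid and
// only then binds iss/aud/exp/nonce to this IdP, this client and this login attempt.
func VerifyIDToken(token string, jwksDoc []byte, issuer, clientID, nonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	var c IDTokenClaims
	hb, errH := b64.DecodeString(parts[0])
	pb, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &c) != nil {
		return nil, fmt.Errorf("undecodable JWT")
	}
	if hdr.Alg != "RS256" { // the token must never get to pick a weaker algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := KeyFromJWKS(jwksDoc, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	if c.Issuer != issuer || c.Audience != clientID || c.Nonce != nonce || now.Unix() >= c.Expiry {
		return nil, fmt.Errorf("claims rejected (iss=%q aud=%q exp=%d)", c.Issuer, c.Audience, c.Expiry)
	}
	return &c, nil
}

// JWKSDoc and SignIDToken stand in for the external IdP so the example runs offline:
// JWKSDoc publishes a key as the JWKS endpoint would, SignIDToken acts as the token endpoint.
func JWKSDoc(key *rsa.PrivateKey, kid string) []byte {
	k := map[string]string{"kty": "RSA", "kid": kid, "n": b64.EncodeToString(key.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())}
	doc, _ := json.Marshal(map[string][]map[string]string{"keys": {k}})
	return doc
}

func SignIDToken(key *rsa.PrivateKey, kid string, c IDTokenClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed IdP key; issuer, client id, kid and nonce are placeholders
	claims := IDTokenClaims{Issuer: "https://idp.example.test", Subject: "alice", Audience: "app-1", Expiry: time.Now().Add(time.Minute).Unix(), Nonce: "n1"}
	tok, _ := SignIDToken(key, "k1", claims)
	_, okErr := VerifyIDToken(tok, JWKSDoc(key, "k1"), claims.Issuer, "app-1", "n1", time.Now())
	_, audErr := VerifyIDToken(tok, JWKSDoc(key, "k1"), claims.Issuer, "other-app", "n1", time.Now())
	fmt.Printf("valid token: err=%v\nwrong audience: err=%v\n", okErr, audErr)
}
```

Run it with `go run`: the first verification returns no error, the second is rejected because the token was issued for a different client. The order of checks is deliberate: the header's `alg` is pinned before any key is looked up, the key is selected by `kid` so that key rotation at the IdP works without trusting an unknown key, and the claims are inspected only after the signature is known to be good, since anything read before that point could have been written by anyone.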
# Enable the OIDC IdP for login
Before you begin
You need to have an application registered in Asgardeo. If you don't already have one, register one of the following application types:
On the Asgardeo console, click Develop > Applications.
Open your application from the list and go to the Sign-in Method tab.
If you haven't already defined a sign-in flow, click Start with Default configuration to get started.
Click Add Authentication on the step, select your OIDC identity provider, and click Add.
# How it works
To provide this login capability, Asgardeo uses the standard OpenID Connect authorization code flow underneath. For an application, this flow works as follows: