Custom OIDC compatible Auth

Learn how to set up your custom OIDC compatible auth

OIDC authentication is a viable choice when you use an external authentication provider, such as Auth0 or Cognito, that publishes its JWKS so that token authenticity can be verified.

An OIDC authentication framework employs a public-private key pair, using the private key to sign authentication tokens. The public key is made accessible via a public URL in JWKS format, typically found at https://{domain}.com/.well-known/jwks.json. When a user logs in, an idToken (a JWT) is produced and signed with the private key, following the OIDC specification's requirements for token fields. This JWT is then presented to Openfort, which uses it to create a user wallet.

The verification of the JWT against the public key confirms its authenticity, allowing wallet generation based on the subject (user identifier) within the idToken.

Input Requirements:

  • JWKS File URL (public key): Used to validate the token's signature.
  • idToken's aud value: Confirms that your application is the intended recipient of the token.

From the JWT token, Openfort extracts the sub field, which is used as the user identifier for externalUserId. Ensure that, across your test and live environments, different users cannot get the same sub value. This is crucial for maintaining unique user identification.

Authenticating Users with OIDC-Compatible Authentication

Set up your provider

To set up your OIDC Authentication with Openfort, visit your dashboard provider settings.