# Custom OIDC auth

OIDC authentication is a viable choice when you use an external authentication provider, such as Auth0 or Cognito, that publishes its signing keys as a JWKS so that token authenticity can be verified.

An OIDC authentication provider uses a public-private key pair: the private key signs authentication tokens, and the public key is published at a public URL in JWKS format, typically `https://{domain}.com/.well-known/jwks.json`. When a user logs in, the provider issues an idToken (a JWT) signed with the private key and carrying the fields that the OIDC specification requires. This JWT is then used to create a user wallet.

Verifying the JWT's signature against the public key confirms its authenticity, and the wallet is then generated from the subject (`sub`, the user identifier) carried in the idToken.

## Input requirements

* **JWKS File URL (public key):** Used to validate the token's signature
* **idToken's `aud` value:** Confirms that the intended recipient (audience) of the token is your application

:::danger
From the JWT, Openfort extracts the `sub` claim and uses it as the user identifier (`externalUserId`). Ensure that, across your `test` and `live` environments, different users cannot end up with the same `sub` value; this is crucial for maintaining unique user identification.
:::

## Authenticating users with OIDC-compatible authentication

### Set up your provider

To set up your OIDC Authentication with Openfort, visit your [dashboard provider settings](https://dashboard.openfort.io/providers).

<div align="center">
  <img width="70%" height="70%" src="https://www.openfort.io/images/blog/oidc_auth_314e50f269.png?updated_at=2024-03-20T23:54:03.814Z" alt="OIDC provider configuration in Openfort dashboard" />
</div>
