OpenID Connect Identity Provider

Overview

Adding a Login button for a third-party OpenID Connect provider to FusionAuth is simple. This guide will walk you through the steps necessary to enable an OpenID Connect login provider.


Each request made to an OpenID Connect identity provider will utilize the PKCE extension. This extension is backwards compatible for identity providers that do not require or support PKCE. See the section below on PKCe for additional detail.


We also provide specific examples for configuring OpenID connect with some providers whose implementation requires unique configuration. If you’d like us to provide additional examples, please open a request on GitHub.


Once you have completed this configuration you will be able to enable the OpenID Connect login button for one or more FusionAuth Applications. Below is an example login page with an OpenID Connect Identity Provider enabled for PiedPiper.

OpenID Connect Login

Create an OpenID Connect Identity Provider

To create an Identity Provider navigate to Settings → Identity Providers and click Add provider and select OpenID Connect from the dialog.

This will take you to the Add OpenID Connect panel, and you’ll fill out the required fields. If you do not know the Client Id and Client secret for this provider you will need to contact the owner of the OpenID Connect provider.

If your OpenID Connect provider has implemented a well-known configuration endpoint, FusionAuth will be able to discover the necessary endpoints when you provide the URL to the provider in the Issuer field. For example, if you enter https://login.piedpiper.com in the Issuer field, FusionAuth will attempt to make a request to https://login.piedpiper.com/.well-known/openid-configuration to retrieve additional configuration. Alternatively you may provide fully qualified URLs for each of the required endpoints, to do this, toggle off the Discover endpoints switch and you will be shown three required fields.

To enable this identity provider for an application, find your application name in the Applications configuration section at the bottom of this panel. You will always see the FusionAuth application, this application represents the FusionAuth user interface. If you wish to be able to log into FusionAuth with this provider you may enable this application.

In the following screenshot you will see that we have enabled this login provider for the Pied Piper application and enabled Create registration. Enabling create registration means that a user does not need to be manually registered for the application prior to using this login provider.

For example, when a new user attempts to log into Pied Piper using this identity provider, if their user does not exist in FusionAuth it will be created dynamically, and if the Create registration toggle has been enabled, the user will also be registered for Pied Piper and assigned any default roles assigned by the application.

If you do not wish to automatically provision a user for this Application when logging in with PiedPiper, leave Create registration off and you will need to manually register a user for this application before they may complete login with this provider.

That’s it, now the Login with PiedPiper button will show up on the login page.

Add OpenID Connect

Form Fields

Id Optional

An optional UUID. When this value is omitted a unique Id will be generated automatically.

Name Required

A unique name to identity the identity provider. This name is for display purposes only and it can be modified later if desired.

Client Id Required

The client Id that will be used during the authentication workflow with this provider. This value will have been provided to you by the owner of the identity provider.

Client authentication method Optional Available since 1.15.3

The client authentication method to use with the OpenID Connect identity provider.

See the OIDC spec concerning Client Authentication for more information.

Client secret Optional

The client secret that will be used during the authentication workflow with this provider. This value will have been provided to you by the owner of the identity provider. This value is required when Client authentication method is not HTTP basic authentication (client_secret_basic) or Request body (client_secret_post).

Redirect URL Read-only Available since 1.6.0

This is the redirect URI you will need to provide to your identity provider.

Discover endpoints

When enabled FusionAuth will attempt to discover the endpoint configuration using the Issuer URL.

For example, if https://login.piedpiper.com is specified as the issuer, the well-known OpenID Connect URL https://piedpiper.com/.well-known/openid-configuration will be queried to discover the well-known endpoints.

When disabled, you may manually enter the required endpoints, this option is helpful if your OpenID Connect provider does not implement the well-known discovery endpoint.

Issuer Required

This is the public URL of the identity provider.

When Discover endpoints is enabled, this field will be required.

Authorization endpoint Required

The public URL of the OpenID Connect authorization endpoint.

When Discover endpoints is disabled, this field will be required.

Token endpoint Required

The public URL of the OpenID Connect token endpoint.

When Discover endpoints is disabled, this field will be required.

Userinfo endpoint Required

The public URL of the OpenID Connect userinfo endpoint.

When Discover endpoints is disabled, this field will be required.

Reconcile lambda Optional

A lambda may be utilized to map custom claims returned from the OpenID Connect provider.

To configure a lambda, navigate to Settings → Lambdas.

Button text Required

The text to be displayed in the button on the login form. This value is defaulted to Login with OpenID Connect but it may be modified to your preference.

Button image Optional

The image to be displayed in the button on the login form. When this value is omitted a default OpenID Connect icon will be displayed on the login button.

Scope Optional

This optional field defines the scope you’re requesting from the user during login. This is an optional field, but it may be required depending upon the OpenID Connect provider you’re using. At a minimum, the provider must return an email address from the Userinfo endpoint.

Managed domains Optional

You may optionally scope this identity provider to one or more managed domains. For example, if you were to use an OpenID Connect identity provider for your employees, you may add your company domain piedpiper.com to this field.

Adding one or more managed domains for this configuration will cause this provider not to be displayed as a button on your login page. Instead of a button the login form will first ask the user for their email address. If the user’s email address matches one of the configured domains the user will then be redirected to this login provider to complete authentication. If the user’s email address does not match one of the configured domains, the user will be prompted for a password and they will be authenticated using FusionAuth.

These configured domains will be used by the Lookup API.

Proof Key for Code Exchange

Available since 1.21.0

Proof Key for Code Exchange, more commonly referred to as PKCE (pronounced pixy) is an extension to the Authorization Code grant. This extension is intended to help secure the code exchange workflow utilized by this OpenID Connect configuration.

This extension is used by default on all OpenID Connect IdP configurations, and it cannot be disabled. The use of this extension is backwards compatible with identity providers that either do not require or support PKCE.

FusionAuth will pass along the required PKCE request parameters to the OpenID Connect identity provider and if the provider supports PKCE, the extension will be utilized, and if it is not supported it will be ignored.