{
    "componentChunkName": "component---src-templates-article-page-template-js",
    "path": "/how-to/enable-open-id-connect-login/",
    "result": {"data":{"markdownRemark":{"frontmatter":{"title":"Enable OpenID Connect login","slug":"enable-open-id-connect-login","updated":"2021-02-03T00:00:00.000Z","category":"how-to-users-and-authentication","ingress":"In this guide we'll take a look at how to use an OpenID Connect login solution with a Flex marketplace.","skills":null},"htmlAst":{"type":"root","children":[{"type":"element","tagName":"h2","properties":{"id":"openid-connect","style":"position:relative;"},"children":[{"type":"element","tagName":"a","properties":{"href":"#openid-connect","ariaLabel":"openid connect permalink","className":["anchor","before"]},"children":[{"type":"element","tagName":"svg","properties":{"ariaHidden":"true","focusable":"false","height":"16","version":"1.1","viewBox":"0 0 16 16","width":"16"},"children":[{"type":"element","tagName":"path","properties":{"fillRule":"evenodd","d":"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"},"children":[]}]}]},{"type":"text","value":"OpenID Connect"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"a","properties":{"href":"https://openid.net/specs/openid-connect-core-1_0.html","target":"_blank","rel":["noopener","noreferrer"]},"children":[{"type":"text","value":"OpenID Connect"}]},{"type":"text","value":"\nis a specification built on OAuth2 that describes how a user\nauthenticated at an identity provider can be authorized to access resources in\nanother service. 
This how-to guide assumes that you already have an\nOpenID Connect solution available and intend to use that as a login\noption in your Flex marketplace."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"info","properties":{},"children":[{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"Apple Sign-in has several features that resemble the OpenID Connect\nspecification. However, the Apple Sign-in implementation has some\ndifferences from the OpenID Connect spec that render it not fully\ncompliant."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"One feature that our Flex developers have discovered is that the\n"},{"type":"element","tagName":"i","properties":{},"children":[{"type":"text","value":"email_verified"}]},{"type":"text","value":" claim is returned as a string from Apple, whereas\nthe\n"},{"type":"element","tagName":"a","properties":{"href":"https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims"},"children":[{"type":"text","value":"OpenID\nConnect spec"}]},{"type":"text","value":" specifies that it needs to be a boolean. This means\nthat simply integrating Apple Sign-in as an OpenID Connect IdP in Flex\nis not possible. 
Instead, you will need to use the\n"},{"type":"element","tagName":"a","properties":{"href":"/docs/how-to/setup-open-id-connect-proxy/"},"children":[{"type":"text","value":"OIDC proxy"}]},{"type":"text","value":"\napproach to integrate Apple Sign-in into your marketplace."}]},{"type":"text","value":"\n"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"h2","properties":{"id":"identity-provider-requirements","style":"position:relative;"},"children":[{"type":"element","tagName":"a","properties":{"href":"#identity-provider-requirements","ariaLabel":"identity provider requirements permalink","className":["anchor","before"]},"children":[{"type":"element","tagName":"svg","properties":{"ariaHidden":"true","focusable":"false","height":"16","version":"1.1","viewBox":"0 0 16 16","width":"16"},"children":[{"type":"element","tagName":"path","properties":{"fillRule":"evenodd","d":"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"},"children":[]}]}]},{"type":"text","value":"Identity provider requirements"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"h3","properties":{"id":"discovery-document-and-json-web-keys","style":"position:relative;"},"children":[{"type":"element","tagName":"a","properties":{"href":"#discovery-document-and-json-web-keys","ariaLabel":"discovery document and json web keys permalink","className":["anchor","before"]},"children":[{"type":"element","tagName":"svg","properties":{"ariaHidden":"true","focusable":"false","height":"16","version":"1.1","viewBox":"0 0 16 16","width":"16"},"children":[{"type":"element","tagName":"path","properties":{"fillRule":"evenodd","d":"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 
3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"},"children":[]}]}]},{"type":"text","value":"Discovery document and JSON Web keys"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"All identity providers should provide an\n"},{"type":"element","tagName":"a","properties":{"href":"https://openid.net/specs/openid-connect-discovery-1_0.html","target":"_blank","rel":["noopener","noreferrer"]},"children":[{"type":"text","value":"OpenID Connect discovery document"}]},{"type":"text","value":".\nThe document has to define a "},{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"jwks_uri"}]},{"type":"text","value":" attribute which denotes the\nlocation of public signing keys used by the identity provider. 
The\nsigning keys should be served in the "},{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"jwks_uri"}]},{"type":"text","value":" location in\n"},{"type":"element","tagName":"a","properties":{"href":"https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41","target":"_blank","rel":["noopener","noreferrer"]},"children":[{"type":"text","value":"JSON Web Key Set format"}]},{"type":"text","value":"."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"h3","properties":{"id":"signing-algorithms","style":"position:relative;"},"children":[{"type":"element","tagName":"a","properties":{"href":"#signing-algorithms","ariaLabel":"signing algorithms permalink","className":["anchor","before"]},"children":[{"type":"element","tagName":"svg","properties":{"ariaHidden":"true","focusable":"false","height":"16","version":"1.1","viewBox":"0 0 16 16","width":"16"},"children":[{"type":"element","tagName":"path","properties":{"fillRule":"evenodd","d":"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"},"children":[]}]}]},{"type":"text","value":"Signing algorithms"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"Flex only supports ID tokens signed with asymmetric RS256 signing\nalgorithm. 
The identity provider should provide public signing keys as\nmentioned above."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"h3","properties":{"id":"rotating-signing-keys","style":"position:relative;"},"children":[{"type":"element","tagName":"a","properties":{"href":"#rotating-signing-keys","ariaLabel":"rotating signing keys permalink","className":["anchor","before"]},"children":[{"type":"element","tagName":"svg","properties":{"ariaHidden":"true","focusable":"false","height":"16","version":"1.1","viewBox":"0 0 16 16","width":"16"},"children":[{"type":"element","tagName":"path","properties":{"fillRule":"evenodd","d":"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"},"children":[]}]}]},{"type":"text","value":"Rotating signing keys"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"Flex relies heavily on the "},{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"kid"}]},{"type":"text","value":" attribute of a JSON Web Key when\ncaching signing keys. We advise that every OpenID Connect identity\nprovider includes the "},{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"kid"}]},{"type":"text","value":" attribute in signing keys and in the ID token\nheader. 
Especially, when signing keys are rotated, it is critical to\nhave the "},{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"kid"}]},{"type":"text","value":" attribute in JWKs and a corresponding "},{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"kid"}]},{"type":"text","value":" header in the\nID token."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"h2","properties":{"id":"configure-an-identity-provider-client-in-console","style":"position:relative;"},"children":[{"type":"element","tagName":"a","properties":{"href":"#configure-an-identity-provider-client-in-console","ariaLabel":"configure an identity provider client in console permalink","className":["anchor","before"]},"children":[{"type":"element","tagName":"svg","properties":{"ariaHidden":"true","focusable":"false","height":"16","version":"1.1","viewBox":"0 0 16 16","width":"16"},"children":[{"type":"element","tagName":"path","properties":{"fillRule":"evenodd","d":"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"},"children":[]}]}]},{"type":"text","value":"Configure an identity provider client in Console"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"To take an OpenID Connect identity provider into use with Flex, you will\nneed to configure a new identity provider and an accompanying identity\nprovider client in Flex Console."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"ol","properties":{},"children":[{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"text","value":"Go to the 
"},{"type":"element","tagName":"a","properties":{"href":""},"children":[{"type":"text","value":"Social logins & SSO"}]},{"type":"text","value":" page in Console and click \"+ Add\nnew\" to add a new identity provider client."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"text","value":"Fill in a name for the client."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"text","value":"In the identity provider dropdown, select \"+ Add a new identity\nprovider...\""}]},{"type":"text","value":"\n"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"span","properties":{"className":["gatsby-resp-image-wrapper"],"style":"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 547px; "},"children":[{"type":"text","value":"\n      "},{"type":"element","tagName":"a","properties":{"className":["gatsby-resp-image-link"],"href":"/docs/legacy/static/735143dc52a37476816996bfff853378/d486e/oidc-client-1.png","style":"display: block","target":"_blank","rel":["noopener"]},"children":[{"type":"text","value":"\n    "},{"type":"element","tagName":"span","properties":{"className":["gatsby-resp-image-background-image"],"style":"padding-bottom: 94.9685534591195%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;"},"children":[]},{"type":"text","value":"\n  "},{"type":"element","tagName":"picture","properties":{},"children":[{"type":"text","value":"\n          "},{"type":"element","tagName":"source","properties":{"srcSet":["/docs/legacy/static/735143dc52a37476816996bfff853378/82e29/oidc-client-1.webp 159w","/docs/legacy/static/735143dc52a37476816996bfff853378/ef33f/oidc-client-1.webp 
318w","/docs/legacy/static/735143dc52a37476816996bfff853378/eb001/oidc-client-1.webp 547w"],"sizes":"(max-width: 547px) 100vw, 547px","type":"image/webp"},"children":[]},{"type":"text","value":"\n          "},{"type":"element","tagName":"source","properties":{"srcSet":["/docs/legacy/static/735143dc52a37476816996bfff853378/8b9b5/oidc-client-1.png 159w","/docs/legacy/static/735143dc52a37476816996bfff853378/fa108/oidc-client-1.png 318w","/docs/legacy/static/735143dc52a37476816996bfff853378/d486e/oidc-client-1.png 547w"],"sizes":"(max-width: 547px) 100vw, 547px","type":"image/png"},"children":[]},{"type":"text","value":"\n          "},{"type":"element","tagName":"img","properties":{"className":["gatsby-resp-image-image"],"src":"/docs/legacy/static/735143dc52a37476816996bfff853378/d486e/oidc-client-1.png","alt":"Add OpenID Connect client","title":"Add OpenID Connect client","loading":"lazy","decoding":"async","style":"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;"},"children":[]},{"type":"text","value":"\n        "}]},{"type":"text","value":"\n  "}]},{"type":"text","value":"\n    "}]}]},{"type":"text","value":"\n"},{"type":"element","tagName":"ol","properties":{"start":4},"children":[{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"text","value":"Fill in information regarding your OpenID Connect identity provider.\nThis is the service that your users authenticate to in order to log\ninto Flex.\n"},{"type":"element","tagName":"ul","properties":{},"children":[{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"strong","properties":{},"children":[{"type":"text","value":"Identity provider name"}]},{"type":"text","value":": A descriptive name for the identity\nprovider that helps you to distinguish it from other 
providers."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"strong","properties":{},"children":[{"type":"text","value":"Identity provider ID"}]},{"type":"text","value":": IdP ID that is passed as a parameter to\nFlex API when authenticating using this client/IdP. It is generated\nbased on the provider name."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"element","tagName":"strong","properties":{},"children":[{"type":"text","value":"Identity provider URL"}]},{"type":"text","value":": In OpenID Connect terms this is the\n"},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"issuer location"}]},{"type":"text","value":" of the identity provider. It is used to resolve\nID token signing keys used by the identity provider. See\n"},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"Discovery document and JSON Web keys"}]},{"type":"text","value":" above for more details."}]},{"type":"text","value":"\n"}]},{"type":"text","value":"\n"}]},{"type":"text","value":"\n"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"info","properties":{},"children":[{"type":"text","value":"\nAuth0 requires the identity provider URL with a trailing slash, but Flex Console\ndoes not currently allow adding trailing slashes. If you are adding an Auth0 \nintegration, add the URL without the trailing slash, and reach out to Flex \nSupport so we can manually fix the formatting.\n"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"ol","properties":{"start":5},"children":[{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"text","value":"Fill in the Client ID. This is the identifier of your Flex\nmarketplace at your identity provider. 
It will be the "},{"type":"element","tagName":"em","properties":{},"children":[{"type":"text","value":"audience"}]},{"type":"text","value":" of\nthe ID token returned from the identity provider."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"text","value":"If you have multiple clients configured at your identity provider to\nbe used to log into your Flex marketplace, list the additional client\nIDs as trusted client IDs. The idea is, that every client ID that is\nincluded as an audience ("},{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"aud"}]},{"type":"text","value":" claim) in an ID token returned from\nyour identity provider should be included as the client ID or trusted\nclient ID in the client."}]},{"type":"text","value":"\n"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"element","tagName":"span","properties":{"className":["gatsby-resp-image-wrapper"],"style":"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 550px; "},"children":[{"type":"text","value":"\n      "},{"type":"element","tagName":"a","properties":{"className":["gatsby-resp-image-link"],"href":"/docs/legacy/static/ad7e26d56ab5b361668c59de2d707100/68f36/oidc-client-2.png","style":"display: block","target":"_blank","rel":["noopener"]},"children":[{"type":"text","value":"\n    "},{"type":"element","tagName":"span","properties":{"className":["gatsby-resp-image-background-image"],"style":"padding-bottom: 174.8427672955975%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;"},"children":[]},{"type":"text","value":"\n  "},{"type":"element","tagName":"picture","properties":{},"children":[{"type":"text","value":"\n          
"},{"type":"element","tagName":"source","properties":{"srcSet":["/docs/legacy/static/ad7e26d56ab5b361668c59de2d707100/82e29/oidc-client-2.webp 159w","/docs/legacy/static/ad7e26d56ab5b361668c59de2d707100/ef33f/oidc-client-2.webp 318w","/docs/legacy/static/ad7e26d56ab5b361668c59de2d707100/06e95/oidc-client-2.webp 550w"],"sizes":"(max-width: 550px) 100vw, 550px","type":"image/webp"},"children":[]},{"type":"text","value":"\n          "},{"type":"element","tagName":"source","properties":{"srcSet":["/docs/legacy/static/ad7e26d56ab5b361668c59de2d707100/8b9b5/oidc-client-2.png 159w","/docs/legacy/static/ad7e26d56ab5b361668c59de2d707100/fa108/oidc-client-2.png 318w","/docs/legacy/static/ad7e26d56ab5b361668c59de2d707100/68f36/oidc-client-2.png 550w"],"sizes":"(max-width: 550px) 100vw, 550px","type":"image/png"},"children":[]},{"type":"text","value":"\n          "},{"type":"element","tagName":"img","properties":{"className":["gatsby-resp-image-image"],"src":"/docs/legacy/static/ad7e26d56ab5b361668c59de2d707100/68f36/oidc-client-2.png","alt":"Add OpenID Connect client","title":"Add OpenID Connect client","loading":"lazy","decoding":"async","style":"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;"},"children":[]},{"type":"text","value":"\n        "}]},{"type":"text","value":"\n  "}]},{"type":"text","value":"\n    "}]}]},{"type":"text","value":"\n"},{"type":"element","tagName":"ol","properties":{"start":7},"children":[{"type":"text","value":"\n"},{"type":"element","tagName":"li","properties":{},"children":[{"type":"text","value":"Click \"Add client\" to create the client and identity provider."}]},{"type":"text","value":"\n"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"Now that you have created the identity provider, you can use it if your\nlogin flow requires using another client or if you wish to remove the\nclient you added and create a new one. 
Just select the identity provider\nfrom the dropdown when creating a new client."}]},{"type":"text","value":"\n"},{"type":"element","tagName":"h2","properties":{"id":"add-openid-connect-login-flow-to-ftw","style":"position:relative;"},"children":[{"type":"element","tagName":"a","properties":{"href":"#add-openid-connect-login-flow-to-ftw","ariaLabel":"add openid connect login flow to ftw permalink","className":["anchor","before"]},"children":[{"type":"element","tagName":"svg","properties":{"ariaHidden":"true","focusable":"false","height":"16","version":"1.1","viewBox":"0 0 16 16","width":"16"},"children":[{"type":"element","tagName":"path","properties":{"fillRule":"evenodd","d":"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"},"children":[]}]}]},{"type":"text","value":"Add OpenID Connect login flow to FTW"}]},{"type":"text","value":"\n"},{"type":"element","tagName":"p","properties":{},"children":[{"type":"text","value":"OpenID Connect login flow can be added to FTW in multiple ways. One good\nstarting point is to take a look at OpenID Connect implementations in\n"},{"type":"element","tagName":"a","properties":{"href":"http://www.passportjs.org","target":"_blank","rel":["noopener","noreferrer"]},"children":[{"type":"text","value":"the Passport.js strategies"}]},{"type":"text","value":". 
Keep in mind\nthat you should get a hold of the ID token that is returned from the\nidentity provider so that you can pass it along to Flex's\n"},{"type":"element","tagName":"a","properties":{"href":"https://www.sharetribe.com/api-reference/authentication.html#issuing-tokens-with-an-identity-provider","target":"_blank","rel":["noopener","noreferrer"]},"children":[{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"/auth/auth_with_idp"}]}]},{"type":"text","value":"\nand\n"},{"type":"element","tagName":"a","properties":{"href":"https://www.sharetribe.com/api-reference/marketplace.html#create-user-with-an-identity-provider","target":"_blank","rel":["noopener","noreferrer"]},"children":[{"type":"element","tagName":"code","properties":{},"children":[{"type":"text","value":"current_user/create_with_idp"}]}]},{"type":"text","value":"\nendpoints."}]}],"data":{"quirksMode":false}},"headings":[{"value":"OpenID Connect","depth":2},{"value":"Identity provider requirements","depth":2},{"value":"Discovery document and JSON Web keys","depth":3},{"value":"Signing algorithms","depth":3},{"value":"Rotating signing keys","depth":3},{"value":"Configure an identity provider client in Console","depth":2},{"value":"Add OpenID Connect login flow to FTW","depth":2}]}},"pageContext":{"slug":"enable-open-id-connect-login","category":"how-to-users-and-authentication"}},
    "staticQueryHashes": ["3794076007","439097193","717698143"]}