Try it Out

Before we connect to the OIDC Bridge, let's test the OpenID Provider configuration. This comprises three steps:

  • Step 1: Authenticate with your OpenID Provider

  • Step 2: Request an ID Token

  • Step 3: Verify the ID Token includes the appended metadata

Step 1: Authenticate with your OpenID Provider

In a new browser window, navigate to the /authorize endpoint of your OpenID Provider instance with the following OIDC query parameters:

  • Use the URL of the authorization endpoint defined in your OpenID Provider's /.well-known/openid-configuration document.

  • Use the client_id of your OpenID Provider application.

  • Use the value you added to the allowed callback URLs (e.g. the example callback URL) as the redirect_uri.

  • The scope, response_type, state, nonce and prompt parameters are all required; use them as in the following example:

This should take you to your OpenID Provider's login screen:

Authenticate using any existing user.

Because an example callback URL was used, the redirect will not complete; however, you can still read the code parameter from the query string of the redirect URL.

This code is only valid for a few minutes, so complete the following steps promptly.

Step 2: Request an ID Token

Make the following request to the /token endpoint of your OpenID Provider tenant:


Copy to clipboard.
1curl --request POST \
2  --url \
3  --header 'Content-Type: application/json' \
4  --header 'Authorization: Basic dkowU0NLY2hyNFhqQzB4SE5FOERrSDZQbWxnMmxrQ046UU53ZmE0WWk0SW05enkxdV8xNW43U3pXS3QtOUc1Y2RIMHIxYk9OUnBVUGZOLVVJUmFhWHZfOTB6OFY2LU9qSA==' \
5  --data-raw '{
6    "grant_type": "authorization_code",
7    "code": "oLxCRk2oPgfR8QU3",
8    "redirect_uri" : ""
  • Use your OpenID Provider tenant's client_id and client_secret to create a Basic authorization header: format the string as client_id:client_secret and Base64-encode it. You can use any encoding tool, for example base64url.

  • Set grant_type to authorization_code.

  • Use the code value obtained in step 1 above.

  • Use the same redirect_uri used in step 1 above.
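The two requests above (the /authorize URL in step 1 and the /token call in step 2) are easy to get subtly wrong: the state and nonce must be fresh and unguessable, the state returned on the callback must be checked before the code is used, and the Basic header must use standard Base64 rather than the URL-safe alphabet. The following Python script is an added example, not part of the original page and not the OIDC Bridge's own code; the endpoint URLs, client credentials, prompt=login value and the example callback are all constructed sample values, and nothing is sent over the network.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def new_state_and_nonce():
    """Fresh, unguessable values for one authorization request.

    state ties the callback to this browser session (CSRF protection);
    nonce is echoed in the ID token so the token can be tied back to this request.
    """
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


def build_authorize_url(authorization_endpoint, client_id, redirect_uri,
                        state, nonce, scope="openid profile", prompt="login"):
    """Assemble the /authorize URL for the authorization-code flow.

    prompt="login" is an assumed value: the page requires the parameter but
    does not state which value it expects.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_type": "code",   # authorization-code flow
        "state": state,
        "nonce": nonce,
        "prompt": prompt,
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def query_params(url):
    """Flatten the query string of a URL to {name: value} for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def extract_code_from_callback(callback_url, expected_state):
    """Pull the code out of the redirect URL, refusing it if state does not match."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def basic_auth_header(client_id, client_secret):
    """Build the Authorization header for the /token request.

    RFC 7617 Basic auth uses standard Base64 (RFC 4648 section 4, with '+', '/'
    and '=' padding), not the URL-safe alphabet used inside JWTs.
    """
    credentials = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def build_token_request(token_endpoint, client_id, client_secret, code, redirect_uri):
    """Describe the step 2 /token request (method, headers, JSON body).

    Returned as a dict so it can be inspected or handed to any HTTP client;
    nothing is sent from here.
    """
    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {
            "Content-Type": "application/json",
            "Authorization": basic_auth_header(client_id, client_secret),
        },
        "body": json.dumps({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,   # must equal the one used in step 1
        }),
    }


if __name__ == "__main__":
    # Constructed sample values; not real endpoints or credentials.
    state, nonce = new_state_and_nonce()
    url = build_authorize_url("https://idp.example.test/authorize", "sample-client-id",
                              "https://app.example.test/callback", state, nonce)
    print(url)
    callback = f"https://app.example.test/callback?code=oLxCRk2oPgfR8QU3&state={state}"
    code = extract_code_from_callback(callback, state)
    request = build_token_request("https://idp.example.test/oauth/token", "sample-client-id",
                                  "sample-client-secret", code, "https://app.example.test/callback")
    print(json.dumps(request, indent=2))
```

Keep the state and nonce you generated; the nonce is needed again in step 3 to confirm the ID token belongs to this request.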

A successful response looks like this:

{
  "access_token": "-vtm3ahlh9k_V2uDjnZ5r2MPbKRaHpA1",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlJUVXdOVEpCTXpJNFJUTTNNVGt4TURnNU5EVTJRamRETlRVNVJrWTNNamMyTTBWRU1FVkJPUSJ9.<payload segment omitted>.KLrMUoqz5mrvNQQ3K09eFijVg3qkmT17R_zOUvVhtfC8LvUWaBYpszQ7j3x3zCZ1TsS4ATS68kcxLfSbq7A71atYVzwjKvGwGce9IjH7cRKyIO8Z1RAcSCw7ncXBOzT_O20sH3BV_ZgPHEJA2PreKQERKjcKSCHJeRaPyqVbh2v2lSHYCm6e8HdB8v_Zq0looLvxS5afQ8PMn3k36COo13F4zvLuUn9is--B-SRUqUjSX6-KOvULa1HXbQVnO6RUNiijQSbN-ZLA_6TRQC8BKoT3-8v1cLSb49sZOXGSBHkkNHGBhMXeJuw4iD8IjYQWpcXlVRQHuCQwFgSHxdez9w",
  "scope": "openid profile",
  "expires_in": 86400,
  "token_type": "Bearer"
}

The response includes the access_token and id_token for this interaction.

Step 3: Verify the ID Token includes the appended metadata

Copy the id_token value from the step 2 response and paste it into a JWT decoding tool to decode the payload. You should see something similar to the following example:

{
  "": "Certificate Name",
  "nickname": "me",
  "name": "My Full Name",
  "updated_at": "2020-04-30T07:51:08.942Z",
  "iss": "",
  "sub": "auth0|5e66ecf6e5ccf50cd003ff20",
  "aud": "vJ0SCKchr4XjC0xHNE8DkH6Pmlg2lkCN",
  "iat": 1588234071,
  "exp": 1588270071,
  "auth_time": 1606723358,
  "nonce": "kjfhuo34hPxksklj"
}
  • The payload contains the default claims for the scopes you requested plus any fully namespaced custom claims; these are the claims you will reference when setting up your claim mappings.

  • The sub value will be used for issuing the credential.

  • The nonce value matches the one provided in the original request.
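Pasting the token into an online decoder shows the payload but leaves the checks in the three bullets above to the reader. The Python script below is an added example, not part of the original page and not the OIDC Bridge's own code: it decodes the payload the same way a decoder does (without signature verification, which a real client must add using the provider's JWKS), then checks iss, aud against the client_id, exp, sub and the nonce, and picks out the namespaced claims used for claim mappings. The sample claims are modelled on the step 3 payload; the issuer URL and the namespace URL are constructed.

```python
import base64
import json
import time


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(id_token):
    """Return the claims of a compact JWS without checking its signature.

    This mirrors an online decoder. Anything beyond a configuration test must
    verify the signature against the provider's JWKS before trusting claims.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(claims, expected_issuer, client_id, expected_nonce, now=None):
    """Return a list of problems; an empty list means the token passes these checks."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss does not match the provider")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if client_id not in audiences:
        problems.append("aud does not include this client_id")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the original request")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("token is expired or has no exp")
    if not claims.get("sub"):
        problems.append("sub is missing")
    return problems


def namespaced_claims(claims):
    """Custom claims are named with a URI; these are the ones claim mappings refer to."""
    return {name: value for name, value in claims.items() if "://" in name}


def make_sample_id_token(claims):
    """Constructed, unsigned token for offline use; the signature segment is a stand-in."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature-not-real"


# Constructed claims modelled on the step 3 payload; issuer and namespace URLs are made up.
SAMPLE_CLAIMS = {
    "https://example.test/claims/certificate_name": "Certificate Name",
    "nickname": "me",
    "name": "My Full Name",
    "updated_at": "2020-04-30T07:51:08.942Z",
    "iss": "https://idp.example.test/",
    "sub": "auth0|5e66ecf6e5ccf50cd003ff20",
    "aud": "vJ0SCKchr4XjC0xHNE8DkH6Pmlg2lkCN",
    "iat": 1588234071,
    "exp": 1588270071,
    "auth_time": 1606723358,
    "nonce": "kjfhuo34hPxksklj",
}


if __name__ == "__main__":
    token = make_sample_id_token(SAMPLE_CLAIMS)
    claims = decode_jwt_payload(token)
    print("custom claims:", namespaced_claims(claims))
    print("subject:", claims["sub"])
    # Evaluate as if just after issuance; against the real clock this sample is long expired.
    print("problems:", check_id_token(claims, "https://idp.example.test/",
                                      "vJ0SCKchr4XjC0xHNE8DkH6Pmlg2lkCN",
                                      "kjfhuo34hPxksklj", now=1588234100))
```

With a real token, pass the issuer from your /.well-known/openid-configuration, your application's client_id and the nonce you sent in step 1; any non-empty problem list means the configuration test has not passed.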

What's Next?

If your test was successful, you can continue to set up an OIDC Issuer.