Try it Out

Before we connect to the OIDC Bridge, let's test the OpenID Provider configuration. This comprises three steps:

  • Step 1: Authenticate with your OpenID Provider

  • Step 2: Request an ID Token

  • Step 3: Verify the ID Token Includes appended Metadata

Step 1: Authenticate with your OpenID Provider

In a new browser window, navigate to the /authorize endpoint for your OpenID Provider instance using the following OIDC query parameters:

http
https://[OpenID_Provider_Tenant]/authorize
?scope=openid%20profile
&response_type=code
&client_id=<your_client_id>
&state=xqw2Lcafhx0NIoX0
&nonce=kjfhuo34hPxksklj
&prompt=login
&redirect_uri=https://example.com/callback
  • Use the URL of the authorization endpoint defined in your OpenID Provider /.well-known/openid-configuration.

  • Use the client_id of your OpenID Provider application.

  • Use the value you added in the allowed callback (e.g https://example.com/callback) as the redirect_uri.

  • The scope, response_type, state, nonce and prompt parameters are all required; the values shown in the example above can be used as-is for this test.

This should direct you to our OpenID Provider login screen:

https://www.datocms-assets.com/38428/1621224642-auth0-login-500xauto.webp?auto=format

Authenticate using any existing user.

As we've used an example callback URL, the redirect will not resolve to a real page; however, you can still read the code value from the query string of the URL in the browser's address bar:

http
https://example.com/callback?code=oLxCRk2oPgfR8QU3&state=xqw2Lcafhx0NIoX0

This code is only valid for several minutes, so proceed with the following steps quickly.

Step 2: Request an ID Token

Make the following request to the /token endpoint of your OpenID Provider tenant:

Request

shell
curl --request POST \
  --url https://auth0-tenant.au.auth0.com/oauth/token \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Basic dkowU0NLY2hyNFhqQzB4SE5FOERrSDZQbWxnMmxrQ046UU53ZmE0WWk0SW05enkxdV8xNW43U3pXS3QtOUc1Y2RIMHIxYk9OUnBVUGZOLVVJUmFhWHZfOTB6OFY2LU9qSA==' \
  --data-raw '{
    "grant_type": "authorization_code",
    "code": "oLxCRk2oPgfR8QU3",
    "redirect_uri" : "https://example.com/callback"
}'
  • Use your OpenID Provider tenant's client_id and client_secret to create a Base64-encoded Basic authorization header. The string should be formatted as client_id:client_secret before being encoded. You can use any encoding tool, for example base64url.

  • Set grant_type to authorization_code.

  • Use the code value obtained in step 1 above.

  • Use the same redirect_uri used in step 1 above.

Response

json
{
    "access_token": "-vtm3ahlh9k_V2uDjnZ5r2MPbKRaHpA1",
    "id_token":  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlJUVXdOVEpCTXpJNFJUTTNNVGt4TURnNU5EVTJRamRETlRVNVJrWTNNamMyTTBWRU1FVkJPUSJ9.eyJodHRwczovL215dGVuYW50Lm1hdHRyLmdsb2JhbC90cmFpbmluZ0NlcnQiOiJQYXNzZWQgQSsiLCJuaWNrbmFtZSI6Im1lIiwibmFtZSI6Im1lQGVtYWlsLmNvbSIsInBpY3R1cmUiOiJodHRwczovL3MuZ3JhdmF0YXIuY29tL2F2YXRhci84ZjlkYzA0ZTZhYmRjYzlmZWE1M2U4MTk0NWM3Mjk0Yj9zPTQ4MCZyPXBnJmQ9aHR0cHMlM0ElMkYlMkZjZG4uYXV0aDAuY29tJTJGYXZhdGFycyUyRm1lLnBuZyIsInVwZGF0ZWRfYXQiOiIyMDIwLTA0LTMwVDA3OjUxOjA4Ljk0MloiLCJpc3MiOiJodHRwczovL2Rldi1yb2w0d29hby5hdS5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NWU2NmVjZjZlNWNjZjUwY2QwMDNmZjIwIiwiYXVkIjoidkowU0NLY2hyNFhqQzB4SE5FOERrSDZQbWxnMmxrQ04iLCJpYXQiOjE1ODgyMzQwNzEsImV4cCI6MTU4ODI3MDA3MX0.KLrMUoqz5mrvNQQ3K09eFijVg3qkmT17R_zOUvVhtfC8LvUWaBYpszQ7j3x3zCZ1TsS4ATS68kcxLfSbq7A71atYVzwjKvGwGce9IjH7cRKyIO8Z1RAcSCw7ncXBOzT_O20sH3BV_ZgPHEJA2PreKQERKjcKSCHJeRaPyqVbh2v2lSHYCm6e8HdB8v_Zq0looLvxS5afQ8PMn3k36COo13F4zvLuUn9is--B-SRUqUjSX6-KOvULa1HXbQVnO6RUNiijQSbN-ZLA_6TRQC8BKoT3-8v1cLSb49sZOXGSBHkkNHGBhMXeJuw4iD8IjYQWpcXlVRQHuCQwFgSHxdez9w",
    "scope": "openid profile",
    "expires_in": 86400,
    "token_type": "Bearer"
}

The response includes the access_token and id_token for this interaction.

Step 3: Verify the ID Token Includes appended Metadata

Copy the id_token value from the step 2 response and paste it into a tool like jwt.io to decode the payload. You should get something similar to the following example:

json
{
    "https://YOUR_TENANT_SUBDOMAIN.vii.mattr.global/educationalCredentialAwarded": "Certificate Name",
    "nickname": "me",
    "name": "My Full Name",
    "updated_at": "2020-04-30T07:51:08.942Z",
    "iss": "https://dev-rol4woao.au.auth0.com/",
    "sub": "auth0|5e66ecf6e5ccf50cd003ff20",
    "aud": "vJ0SCKchr4XjC0xHNE8DkH6Pmlg2lkCN",
    "iat": 1588234071,
    "exp": 1588270071,
    "auth_time": 1606723358,
    "nonce": "kjfhuo34hPxksklj"
}
  • The payload contains the default claims associated with the scopes you requested, plus any fully namespaced claims (keys prefixed with your tenant URL); these are what you will use when setting up your claim mappings.

  • The sub value will be used for issuing the credential.

  • The nonce value matches that which was provided in the original request.
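As an added example covering steps 2 and 3 (not code from the original guide or from MATTR), the block below builds the Basic authorization header and JSON body for the /token request, decodes the compact JWT returned as id_token the way jwt.io does, and then applies the checks this step describes: the nonce must equal the one sent in step 1, iss and aud must be the expected issuer and client_id, the token must not be expired, and the namespaced claims and sub are extracted for claim mappings and issuance. The token endpoint, issuer, client credentials and tenant namespace are assumed placeholders, and the sample ID token is constructed in the block and unsigned; the block only decodes and checks claims, it does not verify the signature.

```python
import base64
import json
import time

# Hypothetical values standing in for your tenant and client (constructed, not from the guide).
TOKEN_ENDPOINT = "https://openid-provider.example.com/oauth/token"
CLIENT_ID = "your_client_id"
CLIENT_SECRET = "your_client_secret"
REDIRECT_URI = "https://example.com/callback"
ISSUER = "https://openid-provider.example.com/"
NAMESPACE = "https://YOUR_TENANT_SUBDOMAIN.vii.mattr.global/"


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credentials: standard Base64 (with padding) of 'client_id:client_secret'.

    This is the RFC 7617 form; a URL-safe or unpadded encoder would give a
    different string for secrets containing '+' or '/', and the token endpoint
    would then reject the client.
    """
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(code, client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                        token_endpoint=TOKEN_ENDPOINT, redirect_uri=REDIRECT_URI):
    """Return (url, headers, body) for the code exchange; send it with any HTTP client."""
    headers = {
        "Content-Type": "application/json",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    body = json.dumps({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return token_endpoint, headers, body


def _b64url_decode(segment):
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token(id_token):
    """Split a compact JWT and return (header, payload) as dicts. No signature check."""
    header_b64, payload_b64, _signature = id_token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def check_id_token(id_token, expected_nonce, client_id=CLIENT_ID, issuer=ISSUER,
                   namespace=NAMESPACE, now=None):
    """Apply the step 3 checks to the payload; return sub and the namespaced claims.

    Raises ValueError on any mismatch so a bad token is never mistaken for a good one.
    """
    now = time.time() if now is None else now
    header, claims = decode_id_token(id_token)
    if header.get("alg") == "none":
        raise ValueError("unsigned token")
    if claims.get("iss") != issuer:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce does not match the original request")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    namespaced = {k: v for k, v in claims.items() if k.startswith(namespace)}
    return {"sub": claims["sub"], "namespaced_claims": namespaced}


def make_sample_id_token(payload):
    """Constructed, UNSIGNED sample token for offline testing only; the signature
    segment is a placeholder. A real token must be verified against the provider's JWKS."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT', 'kid': 'sample'})}.{enc(payload)}.placeholder-signature"


# Constructed payload mirroring the decoded example shown in step 3.
SAMPLE_PAYLOAD = {
    NAMESPACE + "educationalCredentialAwarded": "Certificate Name",
    "nickname": "me",
    "name": "My Full Name",
    "iss": ISSUER,
    "sub": "auth0|5e66ecf6e5ccf50cd003ff20",
    "aud": CLIENT_ID,
    "iat": 1588234071,
    "exp": 1588270071,
    "nonce": "kjfhuo34hPxksklj",
}

if __name__ == "__main__":
    print(build_token_request("oLxCRk2oPgfR8QU3"))
    token = make_sample_id_token(SAMPLE_PAYLOAD)
    print(check_id_token(token, "kjfhuo34hPxksklj", now=SAMPLE_PAYLOAD["iat"] + 60))
```

Pasting a token into jwt.io is fine for a one-off look, but anything that acts on the claims should also fetch the issuer's JWKS (advertised in /.well-known/openid-configuration) and verify the RS256 signature before trusting them; the checks above are the claim-level part of that validation.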

What's Next?

If your test was successful, you can continue to set up an OIDC Issuer.