We do not support the OpenID Connect (OIDC) implicit flow, or client authentication with a shared client_secret, because the OAuth working group does not recommend them for security reasons.

Getting started

Choosing an authentication method

Login.gov supports two ways of authenticating clients: private_key_jwt and PKCE.

  • private_key_jwt (preferred for web apps)
    The client sends a JSON Web Token (JWT), signed with its private key (minimum length of 2048 bits), when requesting access tokens. The corresponding public key is registered with the IdP ahead of time, similar to a SAML signing certificate, so the IdP can verify the signature without any shared secret ever being exchanged.

  • PKCE (preferred for native mobile apps)
    Short for Proof Key for Code Exchange by OAuth Public Clients (RFC 7636) and pronounced “pixy.” The client generates a random secret (the code_verifier), sends its public client identifier together with the SHA-256 hash of that secret (the code_challenge) in the authorization request, and reveals the code_verifier itself only when exchanging the authorization code for tokens. An authorization code intercepted in transit therefore cannot be redeemed by anyone who does not hold the verifier.
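The two methods above, as an added Ruby example using only the standard library (this is illustrative code, not part of Login.gov's documentation or its example app). The client_id and token endpoint are placeholders, the RSA key is generated on the fly, and both sides of each exchange are shown: the client builds the RS256 client_assertion and the IdP verifies it, then the client derives a PKCE verifier/challenge pair and the server checks it at the token endpoint.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'
require 'digest'

# Assumed values for the demo; neither is taken from the page.
CLIENT_ID = 'urn:example:sp:example-agency:example-app'
TOKEN_ENDPOINT = 'https://idp.example.gov/api/openid_connect/token'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# --- private_key_jwt ---------------------------------------------------------
# The client_assertion sent to the token endpoint: an RS256-signed JWT whose
# iss and sub are the client_id, whose aud is the token endpoint, with a fresh
# jti and a short lifetime (OIDC Core 1.0, section 9).
def build_client_assertion(private_key, client_id:, audience:, now: Time.now.to_i, ttl: 300)
  header = { alg: 'RS256', typ: 'JWT' }
  claims = { iss: client_id, sub: client_id, aud: audience,
             jti: SecureRandom.hex(16), iat: now, exp: now + ttl }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# The IdP side: check the signature with the public key registered for this
# client, then the claims. Returns the claims on success, nil on any failure.
def verify_client_assertion(jwt, public_key, client_id:, audience:, now: Time.now.to_i)
  h, p, s = jwt.split('.')
  return nil unless h && p && s
  header = JSON.parse(Base64.urlsafe_decode64(h))
  return nil unless header['alg'] == 'RS256' # pin the algorithm; never trust the token's choice
  data = "#{h}.#{p}"
  return nil unless public_key.verify(OpenSSL::Digest.new('SHA256'), Base64.urlsafe_decode64(s), data)
  claims = JSON.parse(Base64.urlsafe_decode64(p))
  return nil unless claims['iss'] == client_id && claims['sub'] == client_id
  return nil unless claims['aud'] == audience
  return nil unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
  nil
end

# --- PKCE --------------------------------------------------------------------
# code_verifier: 32 random bytes, base64url -> 43 chars (RFC 7636 allows 43..128).
# code_challenge: base64url(SHA-256(code_verifier)), sent with the authorization
# request; the verifier itself is only revealed in the token request.
def pkce_pair
  verifier = b64url(SecureRandom.random_bytes(32))
  [verifier, b64url(Digest::SHA256.digest(verifier))]
end

def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check at the token endpoint: recompute S256 over the presented
# verifier and compare with the challenge stored alongside the authorization code.
def pkce_valid?(code_verifier, code_challenge)
  return false unless (43..128).cover?(code_verifier.length)
  constant_time_eq?(b64url(Digest::SHA256.digest(code_verifier)), code_challenge)
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::PKey::RSA.new(2048) # in practice: the key whose certificate you registered
  jwt = build_client_assertion(key, client_id: CLIENT_ID, audience: TOKEN_ENDPOINT)
  puts verify_client_assertion(jwt, key.public_key, client_id: CLIENT_ID, audience: TOKEN_ENDPOINT) ? 'assertion accepted' : 'assertion rejected'
  verifier, challenge = pkce_pair
  puts "pkce ok: #{pkce_valid?(verifier, challenge)}"
end
```

Two points the code makes that the prose does not: the verifier pins the signing algorithm to the one registered for the client instead of reading it from the token, and the PKCE comparison is constant-time and rejects verifiers outside the RFC 7636 length range before hashing.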

Unsupported methods

The following implementation methods of OIDC are not supported by Login.gov for security reasons.

  • Implicit flow, which returns tokens directly in the redirect URL fragment, is not recommended by the OAuth working group.
  • client_secret_param is not supported because it requires managing a shared secret in two places, the client and the server, so a compromise of either side exposes it. With private_key_jwt only the public key is shared with the server, and PKCE uses a one-time secret that is valid for a single authorization request.

Set up a Sandbox account

You can test authentication methods in real time with a testing account in our sandbox environment. To start, follow the steps in the Using the sandbox section to create your Login.gov sandbox account, your Team in the Partner Portal, and your app within your Team.

If you choose to integrate your app using the OIDC private_key_jwt protocol, you will need to create a private key that will be used to sign your request to our token endpoint, and a corresponding public certificate that you will upload to your app in the Partner Portal. Login.gov will use your public certificate to verify the signature in your request. Keep the private key on your own servers only; the certificate is the only part that leaves your environment.

More details on how to create this public/private keypair are available in the Creating a public certificate section of our Testing documentation.
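As an added example (not the procedure from the Testing documentation referenced above), the following Ruby generates a 2048-bit RSA private key and a self-signed X.509 certificate carrying its public key, then runs the checks a practitioner would want before uploading the certificate. The subject name, validity period and file names are assumptions; only the standard library is used.

```ruby
require 'openssl'

# Generate the private key that will sign your token requests and a self-signed
# X.509 certificate carrying its public key; the certificate PEM is what you
# would upload for your app. CN and validity are assumed values for the demo.
def generate_signing_keypair(common_name: 'example-app.agency.example', days: 365, bits: 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                               # X.509 v3
  cert.serial = OpenSSL::BN.rand(64)             # random serial number
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject                     # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60                # small backdate to absorb clock skew
  cert.not_after = cert.not_before + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Checks worth running before uploading: the certificate's public key belongs
# to the private key you keep, its self-signature verifies, it is currently
# valid, and the key meets the 2048-bit minimum.
def certificate_ok?(cert, key, min_bits: 2048)
  cert.check_private_key(key) &&
    cert.verify(cert.public_key) &&
    cert.not_before <= Time.now && cert.not_after > Time.now &&
    cert.public_key.n.num_bits >= min_bits
end

# What the IdP does with the uploaded PEM: parse it and take the public key out.
def public_key_from_pem(cert_pem)
  OpenSSL::X509::Certificate.new(cert_pem).public_key
end

if $PROGRAM_NAME == __FILE__
  key, cert = generate_signing_keypair
  puts cert.to_pem                 # contents of the file you would upload
  puts "certificate ok: #{certificate_ok?(cert, key)}"
  # key.to_pem is the unencrypted private key; store it with restrictive permissions.
end
```

The same artifacts can be produced with the OpenSSL command line (openssl req -x509 -newkey rsa:2048 ...); the point of the Ruby version is the verification step, which catches a certificate that does not match the key you are about to sign with, or a key below the required size, before you discover it as a token endpoint error.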

Auto-discovery

Consistent with the OpenID Connect Discovery specification, Login.gov provides a JSON endpoint for OIDC auto-discovery at
/.well-known/openid-configuration. Clients should read the authorization, token, userinfo and JWKS endpoints from this document rather than hard-coding them.

Integration URI:

Production URI:
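How a client should treat the discovery document, as an added Ruby example that is not part of the page or of identity-oidc-sinatra. The JSON below is a constructed sample on a placeholder host, not Login.gov's real configuration; the code derives the well-known URL from the configured issuer and validates the document before any endpoint from it is used.

```ruby
require 'json'

# Constructed sample discovery document for the demo (placeholder host,
# illustrative field values); a real client fetches it over HTTPS.
SAMPLE_DISCOVERY = <<~DOC
  {
    "issuer": "https://idp.example.gov/",
    "authorization_endpoint": "https://idp.example.gov/openid_connect/authorize",
    "token_endpoint": "https://idp.example.gov/api/openid_connect/token",
    "userinfo_endpoint": "https://idp.example.gov/api/openid_connect/userinfo",
    "jwks_uri": "https://idp.example.gov/api/openid_connect/certs",
    "response_types_supported": ["code"],
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],
    "code_challenge_methods_supported": ["S256"],
    "id_token_signing_alg_values_supported": ["RS256"]
  }
DOC

# Build the URL from the issuer you configured; never take it from the response.
def discovery_url(issuer)
  "#{issuer.chomp('/')}/.well-known/openid-configuration"
end

REQUIRED_FIELDS = %w[issuer authorization_endpoint token_endpoint jwks_uri].freeze

# Validate a fetched document before using it. Returns a list of problems; an
# empty list means the document is usable for this client's chosen methods.
# pkce_method is optional: pass nil for a web app that relies on private_key_jwt alone.
def validate_discovery(json, expected_issuer:, auth_method:, pkce_method: nil)
  doc = JSON.parse(json)
  problems = []
  REQUIRED_FIELDS.each { |f| problems << "missing #{f}" unless doc.key?(f) }
  # The issuer must be exactly the one we configured; anything else is a
  # misconfiguration or a redirected/spoofed document.
  problems << 'issuer mismatch' unless doc['issuer'] == expected_issuer
  # Every endpoint and URI we might call must be https.
  doc.each do |k, v|
    next unless k.end_with?('_endpoint', '_uri')
    problems << "#{k} is not https" unless v.is_a?(String) && v.start_with?('https://')
  end
  unless Array(doc['response_types_supported']).include?('code')
    problems << 'authorization code flow not advertised'
  end
  unless Array(doc['token_endpoint_auth_methods_supported']).include?(auth_method)
    problems << "#{auth_method} not in token_endpoint_auth_methods_supported"
  end
  if pkce_method && !Array(doc['code_challenge_methods_supported']).include?(pkce_method)
    problems << "#{pkce_method} not in code_challenge_methods_supported"
  end
  problems
rescue JSON::ParserError => e
  ["invalid JSON: #{e.message}"]
end

if $PROGRAM_NAME == __FILE__
  puts discovery_url('https://idp.example.gov/')
  problems = validate_discovery(SAMPLE_DISCOVERY, expected_issuer: 'https://idp.example.gov/',
                                auth_method: 'private_key_jwt', pkce_method: 'S256')
  puts problems.empty? ? 'discovery document ok' : problems.join("\n")
end
```

The issuer comparison is the important check: the document tells you where the token and JWKS endpoints live, so a client that accepts it without confirming the issuer would happily send its client_assertion, and fetch signing keys, from wherever the document points.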

Example Application

The Login.gov team has created an example client to speed up your development, all open source in the public domain: identity-oidc-sinatra.

Next step: Authorization
