
We do not support the OpenID Connect (OIDC) “implicit flow” with client_secret because it is not recommended by the OAuth group for security reasons.

Getting started

Choosing an authentication method

Login.gov supports two ways of authenticating clients: private_key_jwt and PKCE.

  • private_key_jwt (preferred for web apps)
    The client sends a JSON Web Token, or JWT, signed with a private key (minimum length of 2048 bits) when requesting access tokens. The corresponding public key is registered with the IdP ahead of time, similar to SAML.

  • PKCE (preferred for native mobile apps)
    Short for Proof Key for Code Exchange by OAuth Public Clients and pronounced “pixy.” In this method, the client sends a public identifier as well as a hashed random value generated by the client.

Unsupported methods

The following implementation methods of OIDC are not supported by Login.gov for security reasons.

  • Implicit flow is not recommended by the OAuth group.
  • client_secret_param is not supported because it requires managing a shared secret in two places, both the client and the server. The private_key_jwt flow involves sharing only public keys with the server, and PKCE uses a one-time secret.
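The two supported methods above, and the reasoning in this list for why neither needs a shared client_secret, can be seen end to end in the following added example. It is not code from this page or from the Login.gov project; it shows both sides of each method in plain Ruby with only the standard library: for PKCE, the client's code_verifier/code_challenge pair (S256) and the token-endpoint check that the verifier hashes to the stored challenge; for private_key_jwt, building the client_assertion with a private key of at least 2048 bits and the IdP-side verification using nothing but the registered public key. The client_id, token endpoint URL and the choice of RS256 are constructed assumptions for illustration.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'
require 'base64'
require 'json'

MIN_RSA_BITS = 2048 # Login.gov's stated minimum for the private_key_jwt signing key

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time comparison so a verifier/challenge mismatch does not leak
# how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# ---------- PKCE (RFC 7636, S256) ----------

# The client keeps code_verifier private and sends only code_challenge in the
# authorization request; the verifier is revealed once, at the token request.
def pkce_challenge(verifier)
  b64url(Digest::SHA256.digest(verifier))
end

def pkce_pair
  verifier = b64url(SecureRandom.random_bytes(32)) # 43 URL-safe chars, inside the 43..128 range
  [verifier, pkce_challenge(verifier)]
end

# The IdP's check at the token endpoint: does the presented verifier hash to the
# challenge stored alongside the authorization code? No long-lived secret is involved.
def pkce_valid?(verifier, challenge)
  secure_equal?(pkce_challenge(verifier), challenge)
end

# ---------- private_key_jwt (OIDC Core 1.0 section 9, RFC 7523) ----------

def key_strong_enough?(key)
  key.n.num_bits >= MIN_RSA_BITS
end

# Builds the client_assertion JWT: iss and sub are the client_id, aud is the token
# endpoint, jti is a one-time id, and the lifetime is short (five minutes here).
def client_assertion(key, client_id:, token_endpoint:, now: Time.now.to_i, ttl: 300)
  raise ArgumentError, "RSA key must be >= #{MIN_RSA_BITS} bits" unless key_strong_enough?(key)
  header  = { alg: 'RS256', typ: 'JWT' }
  payload = { iss: client_id, sub: client_id, aud: token_endpoint,
              jti: SecureRandom.hex(16), iat: now, exp: now + ttl }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# What the IdP does with the assertion, holding only the registered public key:
# pin the algorithm, verify the signature over the exact encoded input, then check
# audience and expiry. Returns the payload hash, or nil if any step fails.
def verify_assertion(jwt, pub_key, token_endpoint:, now: Time.now.to_i)
  parts = jwt.to_s.split('.')
  return nil unless parts.size == 3
  h, p, s = parts
  header = JSON.parse(Base64.urlsafe_decode64(h))
  return nil unless header['alg'] == 'RS256' # allow-list the algorithm; never trust "none"
  return nil unless pub_key.verify(OpenSSL::Digest.new('SHA256'), Base64.urlsafe_decode64(s), "#{h}.#{p}")
  payload = JSON.parse(Base64.urlsafe_decode64(p))
  return nil unless payload['aud'] == token_endpoint && payload['exp'].to_i > now
  payload
rescue JSON::ParserError, ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed values for the demo: a throwaway key, a made-up client_id and endpoint.
  key = OpenSSL::PKey::RSA.new(2048)
  endpoint = 'https://idp.example.test/token'
  verifier, challenge = pkce_pair
  puts "PKCE verifier accepted: #{pkce_valid?(verifier, challenge)}"
  jwt = client_assertion(key, client_id: 'urn:example:client', token_endpoint: endpoint)
  puts "client_assertion verifies with public key only: #{!verify_assertion(jwt, key.public_key, token_endpoint: endpoint).nil?}"
end
```

The contrast with client_secret_param is in what each side stores: the IdP keeps a public key (private_key_jwt) or a hash that is useless after one exchange (PKCE), so a database leak on the server yields nothing that lets an attacker impersonate the client.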

Set up a Sandbox account

You are able to test authentication methods in real time with a testing account in our sandbox environment. To start, navigate to the Login Partner Portal Sandbox and follow the steps below:

  • Select the “Sign-in” button to create a new account. Anyone with a .gov or .mil email address may request an account.
  • Create a new team (see the Testing page for instructions).
  • Create a certificate - before creating your application you’ll need to create a certificate that will be used to sign your requests. You can create a certificate using openssl. The example command to create the certificate from your terminal is:
    • openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt
  • Create an application, at which point you will need to decide between private_key_jwt or PKCE.

It is important to note that your Login.gov production account and your Login.gov sandbox account are two separate accounts.

Auto-discovery

Consistent with the specification, Login.gov provides a JSON endpoint for OIDC auto-discovery at
/.well-known/openid-configuration.

Integration URI:

Production URI:

Example Application

The Login.gov team has created an example client to speed up your development, all open source in the public domain: identity-oidc-sinatra.

Next step: Authorization
