We do not support the OpenID Connect “implicit flow” with client_secret because the OAuth working group does not recommend it for security reasons.
Choosing an authentication method
Login.gov supports two ways of authenticating clients: private_key_jwt and PKCE.
private_key_jwt (preferred for web apps)
The client sends a JSON Web Token, or JWT, signed with a private key (minimum length of 2048 bits) when requesting access tokens. The corresponding public key is registered with the IdP ahead of time, similar to SAML.
PKCE (preferred for native mobile apps)
PKCE is short for Proof Key for Code Exchange by OAuth Public Clients and is pronounced “pixy.” In this method, the client sends a public identifier as well as a hashed random value generated by the client; the unhashed value is presented only when the authorization code is exchanged.
The following implementation methods of OIDC are not supported by Login.gov for security reasons.
- Implicit flow is not recommended by the OAuth group.
- client_secret_param is not supported because it requires managing a shared secret in two places, both the client and the server. The private_key_jwt flow only shares a public key with the server, and PKCE uses a one-time secret.
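To make the two supported methods concrete, here is an added example (not code from Login.gov or its docs) that builds a PKCE code_verifier/code_challenge pair (S256, RFC 7636) and a private_key_jwt client assertion signed RS256 with a client's private key, plus the verification a server performs. The client_id and token endpoint URL are placeholders, not Login.gov values.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'
require 'base64'
require 'json'

# PKCE (RFC 7636): the client keeps code_verifier secret and sends only the
# S256 code_challenge on the authorization request, so an intercepted
# authorization code cannot be redeemed without the verifier.
def pkce_pair(verifier = nil)
  verifier ||= Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false)
  challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
  { code_verifier: verifier, code_challenge: challenge, code_challenge_method: 'S256' }
end

# private_key_jwt: a short-lived client assertion (RS256) over the client's
# registered key. client_id and token_endpoint are placeholder values here.
def client_assertion(private_key, client_id, token_endpoint, now = Time.now.to_i)
  header = { alg: 'RS256', typ: 'JWT' }
  claims = { iss: client_id, sub: client_id, aud: token_endpoint,
             jti: SecureRandom.hex(16), iat: now, exp: now + 300 }
  signing_input = [header, claims]
                  .map { |h| Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
                  .join('.')
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{Base64.urlsafe_encode64(sig, padding: false)}"
end

# What the IdP side does with the registered public key: pin the algorithm
# (never trust the token's own alg), verify the signature, then check the
# audience and expiry before accepting the assertion. Returns claims or nil.
def verify_assertion(jwt, public_key, expected_aud, now = Time.now.to_i)
  h, c, s = jwt.split('.')
  return nil unless h && c && s
  return nil unless JSON.parse(Base64.urlsafe_decode64(h))['alg'] == 'RS256'
  return nil unless public_key.verify(OpenSSL::Digest.new('SHA256'),
                                      Base64.urlsafe_decode64(s), "#{h}.#{c}")
  claims = JSON.parse(Base64.urlsafe_decode64(c))
  return nil unless claims['aud'] == expected_aud && claims['exp'].to_i > now
  claims
end
```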
Set up a Sandbox account
You are able to test authentication methods in real time with a testing account in our sandbox environment. To start, navigate to the Login Partner Dashboard Sandbox and follow the steps below:
- Select the “Sign-in” button to create a new account. Anyone with a .gov or .mil email address may request an account.
- Create a new team - see the Testing page for instructions.
- Create a certificate - before creating your application you’ll need to create a certificate whose key will be used to sign your requests. You can create one using openssl. The example command to create the certificate from your terminal is:
openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt
- Create an application, at which point you will need to decide between private_key_jwt and PKCE.
It is important to note that your Login.gov production account and your Login.gov sandbox account are two separate accounts.
Consistent with the specification, Login.gov provides a JSON endpoint for OpenID Connect auto-discovery at
The Login.gov team has created an example client to speed up your development, fully open source and in the public domain: identity-oidc-sinatra.