We do not support the OpenID Connect (OIDC) “implicit flow” with client_secret because it is not recommended by the OAuth group for security reasons
Getting started
Choosing an authentication method
Login.gov supports two ways of authenticating clients: private_key_jwt and PKCE.
-
private_key_jwt (preferred for web apps)
The client sends a JSON Web Token, or JWT, signed with a private key (minimum length of 2048 bits) when requesting access tokens. The corresponding public key is registered with the IdP ahead of time, similar to SAML. -
PKCE (preferred for native mobile apps)
Short for Proof Key for Code Exchange by OAuth Public Clients and pronounced “pixy.” In this method, the client sends a public identifier as well as a hashed random value generated by the client.
Unsupported methods
The following implementation methods of OIDC are not supported by Login.gov for security reasons.
- Implicit flow is not recommended by the OAuth group.
- client_secret_param is not supported because it requires managing a shared secret in two places, both the client and the server. Private_key_jwt flow involves sharing public keys with the server and PKCE has a one-time secret.
Set up a Sandbox account
You are able to test authentication methods in real time with a testing account in our sandbox environment. To start, navigate to the Login Partner Dashboard Sandbox and follow the steps below:
- Select the “Sign-in” button to create a new account. Anyone with a .gov or .mil email address may request an account.
- Create a new team - see Testing page for instructions.
- Create a certificate - before creating your application you’ll need to create a certificate that will be used to sign your requests. You can create a certificate using openssl. The example command to create the certificate from your terminal is:
openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt
- Create an application, at which point you will need to decide between private_key_jwt or PKCE.
It is important to note that your Login.gov production account and your Login.gov sandbox account are two separate accounts.
Auto-discovery
Consistent with the specification, Login.gov provides a JSON endpoint for OIDC auto-discovery at
/.well-known/openid-configuration
.
Integration URI:
Production URI:
Example Application
The Login.gov team has created an example client to speed up your development, all open source in the public domain: identity-oidc-sinatra.
Edit this page