Configuring Frontegg as OIDC IDP for 3rd party services

This capability is fully supported if you are using Frontegg Hosted Login

OpenID Connect (OIDC) is a secure and flexible authentication and authorization protocol that allows organizations to delegate user authentication to a trusted identity provider (IdP), and Frontegg Hosted Login supports it out of the box. OIDC builds atop OAuth 2.0, providing additional identity verification and access control features.

The following topic will walk you through the steps of configuring your Frontegg environment as an IDP for a 3rd party service.

🚧

Prerequisites:

This capability is fully supported via Frontegg Hosted Login. If you are using Frontegg's Embedded Login, then Social and SSO login methods will not redirect the end user to the 3rd party application out of the box.

Use Cases

Since OpenID Connect (OIDC) streamlines user authentication across various platforms, you can leverage its benefits in multiple ways, for example:

Unified Identity for Documentation and Support Portals

OIDC allows users to access documentation and support portals via the same user identity. This unified login process eliminates the need for multiple credentials, simplifying access and improving the user experience across these essential resources.

Shared Identity Across Applications

For organizations offering multiple applications, OIDC enables a single identity to be used across all platforms. This integration facilitates seamless navigation and interaction with different applications, reducing login fatigue and promoting user engagement.

Internal Applications with Shared Identity

OIDC also benefits internal operations by allowing the same identity to be used across various internal applications. This approach streamlines employee access to intranets, HR systems, and other internal tools, simplifying credential management and enhancing security.

Implementing OIDC (Walkthrough)

For the sake of our tutorial, we will use the OIDC playground as our 3rd party service. The OIDC playground is a great tool to test and debug your OIDC flows.
Note that Frontegg implements OIDC (OpenID Connect) by default as part of its hosted login offering.

Getting started
Go to Authentication ➜ Login Method, and under your Hosted Login configuration make sure that:

  • Hosted login is enabled
  • The redirectUrl of the service provider (in this example https://openidconnect.net/callback) is added under the allowed redirect URLs.

In your service provider, configure the authorization URL and the clientId of your Frontegg workspace.

📘

How to find my workspace URLs

Frontegg implements the OIDC discovery protocol and returns the relevant endpoints to ensure its operation.
The discovery URL is always https://[your-workspace-url]/.well-known/openid-configuration.

📘

Finding my client ID

Each environment in Frontegg has its own client ID. To obtain your environment client ID and secret, navigate to Environments ➜ [NAME OF ENVIRONMENT] ➜ Env settings ➜ General ➜ General Settings.

On the 3rd party client side, set the authorize endpoint and the token endpoint, together with the clientId and secret (if your 3rd party service supports PKCE, you can omit the secret).

The OpenID Connect endpoints can be found under Environments ➜ [NAME OF ENVIRONMENT] ➜ Authentication ➜ SSO ➜ Identity Provider ➜ OpenID Connect Endpoints.

If you have configured a custom domain on the environment, you can use it within the endpoints instead of the Frontegg domain.

After running the flow on your 3rd party client and obtaining your Frontegg id_token, the JWT should be validated against the JWKS that Frontegg publishes (the jwks_uri advertised in the discovery document); a successful validation yields a valid user response.