Configuring Frontegg as OIDC IDP for 3rd party services

This capability is fully supported if you are using Frontegg Hosted Login

OpenID Connect (OIDC) is a secure and flexible authentication protocol that lets an organization delegate user authentication to a trusted identity provider (IdP). OIDC is built on top of OAuth 2.0: OAuth supplies the authorization framework, and OIDC adds an identity layer on it (the signed ID token and the UserInfo endpoint) so the relying party can learn who the user is, not only what it may access. With Frontegg Hosted Login, Frontegg plays the IdP role in this exchange.

This topic walks you through configuring your Frontegg environment as an IDP for a third-party service.

🚧

Prerequisites:

This capability is fully supported via Frontegg Hosted Login. If you are using Frontegg's Embedded Login, then Social and SSO login methods will not redirect the end user to the 3rd party application out of the box.

Use Cases

Since OpenID Connect (OIDC) streamlines user authentication across various platforms, you can leverage its benefits in multiple ways, for example:

Unified Identity for Documentation and Support Portals

OIDC allows users to access documentation and support portals via the same user identity. This unified login process eliminates the need for multiple credentials, simplifying access and improving the user experience across these essential resources.

Shared Identity Across Applications

For organizations offering multiple applications, OIDC enables a single identity to be used across all platforms. This integration facilitates seamless navigation and interaction with different applications, reducing login fatigue and promoting user engagement.

Internal Applications with Shared Identity

OIDC also benefits internal operations by allowing the same identity to be used across various internal applications. This approach streamlines employee access to intranets, HR systems, and other internal tools, simplifying credential management and enhancing security.

Implementing OIDC (Walkthrough)

For the purposes of this tutorial we will use the OIDC Playground (openidconnect.net) as our 3rd party service. It is a convenient tool for testing and debugging OIDC flows, because it shows every request and response of the exchange.

Note that Frontegg implements OIDC (OpenID Connect) by default as part of its hosted login offering.

Getting started
Go to Authentication -> Login Method, and under your Hosted Login configuration, ensure that:

  • Hosted login is enabled
  • The redirect URL of the service provider (in this example https://openidconnect.net/callback) is added to the allowed redirect URLs. Enter it exactly as the service sends it in the redirect_uri parameter (scheme, host, path and trailing slash included); a redirect_uri that is not on the allow-list cannot complete the login.

Getting Frontegg URLs

The OpenID Connect endpoints can be found under Environments ➜ [NAME OF ENVIRONMENT] ➜ Authentication ➜ SSO ➜ Identity Provider ➜ OpenID Connect Endpoints:

If you have configured a custom domain on the environment, you can use it in the endpoints in place of the Frontegg domain. Whichever domain you choose, use it consistently: the issuer value the third-party service validates must match the one your tokens carry.


Client ID and Client Secret

When configuring Frontegg as your OpenID Connect identity provider, you will need to fill in the Client ID and Client Secret fields:

In general, the Client ID and Client Secret values are the Client ID and API key values that you can find in your environment under Env settings, as in the screenshot below:

When providing the Client ID and Client Secret for your third-party configuration, you have two options. If you have a single application, the values from your Env settings are the ones to provide. If you have multiple applications, you must configure the connection for a specific application: go to your Applications tab and fetch the ID and API key of that app, like so:


📘

Token validation

After running the flow on your 3rd party client and obtaining your Frontegg id_token, the client must validate the JWT against the JWKS published by your Frontegg environment before trusting anything in it: verify the signature with the key whose kid matches the token header, then check the issuer, the audience (your Client ID), the expiry and, if you sent one, the nonce. Only a token that passes every check yields a valid user response; decoding the claims without verifying the signature is not validation.