Configuring Frontegg as OIDC IDP for 3rd party services

This capability is fully supported if you are using Frontegg Hosted Login.

Hosted login with OpenID Connect (OIDC) is a secure and flexible authentication and authorization protocol that allows organizations to delegate their user authentication to a trusted identity provider (IdP). OIDC is built atop OAuth 2.0, providing additional identity verification and access control features.

This topic walks you through configuring your Frontegg environment as an IdP for a third-party service.

🚧

Prerequisites:

This capability is fully supported via Frontegg Hosted Login. If you are using Frontegg's Embedded Login, then Social and SSO login methods will not redirect the end user to the 3rd party application out of the box.

Use cases

Since OpenID Connect (OIDC) streamlines user authentication across various platforms, you can leverage its benefits in multiple ways, for example:

Unified Identity for Documentation and Support Portals

OIDC allows users to access documentation and support portals via the same user identity. This unified login process eliminates the need for multiple credentials, simplifying access and improving the user experience across these essential resources.

Shared Identity Across Applications

For organizations offering multiple applications, OIDC enables a single identity to be used across all platforms. This integration facilitates seamless navigation and interaction with different applications, reducing login fatigue and promoting user engagement.

Internal Applications with Shared Identity

OIDC also benefits internal operations by allowing the same identity to be used across various internal applications. This approach streamlines employee access to intranets, HR systems, and other internal tools, simplifying credential management and enhancing security.

Implementing OIDC

For the sake of our tutorial, we will use the OIDC playground as our 3rd party service. The OIDC playground is a great tool to test and debug your OIDC flows.

Note that Frontegg implements OIDC (OpenID Connect) by default as part of its hosted login offering.

Setting your login method

Go to Authentication -> Login Method, and under your Hosted Login configuration, ensure that:

  • Hosted login is enabled.
  • The redirectUrl of the service provider (in this example https://openidconnect.net/callback) is added within the allowed redirect URLs.

OpenID Connect endpoints

The OpenID Connect endpoints are located under Environments ➜ [NAME OF ENVIRONMENT] ➜ Authentication ➜ SSO ➜ Identity Provider ➜ OpenID Connect Endpoints:

If you configured a custom domain for the environment you are using, then you can use it as your endpoint instead of the Frontegg domain:


Client ID and Client Secret

When configuring Frontegg as your OpenID Connect identity provider, you will also need to complete your Client ID and Client Secret fields:

In general, the Client ID and Client Secret values are the Client ID and API key located under your environment's Env settings, as in the screenshot below:

When providing the Client ID and Client Secret for your third-party configuration, you have two options. If you have a single application, the values you should use for the fields are taken from your Env settings. If you have multiple applications, then you must configure the connection for a specific application. In that case, go to your Applications tab and fetch the ID and API key of that specific app.


📘

Token validation

After running the flow on your 3rd party client and obtaining your Frontegg id_token, validate the JWT against a JWKS; a successful validation should result in a valid user response.
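
What that validation involves on the relying-party side, as an added example that is not Frontegg's code and uses only Node's built-in crypto module: the algorithm is pinned, the key is selected by `kid`, and the `iss`, `aud` and `exp` claims are checked after the signature. The issuer URL, client ID, `kid` and throwaway key pair are constructed placeholders; in a real integration the JWKS is fetched from the identity provider's JWKS endpoint.

```javascript
const { createPublicKey, generateKeyPairSync, sign, verify } = require('node:crypto');

const b64json = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const parseB64 = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Returns the claims when the token is valid; throws otherwise.
function validateIdToken(token, jwks, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  const header = parseB64(h);
  // Pin the algorithm instead of trusting the header (rejects "none" and HS256).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = createPublicKey({ key: { kty: 'RSA', n: jwk.n, e: jwk.e }, format: 'jwk' });
  if (!verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  // Only after the signature checks out are the claims trusted enough to inspect.
  const claims = parseB64(p);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed fixture: a throwaway RSA key pair stands in for the IdP signing key.
function makeFixture() {
  const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key' }] };
  const issue = (header, claims) => {
    const input = `${b64json(header)}.${b64json(claims)}`;
    return `${input}.${sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
  };
  return { jwks, issue };
}

// Demo with constructed values (issuer, audience and kid are placeholders).
const demo = makeFixture();
const demoToken = demo.issue(
  { alg: 'RS256', kid: 'demo-key' },
  { iss: 'https://idp.example', aud: 'client-123', sub: 'user-1', exp: Date.now() / 1000 + 300 },
);
const demoClaims = validateIdToken(demoToken, demo.jwks, {
  issuer: 'https://idp.example', audience: 'client-123',
});
console.log('validated subject:', demoClaims.sub);
```

In production a maintained JOSE library would normally replace the hand-written checks; the steps it performs are the same ones shown here.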