Generic OIDC IDP

Prerequisites

  • OIDC-compliant identity provider
  • Access to IDP admin console
  • IDP supports OpenID Connect Discovery

Configuration Steps

Step 1: Verify OIDC Discovery Endpoint

Most OIDC providers expose a discovery document at:

https://[IDP-DOMAIN]/.well-known/openid-configuration
  1. Access this URL in browser or via curl:
    curl https://[IDP-DOMAIN]/.well-known/openid-configuration
  2. Verify response contains required endpoints:
    • authorization_endpoint
    • token_endpoint
    • userinfo_endpoint
    • jwks_uri
    • Screenshot location: Browser showing JSON response or terminal output

Step 2: Select or Create OAuth Client in Your IDP

Steps vary by provider, but generally:

  1. Access your IDP's admin console
  2. Navigate to OAuth/OIDC client registration section
    • Common paths:
      • "Applications" or "Clients"
      • "OAuth 2.0" or "OpenID Connect"
      • "API" or "Integrations"
    • Screenshot location: IDP admin console navigation
  3. If you have an existing client, click on it to open its settings, then skip to Step 3
    • If you are creating a new one, register a new client/application with these settings:
      • Client name: "Frontegg AgentLink"
      • Client type: Confidential or Web Application
      • Grant types:
        • Authorization Code
        • Refresh Token
      • Screenshot location: Create client form

Step 3: Configure Redirect URIs

  1. In client settings, locate redirect URI configuration field
    • Common field names:
      • "Redirect URIs"
      • "Callback URLs"
      • "Authorized redirect URIs"
    • Screenshot location: Client configuration page
  2. Add (or append to existing) Frontegg redirect URL:
    https://[YOUR-FRONTEGG-DOMAIN]/oauth/callback
  3. Add additional URIs if required:
    • Post-logout redirect: https://[YOUR-FRONTEGG-DOMAIN]/logout
    • Origin URL: https://[YOUR-FRONTEGG-DOMAIN]

Step 4: Configure Scopes

  1. Locate scope configuration in client settings
    • Screenshot location: Client scopes or permissions section
  2. Ensure these standard OIDC scopes are enabled:
    • openid (required)
    • profile
    • email
  3. Add any additional custom scopes required by your implementation

Step 5: Obtain Client Credentials

  1. After client creation, locate credentials section
    • Common section names:
      • "Credentials"
      • "Client Secrets"
      • "Keys & Secrets"
    • Screenshot location: Client detail page
  2. Copy Client ID (often displayed prominently)
    • Format varies: UUID, alphanumeric string, or custom format
  3. Generate or reveal Client Secret:
    • Some IDPs auto-generate on creation
    • Others require clicking "Generate Secret" or "Show Secret"
    • CRITICAL: Copy it immediately; many IDPs show the secret only once
    • Screenshot location: Credentials section with secret revealed

Step 6: Identify Issuer URL

The issuer URL is used by Frontegg to discover all endpoints. Find it via:

Option A: From Discovery Document

{
  "issuer": "https://[IDP-DOMAIN]",
  ...
}

Option B: From IDP Documentation

  • Check provider's OIDC/OAuth documentation
  • Look for "Issuer" or "Authority" configuration

Option C: Common Patterns

  • Standard: https://[IDP-DOMAIN]
  • With path: https://[IDP-DOMAIN]/oauth2
  • Multi-tenant: https://[IDP-DOMAIN]/[tenant-id]

Step 7: Verify Token Endpoint Authentication

  1. In client configuration, locate Token Endpoint Authentication Method
    • Screenshot location: Advanced settings or authentication section
  2. Recommended value: client_secret_post or client_secret_basic
  3. Ensure it matches Frontegg's expected method
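The checks from Steps 1, 6 and 7 can be run against a saved discovery document before the values are entered into Frontegg. The script below is an added example, not Frontegg's code: it confirms the required endpoints are present and served over HTTPS, that the issuer claim matches the URL the document was fetched from (the OIDC Discovery rule that also determines which of the Option C patterns applies), and that a client_secret-based token endpoint method is offered. The sample documents, including the idp.example.test domain, are constructed.

```python
import json
from urllib.parse import urlparse

REQUIRED_KEYS = ("authorization_endpoint", "token_endpoint",   # Step 1
                 "userinfo_endpoint", "jwks_uri")
ACCEPTED_AUTH = {"client_secret_post", "client_secret_basic"}  # Step 7
WELL_KNOWN = "/.well-known/openid-configuration"

def expected_issuer(discovery_url: str) -> str:
    """Issuer implied by the discovery URL (Step 6). OIDC Discovery requires
    'issuer' to equal that URL minus the well-known suffix, which also covers
    issuers with a path such as https://[IDP-DOMAIN]/oauth2."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("not an OIDC discovery URL")
    return discovery_url[: -len(WELL_KNOWN)]

def check_discovery(doc_text: str, discovery_url: str) -> list:
    """Return the problems found; an empty list means the document passes."""
    doc = json.loads(doc_text)
    problems = []
    issuer = doc.get("issuer")
    if issuer != expected_issuer(discovery_url):
        problems.append(f"issuer mismatch: {issuer!r}")
    for key in REQUIRED_KEYS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https")
    # The spec's default when this field is absent is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported",
                      ["client_secret_basic"])
    if not ACCEPTED_AUTH & set(methods):
        problems.append("token endpoint accepts no client_secret method")
    return problems

# Constructed sample documents, not taken from any real provider.
BASE = "https://idp.example.test/oauth2"
DISCOVERY_URL = BASE + WELL_KNOWN
GOOD_DOC = json.dumps({
    "issuer": BASE, "authorization_endpoint": BASE + "/authorize",
    "token_endpoint": BASE + "/token", "userinfo_endpoint": BASE + "/userinfo",
    "jwks_uri": BASE + "/keys"})
BAD_DOC = json.dumps({
    "issuer": "https://other.example.test",  # does not match DISCOVERY_URL
    "authorization_endpoint": BASE + "/authorize",
    "token_endpoint": "http://idp.example.test/oauth2/token",  # plaintext
    "jwks_uri": BASE + "/keys",  # userinfo_endpoint is missing
    "token_endpoint_auth_methods_supported": ["private_key_jwt"]})
```

To use it against a real provider, save the curl output from Step 1 to a file and pass its contents together with the exact URL you fetched; the issuer the check derives is the value to enter as issuer_url in Step 6.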

Configuration Values for Frontegg

provider: generic-oidc
issuer_url: [from Step 6]
client_id: [from Step 5]
client_secret: [from Step 5]