## Generic OIDC IDP

### Prerequisites

- OIDC-compliant identity provider
- Access to IDP admin console
- IDP supports OpenID Connect Discovery

### Configuration Steps

#### Step 1: Verify OIDC Discovery Endpoint

Most OIDC providers expose a discovery document at:

```
https://[IDP-DOMAIN]/.well-known/openid-configuration
```

1. Access this URL in a browser or via curl:

   ```bash
   curl https://[IDP-DOMAIN]/.well-known/openid-configuration
   ```

2. Verify the response contains the required endpoints:
   - `authorization_endpoint`
   - `token_endpoint`
   - `userinfo_endpoint`
   - `jwks_uri`
   - *Screenshot location: Browser showing JSON response or terminal output*

#### Step 2: Select or Create OAuth Client in Your IDP

Steps vary by provider, but generally:

1. Access your IDP's admin console
2. Navigate to the OAuth/OIDC client registration section
   - Common paths:
     - "Applications" or "Clients"
     - "OAuth 2.0" or "OpenID Connect"
     - "API" or "Integrations"
   - *Screenshot location: IDP admin console navigation*
3. **If you have an existing client**: Click on it to open its settings, then skip to Step 3
   - **If creating new**: Create a new client/application:
     - **Client name**: "Frontegg AgentLink"
     - **Client type**: `Confidential` or `Web Application`
     - **Grant types**:
       - Authorization Code
       - Refresh Token
   - *Screenshot location: Create client form*

#### Step 3: Configure Redirect URIs

1. In the client settings, locate the redirect URI configuration field
   - Common field names:
     - "Redirect URIs"
     - "Callback URLs"
     - "Authorized redirect URIs"
   - *Screenshot location: Client configuration page*
2. Add (or append to the existing list) the Frontegg redirect URL:

   ```
   https://[YOUR-FRONTEGG-DOMAIN]/oauth/callback
   ```

3. Add additional URIs if required:
   - **Post-logout redirect**: `https://[YOUR-FRONTEGG-DOMAIN]/logout`
   - **Origin URL**: `https://[YOUR-FRONTEGG-DOMAIN]`

#### Step 4: Configure Scopes

1. Locate the scope configuration in the client settings
   - *Screenshot location: Client scopes or permissions section*
2. Ensure these standard OIDC scopes are enabled:
   - `openid` (required)
   - `profile`
   - `email`
3. Add any additional custom scopes required by your implementation

#### Step 5: Obtain Client Credentials

1. After client creation, locate the credentials section
   - Common section names:
     - "Credentials"
     - "Client Secrets"
     - "Keys & Secrets"
   - *Screenshot location: Client detail page*
2. Copy the **Client ID** (often displayed prominently)
   - Format varies: UUID, alphanumeric string, or custom format
3. Generate or reveal the **Client Secret**:
   - Some IDPs auto-generate it on creation
   - Others require clicking "Generate Secret" or "Show Secret"
   - **CRITICAL**: Copy it immediately - it is often shown only once
   - *Screenshot location: Credentials section with secret revealed*

#### Step 6: Identify Issuer URL

The issuer URL is used by Frontegg to discover all endpoints. Find it via:

**Option A: From Discovery Document**

```json
{
  "issuer": "https://[IDP-DOMAIN]",
  ...
}
```

**Option B: From IDP Documentation**

- Check the provider's OIDC/OAuth documentation
- Look for "Issuer" or "Authority" configuration

**Option C: Common Patterns**

- Standard: `https://[IDP-DOMAIN]`
- With path: `https://[IDP-DOMAIN]/oauth2`
- Multi-tenant: `https://[IDP-DOMAIN]/[tenant-id]`

#### Step 7: Verify Token Endpoint Authentication

1. In the client configuration, locate the **Token Endpoint Authentication Method**
   - *Screenshot location: Advanced settings or authentication section*
2. Recommended value: `client_secret_post` or `client_secret_basic`
3. Ensure it matches Frontegg's expected method

#### Configuration Values for Frontegg

```yaml
provider: generic-oidc
issuer_url: [from Step 6]
client_id: [from Step 5]
client_secret: [from Step 5]
```
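The checks that Steps 1, 2, 4, 6 and 7 ask you to make by eye against the discovery document can be scripted once and rerun whenever the IDP changes. The following is an added example, not Frontegg's code or part of this guide: it takes the JSON that the Step 1 curl returns (here two constructed sample documents, with `idp.example.com` standing in for `[IDP-DOMAIN]` and `/oauth2` as the issuer path from Step 6, Option C) and reports missing or non-HTTPS endpoints, an `issuer` that does not equal the discovery URL minus its `/.well-known/openid-configuration` suffix (a mismatch means the document is misconfigured or was not fetched from the issuer you think it was), missing `authorization_code`/`refresh_token` grants, missing `openid`/`profile`/`email` scopes, and the absence of a `client_secret_post`/`client_secret_basic` token endpoint method. It also yields the `issuer_url` value for the Frontegg YAML above; `client_id` and `client_secret` still come from Step 5.

```python
"""Offline checker for an OIDC discovery document.

Added example, not Frontegg's code. Sample documents are constructed;
"idp.example.com" stands in for [IDP-DOMAIN], /oauth2 is an issuer path.
"""
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")               # Step 1
REQUIRED_GRANTS = ("authorization_code", "refresh_token")            # Step 2
REQUIRED_SCOPES = ("openid", "profile", "email")                     # Step 4
ACCEPTED_AUTH_METHODS = ("client_secret_post", "client_secret_basic")  # Step 7, page's order

SAMPLE_DISCOVERY_URL = "https://idp.example.com/oauth2" + DISCOVERY_SUFFIX

# Constructed: a well-formed document that should pass every check.
GOOD_DOC = json.dumps({
    "issuer": "https://idp.example.com/oauth2",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic", "client_secret_post", "private_key_jwt"],
})

# Constructed: the same IDP with four mistakes the checker is meant to catch.
BAD_DOC = json.dumps({
    "issuer": "https://idp.example.com",                  # missing the /oauth2 path
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "http://idp.example.com/oauth2/keys",     # plain http
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile"],            # no email scope
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],  # no shared-secret method
})


def expected_issuer(discovery_url):
    """OIDC Discovery 4.3: the issuer value must equal the discovery URL minus its suffix."""
    if not discovery_url.endswith(DISCOVERY_SUFFIX):
        raise ValueError(f"not a discovery URL: {discovery_url}")
    return discovery_url[:-len(DISCOVERY_SUFFIX)]


def check_discovery(doc_text, discovery_url):
    """Return a dict with 'problems' (empty when the document passes), the
    'issuer_url' for the Frontegg YAML and the 'token_endpoint_auth_method' to set."""
    doc = json.loads(doc_text)
    problems = []

    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not served over https: {url}")

    issuer = doc.get("issuer")
    if issuer != expected_issuer(discovery_url):
        problems.append(f"issuer {issuer!r} does not match the discovery URL")

    # Optional field; the spec default is authorization_code and implicit only.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    problems += [f"grant type {g} not advertised" for g in REQUIRED_GRANTS if g not in grants]

    # Only RECOMMENDED by the spec, so check it when the IDP publishes it.
    scopes = doc.get("scopes_supported")
    if scopes is not None:
        problems += [f"scope {s} not advertised" for s in REQUIRED_SCOPES if s not in scopes]

    # Absent field means client_secret_basic is the only method offered.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    auth_method = next((m for m in ACCEPTED_AUTH_METHODS if m in methods), None)
    if auth_method is None:
        problems.append(f"no client_secret_post/client_secret_basic offered, only {methods}")

    return {"problems": problems, "issuer_url": issuer,
            "token_endpoint_auth_method": auth_method}


if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        result = check_discovery(doc, SAMPLE_DISCOVERY_URL)
        print(label, "OK" if not result["problems"] else "FAIL", result)
```

In practice, pass the body returned by the Step 1 curl and the exact URL you fetched it from to `check_discovery`; the `issuer_url` it returns is the value for the YAML, and the `token_endpoint_auth_method` is what to select in Step 7 so the client and Frontegg agree.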