Protocol Guide

OIDC Configuration

A step-by-step walkthrough for setting up OpenID Connect clients, scopes, redirect URIs, and testing the full auth flow.

What is OIDC?

OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0. It lets client applications verify the identity of end users and obtain basic profile information via ID tokens.

AuthMe implements OIDC 1.0 with support for the Authorization Code flow (with PKCE), Client Credentials flow, and standard Discovery.

Discovery Document

Every realm exposes a standard OIDC Discovery document. Libraries use this URL to automatically configure themselves.

Terminal
curl https://auth.example.com/realms/my-realm/.well-known/openid-configuration

The document lists the authorization endpoint, token endpoint, JWKS URI, supported scopes, grant types, and more.

Creating an OIDC Client

Follow these steps in the Admin Console:

  1. Open the Admin Console

     Navigate to /console and select your realm.

  2. Create a new Client

     Go to Clients > New Client. Choose OIDC as the protocol.

  3. Set the Client ID

     Use a unique identifier like my-nextjs-app. This goes in your AUTHME_CLIENT_ID env variable.

  4. Configure Redirect URIs

     Add every URL that AuthMe is allowed to redirect to after login, e.g. http://localhost:3000/api/auth/callback/authme. Register the exact URL your application uses: the redirect_uri sent at login is matched against this list, so a different host, port or path will not be accepted.

  5. Copy the Client Secret

     For confidential clients, copy the generated secret and store it in AUTHME_CLIENT_SECRET. Public clients (browser SPAs, native and mobile apps) cannot keep a secret and rely on PKCE instead.

Token Endpoints

Endpoint        URL
Authorization   /realms/{realm}/protocol/openid-connect/auth
Token           /realms/{realm}/protocol/openid-connect/token
UserInfo        /realms/{realm}/protocol/openid-connect/userinfo
JWKS            /realms/{realm}/protocol/openid-connect/jwks
End Session     /realms/{realm}/protocol/openid-connect/logout

Standard Scopes

openid

Required. Returns an ID token with the user's sub claim.

profile

Returns name, given_name, family_name, picture.

email

Returns email and email_verified claims.

roles

Returns the user's realm and client roles in the token.

Testing with curl

Use the Client Credentials flow to quickly test your setup, no browser required. This flow authenticates the client itself rather than a user, so the response contains an access token but no ID token; to test user login, run the Authorization Code flow from a browser. Keep the secret in the AUTHME_CLIENT_SECRET variable from step 5 rather than typing it on the command line, so it does not end up in your shell history.

Terminal — Get Access Token
curl -X POST \
  https://auth.example.com/realms/my-realm/protocol/openid-connect/token \
  -d "grant_type=client_credentials" \
  -d "client_id=my-service" \
  -d "client_secret=$AUTHME_CLIENT_SECRET"

Terminal — Inspect Token
# Decode the JWT payload. No signature verification: treat the output as untrusted.
# JWT segments are unpadded base64url, so fix the alphabet and pad before decoding.
TOKEN="eyJhbGci..."
PAYLOAD=$(printf '%s' "$TOKEN" | cut -d. -f2 | tr '_-' '/+')
while [ $(( ${#PAYLOAD} % 4 )) -ne 0 ]; do PAYLOAD="$PAYLOAD="; done
printf '%s' "$PAYLOAD" | base64 -d | jq .