ContextQMD
Back to Zitadel

ZITADEL OIDC Authentication Request Playground

apps/docs/content/apis/openidoauth/authrequest.mdx

5.0.0-base5.8 KB
Original Source

import { ExternalLink } from "lucide-react";

The OIDC Playground is for testing OpenID Authentication Requests, giving you more insight how OpenID Connect works and how you can customize ZITADEL behavior with different parameters.

An OpenID Connect (OIDC) authentication request is an OAuth 2.0 Authorization Request using additional parameters and scopes to request that the end-user be authenticated by ZITADEL.

<a href="https://zitadel.com/playgrounds/oidc" target="_blank" className="flex items-center gap-2 text-primary hover:underline"> Go to the OIDC Playground <ExternalLink className="h-4 w-4" /> </a>

Why this OIDC playground?

Currently, ZITADEL requires human users to authenticate through the hosted login page. Your application should initiate a login by issuing an authentication request and redirecting the user to the login page. You can customize the behavior of ZITADEL by providing additional parameters and scopes in the request.

This playground should help you to initially craft an authentication request and to explore the behavior of ZITADEL in more depth.

Request parameters explained

Not all request parameters are available in the playground. Please refer to the full documentation of the authorization endpoint.

Your Domain

The <span className="text-yellow-500">Custom Domain</span> to your ZITADEL instance. Use the base-path, the playground will add the required path to the request.

Required Parameters

<p> <span className="text-green-500">Client ID</span> is the resource id of an application. It's the application where you want your users to login. You can find the Client ID in the Console. When using project grants, use the Client ID from the origin organization. </p> <p> <span className="text-blue-500">Redirect URI</span> be one of the pre-configured redirect uris for your application. You must add the redirect uri for your application, else you will receive an error. </p> <p> <span className="text-orange-500">Response Type</span> defines whether a code, id_token token or just id_token will be returned. Most use cases will need code. </p>

More in the <a href="/apis/openidoauth/endpoints#required-request-parameters">documentation</a> about required Parameters.

Authentication methods

Depending on the authentication and authorization flow of your application you might need to append some information to the authentication request.

<span className="text-teal-600">Authentication method</span> "(none) PKCE" is recommended for most application types. The playground appends automatically a code challenge for PKCE flows.

You need to append a "Code Challenge" by providing a random <span className="text-teal-600">Code Verifier</span> that is being hashed and encoded in the request to the token endpoint, please see our guide for more details.

More in the documentation about authentication methods.

Additional Parameters

<div> <span className="text-cyan-500">Prompt</span> defines if and how the user should be prompted on login. For example: <ul> <li> <code>select_account</code>: user is prompted to select one of the existing sessions or create a new one </li> <li> <code>create</code>: present the register form </li> <li> <code>login</code>: requires the user to re-authenticate </li> <li> <code>none</code>: user must be authenticated without interaction, an error is returned otherwise; use for silent-refresh </li> </ul> </div> <p> <span className="text-rose-500">Login hint</span> must be a valid logon name of a user. You can skip the account picker by providing the Login hint. </p>

There are many more additional parameters. Please refer to the documentation about additional parameters.

Standard Scopes

Used to request additional information from ZITADEL. These scopes are defined in the OpenID Connect specification. The openid scope is mandatory.

Not all scopes are available in the playground. Please refer to the full documentation for the exhaustive list of available standard and reserved scopes.

Reserved Scopes

You can request additional information that is specific to ZITADEL or customize the behavior of ZITADEL by including reserved scopes. Please refer to the documentation for a full list of available reserved scopes.

Organization policies and branding

Enforce an organization's policies and branding as well as membership of the user by passing the scope urn:zitadel:iam:org:id:{id} with the required <span className="text-purple-500">Organization ID</span>.

Please refer to the full guide on branding.

Get user metadata

Pass the scope urn:zitadel:iam:user:metadata to request a user's metadata. Please refer to the full guide on user-metadata for further details.

Access core APIs

Calling the core API with the authenticated user, requires that the projectID of ZITADEL is included in the audience claim.

This can be achieved by adding the scope urn:zitadel:iam:org:project:id:zitadel:aud to your applications authorization request.

How to use ZITADEL in your project

Please refer to our guide on how to login users.

OpenID Connect certified libraries should allow you to customize the parameters and define scopes for the authorization request. You can also continue by using one of our example applications.