OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that allows applications to verify user identities and obtain basic profile information. This guide will help you integrate OpenID Connect authentication into your application.

What is OpenID Connect?

OpenID Connect extends OAuth 2.0 by adding an identity layer that provides:

Authentication: Verifying who the user is
User Information: Access to basic profile data
Standardized Claims: Consistent user attributes across providers
ID Tokens: JWT-based tokens containing user identity information
Key Concepts

Discovery URL

Following the OpenID Connect standard, we provide a Discovery endpoint. This endpoint lets most OIDC-compatible clients configure themselves automatically, and using it is recommended.

Access Token

Access tokens allow your application to call the MPC API on behalf of the authenticated user.

ID Token

A JSON Web Token (JWT) that contains claims about the authenticated user. Unlike OAuth 2.0 access tokens, ID tokens are specifically designed to be consumed by the client application.

Claims

Pieces of information about the user, such as name or email. Claims are included in ID tokens and can also be retrieved from the UserInfo endpoint.

Scopes

Permission levels that determine what information your application can access:

openid: Required scope that indicates OIDC usage
offline_access: Special scope that allows your application to obtain a refresh token. This enables your application to maintain access to user data even when the user is not actively using your application.
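An authorization request with these scopes, carrying the random state and S256 PKCE challenge that the Security Best Practices section below calls for, together with the matching callback check, as an added Python example (not code from this guide or from the MPC API itself). The authorization endpoint URL is a placeholder; in practice it comes from the Discovery endpoint.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed authorization endpoint (placeholder; in practice read
# "authorization_endpoint" from the provider's discovery document).
AUTHORIZATION_ENDPOINT = "https://idp.example.com/oauth2/authorize"

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def build_authorization_request(client_id, redirect_uri, scopes=("openid",)):
    """Return (url, session); session holds the state and code_verifier that
    must be kept server-side (or in an HttpOnly cookie) for the callback."""
    state = secrets.token_urlsafe(32)                 # unguessable CSRF token
    code_verifier = b64url(secrets.token_bytes(32))   # 43 chars, RFC 7636 range
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": make_s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    session = {"state": state, "code_verifier": code_verifier, "redirect_uri": redirect_uri}
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}", session

def handle_callback(query: dict, session: dict) -> dict:
    """Validate the redirect back from the provider and return the body to POST
    to the token endpoint. Raises ValueError on a provider error or mismatch."""
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error']}")
    # Constant-time compare; a mismatch means CSRF or a stale/replayed session.
    if not secrets.compare_digest(query.get("state", ""), session["state"]):
        raise ValueError("state mismatch")
    if not query.get("code"):
        raise ValueError("missing authorization code")
    return {
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": session["redirect_uri"],
        "code_verifier": session["code_verifier"],  # proves we started this flow
    }
```

The returned body is what a confidential client POSTs to the token endpoint along with its client credentials; the provider recomputes SHA-256 over code_verifier and rejects the exchange if it does not match the challenge sent earlier.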
Security Best Practices

State Parameter

Always use a random state parameter to prevent CSRF attacks. Verify it matches when handling the callback.

PKCE (Proof Key for Code Exchange)

For public clients (mobile apps, SPAs), use PKCE to prevent authorization code interception attacks. The only supported code challenge method is S256.

Confidential client type

Use a confidential client (a client with a secret) whenever you can store the client secret safely server-side.

Differences from the OpenID Connect standard

End-user consent

Currently we assume that all applications configured by customers are safe and trusted, so the end-user consent step is skipped.

Modified at 2026-01-15 14:28:41