📄️ Recommended authorization flows
Introduction
📄️ OIDC Code Flow + PKCE
Overview
📄️ Device Authorization Flow
ZITADEL implements device authorization as per RFC 8628. This document demonstrates its use.
📄️ OpenID Connect Endpoints
OpenID Connect 1.0 Discovery
📄️ Authentication Methods
Client Secret Basic
📄️ Scopes
ZITADEL supports the use of scopes as a way of requesting information from the IAM and of instructing ZITADEL to perform certain operations.
📄️ Claims
ZITADEL asserts claims in different places according to the corresponding specifications or the project and client settings.
📄️ Grant Types
For a list of supported or unsupported grant types, please have a look at the table below.
📄️ OIDC Playground
The OIDC Playground is for testing OpenID authentication requests, giving you more insight into how OpenID Connect works and how you can customize ZITADEL's behavior with different parameters.
📄️ Web Keys
Web Keys in ZITADEL are used to sign and verify JSON Web Tokens (JWT).
📄️ Token Exchange [Beta]
The Token Exchange grant implements RFC 8693, OAuth 2.0 Token Exchange, and can be used to exchange tokens for ones with a different scope, audience or subject. Changing the subject of an authenticated token is called impersonation or delegation. This guide explains how token exchange is implemented inside ZITADEL and gives some usage examples.