
Identity as a Service:OIDC SSO configuration

Last Updated: Sep 12, 2025

This document uses the OpenID Connect (OIDC) protocol as an example to explain how to configure single sign-on (SSO).

Note: For more information about the SSO protocols that IDaaS supports, see Standard protocols.

IDaaS support for OIDC grant types

You can select one or more of the following grant types:

| Grant type (pattern) | grant_type value | Description |
| --- | --- | --- |
| Client mode | client_credentials | Allows an application to use its client_id and client_secret to obtain a server token from IDaaS. This token is used to call the Developer APIs that IDaaS exposes for the application. You do not need to select this grant type; it is enabled automatically when API access is enabled for the application. |
| Authorization code | authorization_code | The most common logon mode for OIDC applications in IDaaS. The application delegates logon to IDaaS and parses the id_token that IDaaS returns to complete the logon verification. |
| Refresh token | refresh_token | Allows a refresh_token to be used to obtain a new access_token and extend the session validity. Typically used together with the Authorization code grant type. |
| Device | device | Often used to integrate applications that do not have a browser/server (B/S) architecture. When a device cannot display the IDaaS logon page itself, the user completes the logon flow in a browser on another device. |

For standard web applications, select the Authorization code and Refresh token grant types.

For applications that are not web-based, select the Device and Refresh token grant types.

Note: IDaaS does not currently support other OIDC grant types. If you need another grant type, you can submit a request. We will schedule its implementation based on priority.

IDaaS-side configuration

Basic configuration (required)

| Field | Description | Example |
| --- | --- | --- |
| Authorization mode | Select the grant types (patterns) for the application. | Multiple selection: Authorization code, Refresh token |
| Logon redirect URIs | A whitelist of redirect URIs. When an application requests to log on, it includes a redirect_uri parameter. This value must be in the whitelist for IDaaS to redirect to it after authentication is complete. | http://www.example.com/oidc/sso, http://www.example.com/oidc/sso2 |
| Authorization scope | For more information, see SSO overview. | Select: All users can access |

Advanced configuration (optional)

| Field | Description | Example |
| --- | --- | --- |
| User information scope (scopes) | The logged-on user's information that can be obtained from the user information endpoint after logon: openid, email, phone, profile. | Multiple selection: openid, email, profile |
| PKCE | Available when the Authorization code grant type is selected. When enabled, the Authorization code grant type uses the more secure Proof Key for Code Exchange (PKCE) extension flow. | Disabled by default |
| Code validity period | The code is exchanged for a token, so set its validity period appropriately; it can be configured in seconds or minutes. Rules: minimum 60 seconds (1 minute), maximum 30 minutes (1800 seconds). The input must be a positive integer; the system validates it and adjusts out-of-range values according to the selected unit. Minutes: a value less than 5 is set to 5 minutes, a value greater than 30 is set to 30 minutes. Seconds: a value less than 60 is set to 60 seconds, a value greater than 1800 is set to 1800 seconds. | Minutes: input 3 gives 5 minutes; input 40 gives 30 minutes. Seconds: input 30 gives 60 seconds; input 2000 gives 1800 seconds. |
| Code Challenge method | Available after you enable PKCE. Specifies how the Code Challenge in the PKCE extension is generated. This field is not displayed if PKCE is disabled. | - |
| access_token validity period | The access_token is used to call IDaaS APIs. The default validity period is 2 hours. After it expires, use a refresh_token to obtain a new one, or log on again. | 2 hours |
| id_token validity period | The id_token identifies the user. It is in JSON Web Token (JWT) format, and the application verifies the user's identity by checking its signature with the IDaaS public key. After it expires, use a refresh_token to obtain a new one, or log on again. | 10 hours |
| refresh_token validity period | Used to obtain a new access_token and id_token. After the refresh_token expires, the user must log on again. | 30 days |
| Extend id_token fields | You can extend the payload of the id_token to return basic, non-sensitive user information, which avoids repeated calls to the user information endpoint. For more information, see OIDC id_token extension value specifications. Note: fields added to the payload are publicly visible; use this feature as needed. | - |
| id_token signature algorithm | The asymmetric algorithm used to sign the id_token. Currently, only RSA-SHA256 is supported. | RSA-SHA256 |
| SSO initiator | Specifies whether user access is initiated only by the application or can also be initiated from the portal. | Application-initiated only |
| Logon initiation URL | If SSO initiator is set to support both portal and application initiation, you can enter a logon initiation URL. This is the application URL that IDaaS calls to initiate an SSO request. When this URL receives the request, it must immediately redirect to the IDaaS /authorize endpoint. | - |
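The application side of the Authorization code + Refresh token configuration above, with PKCE enabled and the redirect URI whitelist applied, as an added example (Python, standard library only; not IDaaS's or this page's own code). The endpoint URLs and redirect URIs are the placeholder values from this page; CLIENT_ID is an assumed value; client authentication at the token endpoint (for example a client_secret, if the application is registered with one) is omitted. The PKCE code_challenge is computed with the S256 method from RFC 7636, and the callback handler rejects responses whose state does not match the one this session sent.

```python
"""Application side of the Authorization code + PKCE flow configured above.
Added example, not IDaaS's own code: endpoint URLs and redirect URIs are this
page's placeholder values; CLIENT_ID is assumed; client authentication at the
token endpoint (for example a client_secret) is omitted."""
import base64, hashlib, secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://xxxxx.aliyunidaas.com.cn/oidc/authorize"  # from this page
TOKEN_ENDPOINT = "https://xxxxx.aliyunidaas.com.cn/oidc/token"          # from this page
CLIENT_ID = "example-client-id"                                          # assumed value
# Mirrors the "Logon redirect URIs" whitelist configured on the IDaaS side.
REDIRECT_ALLOWLIST = frozenset({"http://www.example.com/oidc/sso",
                                "http://www.example.com/oidc/sso2"})

def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier():
    """32 random bytes -> 43 unreserved chars, inside RFC 7636's 43..128 range."""
    return _b64u(secrets.token_bytes(32))

def code_challenge_s256(verifier):
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    return _b64u(hashlib.sha256(verifier.encode("ascii")).digest())

def redirect_uri_allowed(uri):
    """Exact-match check, as the whitelist requires (no prefix or wildcard matching)."""
    return uri in REDIRECT_ALLOWLIST

def build_authorize_url(redirect_uri, state, nonce, verifier,
                        scopes=("openid", "email", "profile")):
    """The /authorize request the application redirects the browser to."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError(f"redirect_uri not in whitelist: {redirect_uri}")
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),        # the "User information scope" selection
        "state": state,                   # ties the callback to this browser session
        "nonce": nonce,                   # echoed in the id_token, checked after exchange
        "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def handle_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect, refusing an unknown state."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch (possible CSRF or stale session)")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code

def token_request(code, verifier, redirect_uri):
    """Form body the backend POSTs to TOKEN_ENDPOINT; redirect_uri must match the request."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": CLIENT_ID, "code_verifier": verifier}

def refresh_request(refresh_token):
    """Form body for the Refresh token grant, used to renew the access_token."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": CLIENT_ID}

if __name__ == "__main__":
    verifier = make_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url("http://www.example.com/oidc/sso", state, nonce, verifier))
    code = handle_callback(f"http://www.example.com/oidc/sso?code=demo-code&state={state}", state)
    print(token_request(code, verifier, "http://www.example.com/oidc/sso"))
```

The verifier, state and nonce must be stored server-side per session between the redirect and the callback; the code_verifier is only ever sent to the token endpoint, never in the browser-visible /authorize request, which is what makes an intercepted authorization code useless on its own.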

Application-side configuration

The OIDC protocol enables applications to complete the entire logon and authentication flow using a series of standard interfaces that IDaaS provides.

The following table describes these interfaces:

| Field name | Description | Example |
| --- | --- | --- |
| Issuer | A claim in the id_token that identifies the token's source. It is also the base URL for the endpoints below. | https://xxxxx.aliyunidaas.com.cn/oidc1 |
| Discovery endpoint (Discovery) | Returns the endpoints, modes, and parameters that IDaaS supports. This endpoint is publicly accessible. | https://xxxxx.aliyunidaas.com.cn/oidc1/.well-known/openid-configuration |
| Authorization endpoint (Authorization) | The address where the application initiates an SSO logon. | https://xxxxx.aliyunidaas.com.cn/oidc/authorize |
| Token endpoint (token) | During the SSO flow, after the application obtains an authorization code, its backend calls the token endpoint to exchange the code for tokens. | https://xxxxx.aliyunidaas.com.cn/oidc/token |
| Public key endpoint for signature verification (JWKS) | The public key endpoint used to verify the id_token signature and complete the SSO flow. The public key does not support rotation. | https://xxxxx.aliyunidaas.com.cn/oidc1/jwks |
| Userinfo endpoint (Userinfo) | After logon, call this endpoint with an access_token to get basic user information. | https://xxxxx.aliyunidaas.com.cn/oidc1/userinfo |
| End session endpoint (SLO) | Logs the user off from the main IDaaS logon session. | https://xxxxx.aliyunidaas.com.cn/oidc1/logout |
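How an application verifies the id_token it receives, using the Issuer, JWKS and RSA-SHA256 (RS256) details from the table above, as an added example (Python, standard library only; not IDaaS's or this page's own code). ISSUER is the page's placeholder URL and CLIENT_ID is an assumed value. Because the example must run offline, the signing key and the JWKS document are generated locally to stand in for the IDaaS key and the Public key endpoint (in practice the JWKS is fetched over HTTPS from that endpoint), and RSA PKCS#1 v1.5 signing is implemented inline; a real application should use a vetted JWT/JOSE library rather than this hand-rolled RSA. The checks are the ones that matter for SSO: the alg header must be RS256, the kid must match a key in the JWKS, the signature must verify, and iss, aud, exp and nonce must match what this application expects.

```python
"""Verify an OIDC id_token (RS256) against the issuer's JWKS, stdlib only.
Added example, not IDaaS's own code: ISSUER is this page's placeholder value,
CLIENT_ID is assumed, and RSA is implemented inline only so the example runs
offline (use a vetted JWT/JOSE library in a real application)."""
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://xxxxx.aliyunidaas.com.cn/oidc1"  # placeholder from this page
CLIENT_ID = "example-client-id"                      # assumed value
ID_TOKEN_LIFETIME = 10 * 3600                        # the page's 10-hour default
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo

def _b64u(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
def _b64u_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _probable_prime(n, rounds=24):  # Miller-Rabin, adequate for a demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=1024):
    """Demo RSA key {n, e, d}; stands in for the IDaaS signing key."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15(message, k):  # RFC 8017 EMSA-PKCS1-v1_5 with SHA-256
    t = _SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(key, message):
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")

def rsa_verify(pub, message, signature):
    k = (pub["n"].bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= pub["n"]:
        return False
    em = pow(s, pub["e"], pub["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))

def public_jwk(key, kid):  # what the JWKS endpoint would publish for this key
    enc = lambda v: _b64u(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
            "n": enc(key["n"]), "e": enc(key["e"])}

def issue_id_token(key, kid, sub, nonce, now):  # simulates the issuer side
    enc = lambda obj: _b64u(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "nonce": nonce,
              "iat": now, "exp": now + ID_TOKEN_LIFETIME}
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{_b64u(rsa_sign(key, signing_input.encode()))}"

def verify_id_token(token, jwks, nonce, now=None):
    """Return the claims if the token is valid for this client, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64u_decode(parts[0]))
    if header.get("alg") != "RS256":      # refuse 'none' and HMAC key-confusion tokens
        raise ValueError("unexpected alg")
    jwk = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if jwk is None or jwk.get("kty") != "RSA":
        raise ValueError("no matching RSA key in JWKS")
    pub = {k: int.from_bytes(_b64u_decode(jwk[k]), "big") for k in ("n", "e")}
    if not rsa_verify(pub, f"{parts[0]}.{parts[1]}".encode(), _b64u_decode(parts[2])):
        raise ValueError("signature check failed")
    claims = json.loads(_b64u_decode(parts[1]))  # parsed only after the signature holds
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims
```

Typical use is `claims = verify_id_token(token, jwks, nonce)` right after the token exchange, with `nonce` being the value the application put into its /authorize request; the claims are parsed only after the signature verifies, so an unsigned or re-signed payload never reaches the application's session logic. Since the page states that the IDaaS public key does not rotate, the JWKS document can be cached, but matching on kid is kept so the check still works if that changes.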