Use this topic to configure single sign-on (SSO) for your application using the OpenID Connect (OIDC) protocol. It covers how to select a grant type for your application type, complete the IDaaS-side configuration, and obtain the endpoints your application needs to initiate and complete the SSO flow.
For the full list of SSO protocols that IDaaS supports, see Standard protocols.
Prerequisites
Before you begin, make sure you have:
An IDaaS instance with an application created
Access to the IDaaS console to configure the application
Select a grant type
Start by identifying your application type, then select the corresponding grant types.
| Application type | Recommended grant types |
|---|---|
| Standard web application | Authorization Code + Refresh Token |
| Non-browser device (TV, CLI, IoT) | Device Authorization Grant + Refresh Token |
The following table describes each grant type:
| Grant type | Description |
|---|---|
| Authorization Code (authorization_code) | The most common logon mode. The application delegates authentication to IDaaS, exchanges the returned code for tokens at the token endpoint, and validates the id_token (signature, issuer, audience, expiry and nonce) before treating the user as logged on. |
| Refresh Token (refresh_token) | Obtains a new access_token and id_token without a new logon, extending the session. Use alongside Authorization Code or Device Authorization Grant. |
| Device Authorization Grant (device) | For non-browser applications. When a device cannot display the IDaaS logon page, the user completes logon in a separate browser session while the device polls the token endpoint until the logon is approved, denied, or times out. |
| Client Credentials (client_credentials) | Allows an application to use its client_id and client_secret to get a server token for calling IDaaS Developer APIs. No user is involved. Enabled automatically when API access is turned on; no manual selection needed. |
IDaaS does not currently support other OIDC grant types. To request additional grant types, submit a request. Requests are scheduled based on priority.
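The device flow in the table above is a polling loop in which the client has to tell four replies apart. The following Go program is added here as an illustration; it is not code from this page or from IDaaS. It shows the client side of that loop against a scripted token endpoint: it keeps polling on authorization_pending, adds five seconds to the interval on slow_down, treats access_denied, expired_token and anything unexpected as final, and stops on its own once the device code's lifetime has run out. The client_id, device code, user code, verification URI and token values are placeholders invented for the example; the grant_type string and the error codes are the ones RFC 8628 defines. A real client takes the device authorization and token endpoint URLs from the Discovery document and sends each form with HTTP POST.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Placeholder client_id (an assumption for this example, not a real IDaaS identifier). The
// endpoint URLs are not hard-coded: a real client reads them from the Discovery document.
const clientID = "tv_app_example"

// deviceAuth is the reply of the device authorization endpoint (RFC 8628 section 3.2).
type deviceAuth struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	ExpiresIn       int    `json:"expires_in"`
	Interval        int    `json:"interval"` // seconds between polls; 0 means the default of 5
}

// tokenResult is a token endpoint reply: tokens on success, an OAuth error code otherwise.
type tokenResult struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token"`
	Error       string `json:"error"`
}

// poll is the client half of RFC 8628 sections 3.4 and 3.5: wait interval seconds between
// requests, add 5 seconds on slow_down, and give up once the device code has expired.
// post, sleep and now are parameters so the exchange can run against a scripted server.
func poll(d deviceAuth, post func(map[string]string) ([]byte, error), sleep func(time.Duration), now func() time.Time) (*tokenResult, error) {
	if d.Interval <= 0 {
		d.Interval = 5
	}
	interval := time.Duration(d.Interval) * time.Second
	deadline := now().Add(time.Duration(d.ExpiresIn) * time.Second)
	for {
		if now().After(deadline) {
			return nil, errors.New("device code expired before the user approved the logon")
		}
		sleep(interval)
		body, err := post(map[string]string{
			"grant_type":  "urn:ietf:params:oauth:grant-type:device_code",
			"device_code": d.DeviceCode,
			"client_id":   clientID,
		})
		var r tokenResult
		if err == nil {
			err = json.Unmarshal(body, &r)
		}
		if err != nil {
			return nil, err
		}
		switch r.Error {
		case "":
			if r.AccessToken == "" {
				return nil, errors.New("token reply without access_token")
			}
			return &r, nil // the id_token in r still has to be verified like any other id_token
		case "authorization_pending": // the user has not finished yet; keep the same interval
		case "slow_down":
			interval += 5 * time.Second
		default: // access_denied, expired_token or anything unexpected ends the flow
			return nil, fmt.Errorf("device flow ended: %s", r.Error)
		}
	}
}

// fakeClock stands in for the real clock and records every sleep.
type fakeClock struct {
	t     time.Time
	slept []time.Duration
}

func (c *fakeClock) now() time.Time { return c.t }
func (c *fakeClock) sleep(d time.Duration) {
	c.slept = append(c.slept, d)
	c.t = c.t.Add(d)
}

// scriptedServer answers with constructed token endpoint bodies in order and counts the calls.
func scriptedServer(replies []string, calls *int) func(map[string]string) ([]byte, error) {
	return func(form map[string]string) ([]byte, error) {
		*calls++
		return []byte(replies[*calls-1]), nil
	}
}

func main() {
	// Constructed device authorization reply; the verification_uri is a placeholder.
	d := deviceAuth{DeviceCode: "dc-1", UserCode: "WDJB-MJHT", VerificationURI: "https://xxxxx.aliyunidaas.com.cn/device", ExpiresIn: 600, Interval: 5}
	fmt.Printf("On a phone or laptop, open %s and enter %s\n", d.VerificationURI, d.UserCode)
	clock, calls := &fakeClock{t: time.Unix(0, 0)}, 0
	replies := []string{`{"error":"authorization_pending"}`, `{"error":"slow_down"}`, `{"error":"authorization_pending"}`, `{"access_token":"at-1","id_token":"x.y.z"}`}
	r, err := poll(d, scriptedServer(replies, &calls), clock.sleep, clock.now)
	fmt.Println(r.AccessToken, err, clock.slept)
}
```

The clock and the server are injected so the timing can be checked: with the scripted replies above the client sleeps 5, 5, 10 and 10 seconds before its four requests, and with a 12-second expires_in and only authorization_pending replies it gives up after the third request instead of polling forever.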
IDaaS-side configuration
Basic configuration (required)
| Field | Description | Example |
|---|---|---|
| Authorization mode | Select the grant type(s) for your application. | Authorization Code, Refresh Token |
| Logon Redirect URIs | An allowlist of redirect URIs. The redirect_uri in each authentication request must match an entry in this list; a request with an unregistered redirect_uri is rejected, which is what keeps an authorization code from being delivered to an attacker-controlled address. Register only the exact callback paths your application handles, and use https for anything other than local development. | http://www.example.com/oidc/sso |
| Authorization scope | Controls which users can access the application. See SSO overview. | All users can access |
Advanced configuration (optional)
| Field | Description | Example |
|---|---|---|
| User information scope (scopes) | The user attributes available from the UserInfo endpoint after logon. Supported values: openid, email, phone, profile. Always request openid: it is what makes the request an OIDC request and yields an id_token. | openid, email, profile |
| PKCE | Available when Authorization Code is selected. Enables the Proof Key for Code Exchange (PKCE) extension (RFC 7636): the application sends a hash of a per-request secret with the authorization request and the secret itself with the token request, so an authorization code that is stolen or injected cannot be exchanged by anyone else. Disabled by default; enable it for every Authorization Code client, and treat it as mandatory for public clients (browser or mobile code that cannot keep a client_secret). | Disabled |
| `code` validity period | The period during which an authorization code can be exchanged for tokens. Accepts a positive integer in seconds or minutes. Min: 60 seconds. Max: 30 minutes (1,800 seconds). Values outside this range are adjusted automatically. Keep it short: the backend exchanges the code immediately after the callback, so a long lifetime only widens the window in which a leaked code is usable. | 5 minutes |
| Code Challenge method | Specifies how the PKCE code_challenge is derived from the code_verifier. Displayed only when PKCE is enabled. RFC 7636 defines plain (the verifier is sent as-is) and S256 (the base64url-encoded SHA-256 hash of the verifier); use S256 wherever the client can compute a hash. | — |
| `access_token` validity period | The token used to call IDaaS APIs. Default: 2 hours. After expiry, use a refresh token to get a new one, or log on again. | 2 hours |
| `id_token` validity period | The token that identifies the user. In JSON Web Token (JWT) format, signed by IDaaS; the application verifies the signature with the public key published at the JWKS endpoint. Default: 10 hours. After expiry, use a refresh token to get a new one, or log on again. | 10 hours |
| `refresh_token` validity period | Used to obtain new access_token and id_token values. After expiry, the user must log on again. Default: 30 days. | 30 days |
| Extend `id_token` fields | Adds basic, non-sensitive user attributes to the id_token payload, reducing repeated calls to the UserInfo endpoint. The id_token is signed, not encrypted: anyone who holds the token can read every field in the payload, so only include attributes appropriate for public exposure. See OIDC id_token extension value specifications. | — |
| `id_token` signature algorithm | The asymmetric algorithm used to sign the id_token. Only RSA-SHA256 is supported. Configure your OIDC library to accept this algorithm only, rather than whatever algorithm the token's own header claims. | RSA-SHA256 |
| SSO initiator | Controls whether logon can only be initiated by the application, or also from the IDaaS portal. | Application-initiated only |
| Logon initiation URL | Available when SSO initiator supports both portal and application initiation. The application URL that IDaaS calls to start an SSO request. Upon receiving the request, this URL must immediately redirect to the IDaaS /authorize endpoint, generating fresh state, nonce and PKCE values in the application session exactly as for an application-initiated logon; the incoming request carries no proof of who the user is, so nothing about it should be trusted before the normal flow completes. | — |
code validity period: auto-adjustment behavior
If the input value falls outside the allowed range, IDaaS adjusts it automatically:
| Unit | Input | Effective value |
|---|---|---|
| Minutes | 3 | 5 minutes (minimum) |
| Minutes | 40 | 30 minutes (maximum) |
| Seconds | 30 | 60 seconds (minimum) |
| Seconds | 2000 | 1,800 seconds (maximum) |
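With Authorization Code and PKCE enabled as configured above, the application has to create three per-logon secrets before it redirects the browser and check the callback before it spends the code. The following Go program is an example added here, not code from this page or from IDaaS; the authorization endpoint, client_id and redirect URI in it are placeholders, and the callback it feeds itself is constructed. It builds the authorize request with state, nonce and an S256 code_challenge, validates the callback query string (state first, then error, then code), and assembles the token request body with the code_verifier. The HTTP POST to the token endpoint and the client_secret a confidential client would add to that request are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Placeholder tenant values; assumptions for this example, not real IDaaS identifiers.
const (
	authorizeEP = "https://xxxxx.aliyunidaas.com.cn/oidc/authorize"
	clientID    = "app_example"
	redirectURI = "https://www.example.com/oidc/sso" // must appear in the Logon Redirect URIs allowlist
)

var b64 = base64.RawURLEncoding

// s256 derives the PKCE code_challenge from a code_verifier (RFC 7636 section 4.2, method S256).
func s256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64.EncodeToString(sum[:])
}

// randomToken returns 256 bits from the CSPRNG as 43 base64url characters: enough for a
// code_verifier (RFC 7636 allows 43..128 characters) and for state and nonce.
func randomToken() string {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	return b64.EncodeToString(raw)
}

// pendingLogon is what the backend keeps in the server-side session between the redirect
// and the callback. The verifier never leaves the backend; only its hash goes to IDaaS.
type pendingLogon struct {
	State, Nonce, Verifier string
}

// startLogon creates the session record and the URL the browser is redirected to.
func startLogon() (pendingLogon, string) {
	p := pendingLogon{State: randomToken(), Nonce: randomToken(), Verifier: randomToken()}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid email profile")
	q.Set("state", p.State) // later compared with the state in the callback
	q.Set("nonce", p.Nonce) // later compared with the nonce claim of the id_token
	q.Set("code_challenge", s256(p.Verifier))
	q.Set("code_challenge_method", "S256")
	return p, authorizeEP + "?" + q.Encode()
}

// handleCallback validates the query string IDaaS redirects back with and builds the
// token request body. The state check comes first: without it an attacker can plant
// their own code in the victim's session (login CSRF). Error responses are surfaced.
func handleCallback(p pendingLogon, callbackURL string) (url.Values, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	if q.Get("state") == "" || q.Get("state") != p.State {
		return nil, errors.New("state mismatch: callback does not belong to this session")
	}
	if e := q.Get("error"); e != "" {
		return nil, fmt.Errorf("authorization failed: %s (%s)", e, q.Get("error_description"))
	}
	code := q.Get("code")
	if code == "" {
		return nil, errors.New("callback carries neither code nor error")
	}
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI) // must equal the value sent in the authorize request
	form.Set("client_id", clientID)       // a confidential client also sends its client_secret (omitted here)
	form.Set("code_verifier", p.Verifier) // IDaaS recomputes S256 and compares with the stored challenge
	return form, nil
}

func main() {
	p, redirect := startLogon()
	fmt.Println("302 Location:", redirect)
	// Constructed callback, shaped like the one IDaaS sends after the user logs on.
	form, err := handleCallback(p, redirectURI+"?code=c-constructed&state="+p.State)
	fmt.Println("POST token endpoint:", form.Encode(), err)
	_, err = handleCallback(p, redirectURI+"?code=c-attacker&state=forged")
	fmt.Println("forged callback:", err)
}
```

The session record has to be stored server-side and consumed once: after a successful exchange, delete it, so a second callback with the same state is rejected rather than triggering a second code exchange.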
Application-side configuration
If your OIDC client supports the Discovery protocol, start with the Discovery endpoint: your client retrieves all other endpoint URLs from it automatically. Check that the issuer value inside the Discovery document is identical to the Issuer you configured; OIDC Discovery requires the two to match, and the check keeps a misconfigured or spoofed document from pointing your client at another provider's endpoints. Configure individual endpoints manually only if your client does not support OIDC Discovery.
| Endpoint | Description | Example URL |
|---|---|---|
| Issuer | Identifies the token source and serves as the base URL for all endpoints. | https://xxxxx.aliyunidaas.com.cn/oidc1 |
| Discovery endpoint | Returns endpoint URLs, supported grant types, and other metadata. Publicly accessible. Point your OIDC client here to auto-configure all other endpoints. | https://xxxxx.aliyunidaas.com.cn/oidc1/.well-known/openid-configuration |
| Authorization endpoint | The address your application redirects users to for logon. | https://xxxxx.aliyunidaas.com.cn/oidc/authorize |
| Token endpoint | Called by your backend to exchange an authorization code for tokens. | https://xxxxx.aliyunidaas.com.cn/oidc/token |
| JWKS endpoint | Provides the public keys used to verify the id_token signature. Public key rotation is not supported; even so, select the key by the kid in the id_token header rather than hard-coding a key, so the application keeps working if a key is ever added. | https://xxxxx.aliyunidaas.com.cn/oidc1/jwks |
| UserInfo endpoint | Returns basic user attributes when called with a valid access_token. | https://xxxxx.aliyunidaas.com.cn/oidc1/userinfo |
| End session endpoint (SLO) | Logs the user out of the IDaaS main session. | https://xxxxx.aliyunidaas.com.cn/oidc1/logout |
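Once the backend has exchanged the code, the id_token it receives has to be verified before anyone is logged on: the signature against the JWKS key named by the token's kid, a pinned algorithm, and the iss, aud, exp and nonce claims. The following Go program, added here as an illustration and not code from this page or from IDaaS, does that with the standard library. To run offline it also simulates the provider side: it generates an RSA key, publishes it as a JWKS entry and signs a token, which is what IDaaS does for you in production. The issuer, client_id, kid, subject and nonce are placeholders; the claim names and the RS256 algorithm label are the standard JWT/OIDC ones, and aud is assumed to be a single string.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Placeholder tenant values; assumptions for this example, not real IDaaS identifiers.
const issuer, clientID = "https://xxxxx.aliyunidaas.com.cn/oidc1", "app_example"

var b64 = base64.RawURLEncoding

type jwk struct{ Kid, N, E string } // JWKS entry fields for RS256 verification; encoding/json matches "kid", "n", "e" case-insensitively

type claims struct { // id_token fields a relying party must check (OpenID Connect Core 3.1.3.7)
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"` // single audience assumed; the spec also allows an array
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

// keyFor picks the JWKS entry named by the token header's kid and decodes its n and e.
func keyFor(keys []jwk, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == kid && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable JWKS key with kid %q", kid)
}

// verifyIDToken rejects the logon unless alg is RS256, the signature checks against the JWKS
// key named by kid, and iss, aud, exp and nonce all match what this client expects.
func verifyIDToken(token string, keys []jwk, wantNonce string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed id_token")
	}
	var hdr struct{ Alg, Kid string }
	var c claims
	rawHdr, errH := b64.DecodeString(parts[0])
	rawBody, errB := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errB != nil || errS != nil || json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(rawBody, &c) != nil {
		return nil, fmt.Errorf("id_token is not a well-formed JWT")
	}
	if hdr.Alg != "RS256" { // pin the algorithm; never let the token choose it
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := keyFor(keys, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, fmt.Errorf("id_token signature invalid: %w", err)
	}
	switch { // claim values are trusted only now that the signature has been verified
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not the configured issuer", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("id_token was issued to a different client_id")
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("id_token has expired")
	case c.Nonce != wantNonce:
		return nil, fmt.Errorf("nonce mismatch: id_token does not belong to this session")
	}
	return &c, nil
}

// simulateProvider stands in for IDaaS so the example runs offline: it creates a signing key,
// publishes it as a JWKS entry and signs the claims as an RS256 JWT with kid in the header.
func simulateProvider(kid string, c claims) (string, []jwk) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := []jwk{{Kid: kid, N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return signing + "." + b64.EncodeToString(sig), keys
}

func main() {
	tok, keys := simulateProvider("key-1", claims{Iss: issuer, Sub: "user-1", Aud: clientID, Exp: time.Now().Add(10 * time.Hour).Unix(), Nonce: "n-1"})
	fmt.Println(verifyIDToken(tok, keys, "n-1", time.Now())) // accepted
	fmt.Println(verifyIDToken(tok, keys, "n-2", time.Now())) // the same token replayed into another session: rejected
}
```

In production the JWKS comes from the JWKS endpoint in the table above and the expected nonce from the server-side session created at the start of the logon; the verification order (well-formed, pinned alg, known kid, valid signature, then claims) is what matters, because every claim check before the signature check would be operating on attacker-controlled input.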
What's next
Standard protocols — explore other SSO protocols supported by IDaaS
OIDC id_token extension value specifications — customize the id_token payload
SSO overview — understand authorization scope options