For IdPs
Step 1: OpenID Service
As an identity provider and credential issuer, you need to set up an OpenID Connect server. There are many servers to choose from; for a list, check out the OpenID website.
One important caveat: the server must let you place user information (claims) inside the signed ID Token itself, not only behind the UserInfo endpoint, because the signed ID Token is what reclaimID consumes as the issued credential.
Which user information goes into the token is of course entirely at your discretion.
Step 2: Configuring the reclaimID client
reclaimID uses fixed client registration values which must be registered at the OpenID server. The values are:
- Client ID: reclaimid
- Client secret: none (public client)
- Redirect URI: https://ui.reclaim (register it for exact matching; with no client secret, the redirect URI and PKCE are all that bind an authorization code to reclaimID)
- Grant type: Authorization code
- PKCE: enabled (optional but highly recommended, since for a client without a secret it is the only defense against authorization code interception)
Step 3: Configuring a webfinger
You must support WebFinger-based OpenID Connect issuer discovery (OpenID Connect Discovery 1.0).
Whenever the user configures an email address for an identity, reclaimID tries to discover the issuing identity provider through the OIDC Discovery protocol. This includes a WebFinger request (/.well-known/webfinger) to the authority (host) part of the email address.
The response must point reclaimID to the actual OpenID Connect issuer, whose /.well-known/openid-configuration document serves the issuer metadata. reclaimID will request all scopes listed in that metadata (scopes_supported), but does not expect all of them to be granted.
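The three steps above, walked through end to end as an added example (this is illustrative code written for this page, not reclaimID's own implementation): the WebFinger lookup for an email identifier, the issuer metadata checks, a PKCE authorization request for the public client "reclaimid" with redirect URI https://ui.reclaim that asks for every advertised scope, and the claim checks that turn a returned ID Token into user attributes. The hostnames example.org / idp.example.org, the WebFinger and metadata documents, and the ID Token claims are constructed sample data, not captured from any real identity provider.

```python
"""Illustrative OIDC discovery + PKCE code flow as an IdP must support it for
reclaimID.  Every response below is CONSTRUCTED sample data (assumed hosts
example.org / idp.example.org), not captured from a real server."""
import base64
import hashlib
import secrets
import time
import urllib.parse

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
CLIENT_ID = "reclaimid"              # fixed reclaimID client id
REDIRECT_URI = "https://ui.reclaim"  # fixed reclaimID redirect URI

# Constructed: what https://example.org/.well-known/webfinger would answer.
WEBFINGER_RESPONSE = {
    "subject": "acct:alice@example.org",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://idp.example.org"}],
}
# Constructed: https://idp.example.org/.well-known/openid-configuration
ISSUER_METADATA = {
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org/authorize",
    "token_endpoint": "https://idp.example.org/token",
    "jwks_uri": "https://idp.example.org/jwks",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
}


def webfinger_url(email):
    """WebFinger request (RFC 7033) to the host part of an email identifier."""
    host = email.rsplit("@", 1)[1]
    query = urllib.parse.urlencode({"resource": "acct:" + email, "rel": OIDC_ISSUER_REL})
    return "https://" + host + "/.well-known/webfinger?" + query


def issuer_from_webfinger(doc):
    """Pick the OIDC issuer link out of a WebFinger JRD; insist on https."""
    for link in doc.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL and link.get("href", "").startswith("https://"):
            return link["href"].rstrip("/")
    raise ValueError("WebFinger response carries no OIDC issuer link")


def discovery_url(issuer):
    return issuer + "/.well-known/openid-configuration"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 challenge (RFC 7636): BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair():
    verifier = _b64url(secrets.token_bytes(32))  # 43 unreserved chars, within RFC 7636 bounds
    return verifier, pkce_challenge(verifier)


def build_authorization_request(metadata, expected_issuer, state, nonce, code_challenge):
    """Code grant, public client, PKCE S256, every advertised scope (a subset may be granted)."""
    if metadata["issuer"].rstrip("/") != expected_issuer:
        raise ValueError("issuer metadata does not match the discovered issuer (mix-up)")
    if "code" not in metadata.get("response_types_supported", []):
        raise ValueError("authorization code flow not supported")
    if "S256" not in metadata.get("code_challenge_methods_supported", []):
        raise ValueError("S256 PKCE not supported; do not fall back to 'plain'")
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": " ".join(metadata["scopes_supported"]), "state": state, "nonce": nonce,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return metadata["authorization_endpoint"] + "?" + urllib.parse.urlencode(params)


def query_params(url):
    """Flatten the query string of a URL into a dict (used to inspect requests)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}


REGISTERED_CLAIMS = {"iss", "aud", "exp", "iat", "nonce", "auth_time", "at_hash", "azp"}


def attributes_from_id_token(claims, expected_issuer, expected_nonce, now=None):
    """Check the ID Token's registered claims, return the user info the IdP put in it.
    Signature verification against jwks_uri is assumed done already (needs key material)."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != expected_issuer:
        raise ValueError("iss mismatch")
    if CLIENT_ID not in aud:
        raise ValueError("token not issued to reclaimid")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences without matching azp")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return {k: v for k, v in claims.items() if k not in REGISTERED_CLAIMS}


if __name__ == "__main__":
    issuer = issuer_from_webfinger(WEBFINGER_RESPONSE)
    verifier, challenge = new_pkce_pair()
    print(webfinger_url("alice@example.org"))
    print(discovery_url(issuer))
    print(build_authorization_request(ISSUER_METADATA, issuer, secrets.token_urlsafe(16),
                                      secrets.token_urlsafe(16), challenge))
```

The two points a practitioner should take from this: the issuer value in the metadata is compared against the issuer WebFinger returned (so a metadata document served by the wrong party is rejected), and the user attributes come out of the ID Token's claims, which is why Step 1 requires the server to put user information into the signed token rather than only behind the UserInfo endpoint.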