
Step 1: User Authentication (SSO)

Authenticate the user with the Identity Provider (IDP) via Single Sign-On to obtain an ID Token.

Prerequisite

You need a registered client before this step. If you haven't registered yet, see Register Your App. You'll need your client_id, client_secret, and a registered redirect_uri.

Authorization request

First, redirect the user to the IDP's authorization endpoint:

http
| Parameter | Required | Description |
|---|---|---|
| client_id | Yes | Your registered client ID |
| response_type | Yes | Must be code for authorization code flow |
| scope | Yes | Space-separated scopes (must include openid) |
| redirect_uri | Yes | Must match registered redirect URI |
| state | Recommended | Random value to prevent CSRF attacks |
| code_challenge | Recommended | PKCE challenge (SHA256 hash of verifier) |
| code_challenge_method | Recommended | Must be S256 when using PKCE |

Token response

After successful authentication, you'll receive:

JSON

ID Token claims

The ID Token is a JWT containing user information:

JSON
| Claim | Description |
|---|---|
| iss | IDP URL |
| sub | Unique user identifier |
| aud | Your client ID |
| exp | Expiration time |
| iat | Issued at time |
| email | User's email address |
| name | User's display name |

The ID Token is used in the next step (Token Exchange) to obtain an ID-JAG. Store it securely and never expose it in URLs or server logs.
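Before the ID Token is handed to the token exchange in Step 2, the client should check the claims listed above. The following is an added, self-contained example (not Okta's code or the project's own); it assumes placeholder values for the issuer URL and client ID, and, so that it runs offline, signs a constructed demo token with HS256 and a constructed shared secret. Real IDP ID Tokens are normally signed with an asymmetric algorithm and must be verified against the IDP's published JWKS instead; the claim checks are the same either way.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Placeholder registration values (assumptions; use your own IDP URL and client_id).
EXPECTED_ISSUER = "https://idp.example.com"
CLIENT_ID = "client-id-placeholder"
# Assumption for this offline example only: HS256 with a constructed shared secret.
SHARED_SECRET = b"constructed-demo-secret"
CLOCK_SKEW = 60  # seconds of tolerance for clock drift between client and IDP


def b64url_decode(s: str) -> bytes:
    """base64url decode, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_demo_id_token(claims: dict) -> str:
    """Constructs a signed demo token so the validator can be exercised offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, now: Optional[int] = None) -> dict:
    """Verify the signature and the iss/aud/exp/iat/sub claims.
    Raises ValueError on any failure and returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def is_valid_id_token(token: str, now: Optional[int] = None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_id_token(token, now)
        return True
    except (ValueError, KeyError, TypeError):
        return False
```

The validator rejects a token whose `aud` names another client, whose `iss` is not the IDP you registered with, or whose `exp` has passed; that last check is what makes the short ~10 minute lifetime effective on the client side.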

Error handling

| Error | Cause | Fix |
|---|---|---|
| unauthorized_client | Client ID not registered | Verify client ID in registration |
| invalid_request | Missing or invalid parameter | Check all required parameters |
| access_denied | User denied consent | Handle gracefully, allow retry |
| invalid_grant | Code expired or already used | Restart auth flow |

Security considerations

  1. Use PKCE: Always include code_challenge and code_challenge_method=S256 in authorization requests, even for confidential clients.
  2. Validate state: Compare the state parameter in the callback against the value you sent to prevent CSRF attacks.
  3. Short-lived ID Tokens: ID Tokens expire in ~10 minutes. Exchange them promptly in Step 2; do not cache or store them long-term.
  4. Secure storage: Store tokens in memory or secure session storage. Never expose them in URLs or server logs.
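The following added example (not Okta's code or the project's own) puts the authorization-request parameters from the table above and security considerations 1, 2 and 4 together: it generates a per-login state and PKCE verifier, keeps both in server-side session storage rather than in the URL, builds the redirect, and validates the callback before any code is exchanged. The endpoint URL, client ID and redirect URI are placeholders; the error-to-action mapping follows the error-handling table.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): substitute your IDP's authorization endpoint and
# the client_id / redirect_uri from your own registration.
AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/v1/authorize"
CLIENT_ID = "client-id-placeholder"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes encode to a 43-character verifier (RFC 7636 allows 43..128).
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: base64url(SHA-256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(state: str, verifier: str,
                                scope: str = "openid email profile") -> str:
    """Authorization request URL carrying every parameter from the table."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def start_login(session: dict) -> str:
    """Create fresh state and verifier for this login, keep them server-side
    (secure session storage), and return the URL to redirect the user to."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = make_code_verifier()
    return build_authorization_request(session["oidc_state"], session["pkce_verifier"])


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the redirect back from the IDP before the code is exchanged.
    Returns what to do next; a callback whose state does not match the stored
    value is rejected outright, and stored values are single-use."""
    query = parse_qs(urlparse(callback_url).query)
    expected_state = session.pop("oidc_state", None)
    verifier = session.pop("pkce_verifier", None)
    received_state = query.get("state", [None])[0]

    if (expected_state is None or received_state is None
            or not hmac.compare_digest(expected_state, received_state)):
        return {"ok": False, "action": "reject", "reason": "state mismatch (possible CSRF)"}

    if "error" in query:
        error = query["error"][0]
        # access_denied: user declined consent, so offer a retry (error table).
        action = "offer_retry" if error == "access_denied" else "fail"
        return {"ok": False, "action": action, "reason": error}

    code = query.get("code", [None])[0]
    if not code:
        return {"ok": False, "action": "fail", "reason": "missing code"}
    # The token request (Step 2 territory, not shown) sends this code together
    # with the stored verifier so the IDP can check SHA-256(verifier) against
    # the code_challenge it received earlier.
    return {"ok": True, "action": "exchange_code", "code": code, "code_verifier": verifier}
```

The session dict stands in for whatever server-side session store the application already uses; the point is that `state` and the PKCE verifier never travel in a URL or end up in logs, and both are consumed on the first callback so a replayed callback cannot match.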

Next step

Once you have the ID Token, proceed to Step 2: Token Exchange to exchange it for an ID-JAG.


Presented by Okta Developer

Copyright © 2026 Okta. All rights reserved.