For IdPs


Step 1: OpenID Service

As an identity provider and credential issuer, you need to set up an OpenID Connect server. There are many implementations available; the OpenID website maintains a list of servers. One important caveat: the server must be able to place user information (claims) inside the signed "ID Token". Which user information goes into the token is, of course, entirely at your discretion.

Step 2: Configuring the reclaimID client

reclaimID uses fixed client values that must be registered at the OpenID Connect server. The values are:

Step 3: Configuring a webfinger

You must support WebFinger-based OpenID Connect service discovery. Whenever the user configures an email address for an identity, reclaimID tries to discover the issuing identity provider through the OIDC Discovery protocol. This involves a WebFinger request to the authority (host) part of the email address. The response should point reclaimID to the OpenID Connect service that serves the issuer metadata. reclaimID will request all scopes listed in the metadata, but does not expect all of them to be granted.
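The discovery flow described above, as an added example that is not part of reclaimID's own code: it builds the WebFinger request for the host part of an email address, reads the issuer link from the response, fetches the issuer metadata and collects the advertised scopes. The responses for `alice@example.com` and the issuer `https://idp.example.com` are constructed samples, and `fetch` is an assumed callback so the flow runs offline; the issuer-match check is the consistency check OIDC Discovery requires of a client.

```python
import json
from urllib.parse import urlencode

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

def webfinger_url(email):
    """WebFinger request (RFC 7033 / OIDC Discovery) for an email address.
    The request is sent to the authority (host) part of the address."""
    _, host = email.rsplit("@", 1)
    query = urlencode({"resource": f"acct:{email}", "rel": OIDC_ISSUER_REL})
    return f"https://{host}/.well-known/webfinger?{query}"

def issuer_from_webfinger(body):
    """Return the issuer href from a WebFinger JRD, or None if no OIDC link is advertised."""
    for link in json.loads(body).get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL and "href" in link:
            return link["href"]
    return None

def discover(email, fetch):
    """Resolve an email address to (issuer, scopes_supported).
    `fetch(url)` is an assumed callback returning the response body as a string."""
    issuer = issuer_from_webfinger(fetch(webfinger_url(email)))
    if issuer is None or not issuer.startswith("https://"):
        raise ValueError("no https OIDC issuer advertised for %s" % email)
    metadata = json.loads(fetch(issuer.rstrip("/") + "/.well-known/openid-configuration"))
    # The metadata's own "issuer" must equal the discovered issuer; a mismatch means
    # the configuration document does not belong to the provider WebFinger named.
    if metadata.get("issuer") != issuer:
        raise ValueError("issuer mismatch: %r vs %r" % (metadata.get("issuer"), issuer))
    return issuer, list(metadata.get("scopes_supported", []))

# Constructed sample responses (not from any real provider) keyed by request URL.
SAMPLE_RESPONSES = {
    webfinger_url("alice@example.com"): json.dumps({
        "subject": "acct:alice@example.com",
        "links": [{"rel": OIDC_ISSUER_REL, "href": "https://idp.example.com"}]}),
    "https://idp.example.com/.well-known/openid-configuration": json.dumps({
        "issuer": "https://idp.example.com",
        "authorization_endpoint": "https://idp.example.com/authorize",
        "scopes_supported": ["openid", "email", "profile"]}),
}

def sample_fetch(url):
    return SAMPLE_RESPONSES[url]

if __name__ == "__main__":
    print(discover("alice@example.com", sample_fetch))
```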