Implicit Flow
Deprecation Notice
There is a more recent version of this OpenId Connect API available. Learn more.
This endpoint will be removed from service on April 20th 2021.
Use this API to authenticate a user as part of the OpenID Connect Implicit Flow and generate an ID Token
for the user.
For more detail about the Implicit Flow see our Developer Overview for OpenID Connect.
Resource URL
https://<region>.onelogin.com/oidc/auth?client_id=<client id>&redirect_uri=<redirect uri>&response_type=id_token&scope=openid
Resource Parameter
region required integer |
Set to the e.g. |
Request Parameter
region required string |
Set to the
https://openid-connect-eu.onelogin.com/oidc
|
redirect_uri required string |
The redirect URI that is registered with OneLogin for this OpenId Connect app. Note that there is a 10-minute delay when updating the allowed redirect_uri list via the admin portal. |
response_type required string |
Set to “id_token token” |
scope required string |
Requires at least “openid”. Add “profile” and/or “groups” to get additional user information returned in the |
nonce required string |
A secure random string that is used by the OpenID provider to protect against replay attacks. It will be returned as part of the JWT ID Token and should be used to validate the authenticity of the token. |
state string |
A random string that is returned on success and can be used to verify the call and protect against cross site scripting attacks. |
acr_values string |
If this optional parameter is set to |
prompt string |
Optional. If used must be set to one of the following:
|
login_hint string |
Optional. Set this to the user’s username or email to prepopulate the username field of the OneLogin login screen. |
Sample Response
- 302 Redirect
- 400 Bad Request
- 401 Unauthorized
If the request parameters are valid a 302 redirect will occur to the registered redirect_uri with the following query parameters appended.
Success - Providing the id_token is validated
#id_token=xxxxxx.xxxxxxxxxxxx.xxxxxxxxxx&state=aff55f6cf1d50e75988db51fe7746546
Error - Invalid Response Type
?error=unsupported_response_type&error_description=response_type%20not%20supported
Error - Missing the scope parameter
?error=invalid_request&error_description=missing%20required%20parameter(s)%20scope
Error - Prompt=none and the user was not authenticated
?error=login_required&error_description=End-User%20authentication%20is%20required
Missing the nonce
{
"error": "invalid_request",
"error_description": "missing required parameter(s). (nonce)"
}
Missing the redirect_uri
{
"error": "invalid_request",
"error_description": "missing required parameter(s). (redirect_uri)"
}
Invalid redirect_uri
{
"error": "redirect_uri_mismatch",
"error_description": "redirect_uri did not match any client's registered redirect_uri"
}
Invalid client_id
{
"error": "invalid_client",
"error_description": "client is invalid",
"state": "61c07cd68b0c65a0e9a35bf6c4f472f4"
}
Response Elements
id_token |
A JWT containing user information and nonce for validation |
state |
The state parameter provided in the initial request to help prevent cross site scripting attacks |
ID Token Sample
{
"sub": "35666371",
"email": "styler@onelogin.com",
"preferred_username": "sally",
"name": "Sally Tyler",
"updated_at": "2018-04-12T21:55:56Z",
"given_name": "Sally",
"family_name": "Tyler",
"groups": [
"Admin Role",
"User Role",
"Custom Roll"
],
"acr": "onelogin:nist:level:1:re-auth",
"at_hash": "UnQAjiMVu7OhJYPHRNbhQA",
"rt_hash": "ZUK9M1zLqc4O1XIGVZ8cng",
"aud": "78d1d040-20c9-0136-5146-067351775fae92920",
"exp": 1523577359,
"iat": 1523570159,
"iss": "https://openid-connect.onelogin.com/oidc"
}
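The checks a client makes on the redirect described above (state, signature, iss, aud, exp, nonce), as an added Node.js example that is not OneLogin code. The `expected` field names, the helper names, the client id, the nonce value and the throwaway RSA key (standing in for the provider's published signing key) are assumptions; the token is constructed for the example.

```javascript
const crypto = require('crypto');
const b64u = (v) => Buffer.from(v).toString('base64url');
const fail = (reason) => ({ ok: false, reason });

// `expected` = values the client stored before redirecting (field names are assumptions).
function validateImplicitResponse(fragment, expected, providerKey, nowSec) {
  const params = new URLSearchParams(fragment.replace(/^[#?]/, ''));
  if (params.get('error')) return fail(params.get('error'));
  // state must equal the value this browser session sent in the request.
  if (params.get('state') !== expected.state) return fail('state_mismatch');

  const parts = (params.get('id_token') || '').split('.');
  if (parts.length !== 3) return fail('malformed_token');
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch (e) { return fail('malformed_token'); }

  // Pin the algorithm instead of letting the token header choose it.
  if (header.alg !== 'RS256') return fail('bad_alg');
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
    providerKey, Buffer.from(s, 'base64url'));
  if (!sigOk) return fail('bad_signature');

  if (claims.iss !== expected.iss) return fail('bad_iss');
  if (![].concat(claims.aud).includes(expected.clientId)) return fail('bad_aud');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return fail('expired');
  // nonce ties the token to this request; a token issued for another request fails here.
  if (typeof claims.nonce !== 'string' || claims.nonce !== expected.nonce) return fail('nonce_mismatch');
  return { ok: true, claims };
}

// Constructed sample data: a throwaway RSA key stands in for the provider's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signToken(claims) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(crypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
}
const expected = { state: 'aff55f6cf1d50e75988db51fe7746546', nonce: 'n-constructed-0001',
  iss: 'https://openid-connect.onelogin.com/oidc', clientId: 'constructed-client-id' };
const sampleClaims = { sub: '35666371', iss: expected.iss, aud: expected.clientId,
  iat: 1523570159, exp: 1523577359, nonce: expected.nonce };
const fragmentFor = (claims, state = expected.state) => `#id_token=${signToken(claims)}&state=${state}`;

console.log(validateImplicitResponse(fragmentFor(sampleClaims), expected, publicKey, 1523570200).ok);
```

The order matters: nothing in the payload is trusted until the signature check has passed, and a token is accepted only when every claim check succeeds.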
Postman Collection
Replace sample variables indicated by {{ }} with your actual values.
Download for the OpenId Connect API