Step 1: OpenID Service
As an identity provider and credential issuer, you need to set up an OpenID Connect server. There are many servers out there; for a list of servers, check the OpenID website.
One important caveat is that the server must allow you to issue user information (claims) inside the signed ID Token.
Which user information goes into the token is, of course, entirely at your discretion.
Step 2: Configuring the reclaimID client
reclaimID uses fixed client values which must be registered at the OpenID server. The values are:
- Client ID: reclaimid
- Client secret: none (public client)
- Redirect URI: https://ui.reclaim
- Grant type: Authorization code
- PKCE: enabled (optional but highly recommended)
Step 3: Configuring a webfinger
You must support WebFinger-based OpenID Connect issuer discovery.
Whenever the user configures an email address for an identity, reclaimID tries to discover the issuing identity provider through the OIDC Discovery protocol. This includes a WebFinger request to the authority (host) part of the email address.
The response should point reclaimID to the actual OpenID Connect service serving the issuer metadata.
reclaimID will then request all scopes listed in the metadata, but does not expect all of them to be granted.
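The discovery and authorization steps above, worked through in Python as an added example (this is not reclaimID's code and not the code of any particular OpenID server): build the WebFinger request for an email address, extract the issuer link, validate the issuer metadata, and assemble an authorization code request using the client values from Step 2 with a PKCE S256 challenge. The provider `id.example.com`, the user `alice@example.com` and the two JSON responses are constructed so that the script runs offline.

```python
import base64
import hashlib
import json
import secrets
import urllib.parse

# rel value that OpenID Connect Discovery 1.0 defines for WebFinger issuer lookup
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Client values that reclaimID registers at the OpenID server (from Step 2).
CLIENT_ID = "reclaimid"
REDIRECT_URI = "https://ui.reclaim"

# Constructed sample responses for an assumed provider id.example.com; they are
# not captured from a real server and exist only so the example runs offline.
SAMPLE_WEBFINGER = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://id.example.com"}],
})
SAMPLE_METADATA = json.dumps({
    "issuer": "https://id.example.com",
    "authorization_endpoint": "https://id.example.com/authorize",
    "token_endpoint": "https://id.example.com/token",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "profile", "email"],
    "code_challenge_methods_supported": ["S256"],
})


def webfinger_url(email):
    """WebFinger request sent to the authority (host) part of the email address."""
    if email.count("@") != 1 or not email.split("@")[1]:
        raise ValueError(f"not an email address: {email!r}")
    host = email.split("@")[1]
    query = urllib.parse.urlencode({"resource": "acct:" + email, "rel": OIDC_ISSUER_REL})
    return f"https://{host}/.well-known/webfinger?{query}"


def issuer_from_webfinger(body):
    """Pick the issuer link out of the WebFinger JRD; unrelated links are ignored."""
    for link in json.loads(body).get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL and "href" in link:
            return link["href"].rstrip("/")
    raise ValueError("WebFinger response carries no OIDC issuer link")


def metadata_url(issuer):
    return issuer + "/.well-known/openid-configuration"


def check_metadata(issuer, body):
    """Validate the provider metadata before trusting any endpoint in it."""
    meta = json.loads(body)
    # The advertised issuer must equal the one WebFinger pointed at; otherwise a
    # different provider could be substituted behind the discovered hostname.
    if meta.get("issuer", "").rstrip("/") != issuer:
        raise ValueError(f"issuer mismatch: {meta.get('issuer')!r} != {issuer!r}")
    if "code" not in meta.get("response_types_supported", []):
        raise ValueError("provider does not offer the authorization code grant")
    for key in ("authorization_endpoint", "token_endpoint"):
        if not meta.get(key, "").startswith("https://"):
            raise ValueError(f"{key} missing or not https")
    return meta


def code_challenge_s256(code_verifier):
    """PKCE S256: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request(meta, code_verifier, state):
    """Authorization code request with the registered client values and PKCE."""
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not support PKCE S256")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        # request every advertised scope; the provider may grant only a subset
        "scope": " ".join(meta.get("scopes_supported", ["openid"])),
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    return meta["authorization_endpoint"] + "?" + urllib.parse.urlencode(params)


def discover_and_build(email, webfinger_body, metadata_body):
    """Full flow over already-fetched bodies; a real client fetches the two URLs."""
    issuer = issuer_from_webfinger(webfinger_body)
    meta = check_metadata(issuer, metadata_body)
    verifier = secrets.token_urlsafe(64)  # 86 chars, within PKCE's 43..128 range
    state = secrets.token_urlsafe(16)
    return {
        "webfinger_url": webfinger_url(email),
        "metadata_url": metadata_url(issuer),
        "code_verifier": verifier,
        "authorization_url": authorization_request(meta, verifier, state),
    }


if __name__ == "__main__":
    flow = discover_and_build("alice@example.com", SAMPLE_WEBFINGER, SAMPLE_METADATA)
    print(json.dumps(flow, indent=2))
```

In a real client the two constructed bodies are replaced by HTTPS fetches of `webfinger_url(email)` and `metadata_url(issuer)`; the issuer comparison in `check_metadata` is the check that matters, since a WebFinger answer is only as trustworthy as the host that served it. The example refuses providers without S256 because the page recommends PKCE; if your server cannot offer it, drop the `code_challenge` parameters rather than the check on the issuer.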