Configure an OIDC provider
Reference for every auth.oidcProviders field, its environment variable, default, and the claim contract any OIDC identity provider must satisfy for DALP sign-in.
DALP configures OIDC sign-in through the auth.oidcProviders list in config.yml. The list is provider-neutral: each entry describes one OIDC connection, and any standards-compliant issuer works without provider-specific code. Use this page as the field-by-field reference; for a concrete walkthrough see FusionAuth setup.
Configuration shape
auth:
oidcProviders:
- id: ${OIDC_PROVIDER_ID:-}
displayName: ${OIDC_PROVIDER_DISPLAY_NAME:-}
issuer: ${OIDC_PROVIDER_ISSUER:-}
clientId: ${OIDC_PROVIDER_CLIENT_ID:-}
clientSecret: ${OIDC_PROVIDER_CLIENT_SECRET:-}
adminClaim: ${OIDC_PROVIDER_ADMIN_CLAIM:-}
# scopes: optional; defaults to openid email profile
# requireIssuerValidation: optional; defaults to true
# apiKey + applicationId: optional; enable the OIDC_MFA wallet-signing method
apiKey: ${OIDC_PROVIDER_MFA_API_KEY:-}
applicationId: ${OIDC_PROVIDER_MFA_APPLICATION_ID:-}The ${VAR:-default} syntax reads an environment variable and falls back to the value after :- when the variable is unset or empty. This lets a single committed config.yml carry safe defaults while deployments inject real values through the environment. See Deploy OIDC in production for the Helm and secret-handling model.
Field reference
| Field | Environment variable | Type | Default | Sensitive | Purpose |
|---|---|---|---|---|---|
id | OIDC_PROVIDER_ID | string | "" | No | Stable provider identifier. Used as the sign-in button key and in the callback URL path. |
displayName | OIDC_PROVIDER_DISPLAY_NAME | string | "" | No | Label shown on the sign-in button. Falls back to id when empty. |
issuer | OIDC_PROVIDER_ISSUER | URL | "" | No | OIDC issuer base URL. Discovery is fetched from ${issuer}/.well-known/openid-configuration. |
clientId | OIDC_PROVIDER_CLIENT_ID | string | "" | No | OAuth client identifier registered with the provider. |
clientSecret | OIDC_PROVIDER_CLIENT_SECRET | string | "" | Yes | OAuth client secret. Inject from a secret store, never commit a real value. |
adminClaim | OIDC_PROVIDER_ADMIN_CLAIM | string | "" | No | Claim value that grants platform admin. Empty means no one is promoted (deny-by-default). |
scopes | (none) | string[] | ["openid","email","profile"] | No | OAuth scopes requested. Omit to use the default; the provider must return the required claims. |
requireIssuerValidation | OIDC_PROVIDER_REQUIRE_ISSUER_VALIDATION | boolean | true | No | Enforce the RFC 9207 authorization-response iss parameter. Set false only for providers that don't implement it. |
apiKey | OIDC_PROVIDER_MFA_API_KEY | string | "" | Yes | FusionAuth server API key for the OIDC_MFA wallet-signing method. Authenticates the platform's server-to-server two-factor calls. Inject from a secret store; never commit a real value. |
applicationId | OIDC_PROVIDER_MFA_APPLICATION_ID | string | "" | No | FusionAuth application id that scopes the OIDC_MFA two-factor flow. For FusionAuth this is the same value as clientId. |
Enablement predicate
A provider entry activates for sign-in only when id, issuer, clientId, and clientSecret are all non-empty. A partially-filled entry parses without error but the platform silently drops it: local login stays active, and no sign-in button appears. displayName, scopes, and adminClaim do not affect activation.
OIDC MFA enablement predicate
apiKey and applicationId enable a capability separate from sign-in: the OIDC_MFA wallet-signing verification method. When a signing request declares OIDC_MFA, the platform runs a server-side FusionAuth TOTP check and treats a successful result as authorization for that one operation. It sits alongside PINCODE, OTP, and SECRET_CODES as a way to pass the signing gate.
A provider is OIDC-MFA-capable when issuer, apiKey, and applicationId are all non-empty. This predicate is independent of the sign-in predicate above:
- A provider can enable OIDC wallet verification without sign-in. Set
issuer,apiKey, andapplicationId, and leaveclientIdandclientSecretempty. - A provider can enable sign-in without OIDC MFA. Leave
apiKeyandapplicationIdempty.
OIDC wallet verification configuration does not disable local login. Only a complete sign-in entry does that. The platform reuses issuer as the FusionAuth base URL for the OIDC MFA calls, so the value that anchors discovery also anchors the two-factor round-trip.
OIDC_MFA is available to API and SDK callers that supply it in a request's walletVerification. The method is not selectable in the Console sign-in or signing dialogs in this version. See Troubleshooting for the verification error codes and FusionAuth setup for the API key and enrollment steps.
Issuer and discovery
DALP builds the discovery URL by appending /.well-known/openid-configuration to issuer. Set issuer to the exact base URL the provider advertises as its issuer identifier, with no trailing slash. A mismatch between the configured value and the iss claim inside the ID token fails validation.
Admin claim resolution
adminClaim is matched in priority order against the profile claims:
- If
adminClaimis empty, the user is never an admin (deny-by-default). - If a
rolesarray claim contains theadminClaimvalue, the user is an admin. - If a
groupsarray claim contains theadminClaimvalue, the user is an admin. - If a claim named exactly
adminClaimis the booleantrue(or the string"true"), the user is an admin. - Otherwise the user is a regular member.
Issuer validation and RFC 9207
requireIssuerValidation defaults to true, requiring the provider to return the iss parameter on the authorization response. RFC 9207 defines this as a mixup-attack defense that matters when several IdPs are in play. Providers that lack RFC 9207 support (FusionAuth included) omit that parameter, so every callback fails with issuer_missing until the flag is set to false for that entry. The ID token's iss claim is still checked against discovery regardless of this flag, so turning off RFC 9207 does not disable issuer checking entirely.
Because the flag accepts environment values, the string "false" is parsed as the boolean false (not coerced to true the way Boolean("false") would be). Keep the default true and override per provider only where the provider provably lacks RFC 9207 support.
Claim contract
The provider must return these claims for the requested scopes:
name(required): account creation fails withname_is_missingif absent. Some providers derivenamefrom a full-name field rather than first/last name; confirm yours populates it.emailplus an honored verification signal: an explicitemail_verified: false(or"false") is rejected; an omittedemail_verifiedis accepted, because a missing claim is not the same as an unverified one.- a role or group claim carrying the
adminClaimvalue when the user should be a platform admin.
Other providers
Okta, Auth0, Keycloak, and similar issuers use the same fields. The differences are mechanical:
- Set
requireIssuerValidationaccording to whether your provider implements RFC 9207. Most modern hosted IdPs do, so keep the defaulttrue. - Map the admin signal to whatever your IdP emits, typically a
groupsorrolesclaim you enable on the application or via a claim-mapping rule. - Ensure the
profilescope (or your provider's equivalent) returns a populatedname.
The FusionAuth setup page shows the full sequence for a provider that needs extra configuration to satisfy this contract.
DALP SSO sign-in with OpenID Connect
Configure an external OpenID Connect identity provider as the sign-in method for a DALP deployment, with FusionAuth as the worked example.
Set up FusionAuth sign-in for DALP
End-to-end FusionAuth configuration for DALP OIDC sign-in: the full-name claim and id-token roles requirements the standard setup misses, plus every step to wire it in.