OIDC Examples

Example redirect for starting the authenticate flow using client credentials (client secret):
https://yourbrokerdomain/broker/sp/oidc/authenticate?
client_id=y6VLAK0c2Q0uBtga36BiNmxz7o0AaeaC
&scope=openid
&response_type=code
&redirect_uri=https%3A%2F%2Fyourspdomain%2Foidc%2Flogin%2Fresponse
&state=0386RDbo7CI3MgY_oiqBAuxgOfneNGCHqDrlHg7ltPk
&nonce=tggykvrGuAjqhBk4VA2AWPlQ3M02_GJBnl5pbIOc55w
The scope parameter can convey a number of things. To see all the options, visit the .well-known/openid-configuration endpoint:
https://yourbrokerdomain/broker/sp/oidc/.well-known/openid-configuration
The scopes_supported value is a JSON array and may look like:
"scopes_supported":[
"openid",
"service:saml_sp_1",
"service:sp_1",
"idp_scoping:beid",
"idp_scoping:https://was-preprod1.digid.nl/saml/idp/metadata",
"idp_scoping:https://was-preprod1.digid.nl/saml/idp/metadata_app",
"idp_scoping:https://yourbrokerdomain/broker/authn/ciam",
"idp_scoping:uzi-pas",
"idp_scoping:urn:etoegang:HM:00000003244440010000:entities:9632",
"1",
"2"]
The following scopes can be identified:
  • openid (indicates you want an id token)
  • service: for more information, see the broker services page
  • idp_scoping: this can be used to convey Identity Provider (IdP) scoping using OIDC (in order to skip the Identity Provider selection screen)
  • indices: these can be used to log in to a certain eHerkenning service index and are only present if you have eHerkenning configured as an IdP.
Note: If you want to use one of these scopes, make sure to URL-encode it.
For example, scoping a bank in iDIN:
scope=openid%20idp_scoping%3Aidin%20idp_scoping%3ABANKNL2Y%20name

Example redirect for starting the authenticate flow using PKCE flow:
https://yourbrokerdomain/broker/sp/oidc/authenticate?
scope=openid
&response_type=code
&redirect_uri=https://yourspdomain/redirect
&state=ade9d8cc37e0424e949b5a6c8049fc3b
&code_challenge_method=S256
&client_id=kdS3agHrJv2i9PiZC4kHAXxWQvG1zaQ5
&code_challenge=VuWTsxohNJ6E6TKGWz2anu5EqLeWReJuz--BR6iyq-c
&response_mode=query
Retrieve the ID token using the authorisation code:
https://yourbrokerdomain/broker/sp/oidc/token?
code=A5NEx8VG+/dQHfR8T2fIuP4QYX1V1odhLwsbF6LyOUE=
&grant_type=authorization_code
&redirect_uri=https://yourspdomain/someredirect
&client_id=kdS3agHrJv2i9PiZC4kHAXxWQvG1zaQ5
&code_verifier=f0a0e3cb6d8943d3885410a930783b31a394cf6d6aae4e6882533720d16fec0c952a41ac0d4f4293993990d61ffece48
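The URL-encoding note and the PKCE requests above can be combined in one helper. The following is an added example, not code from the broker documentation: it derives the S256 code_challenge from a code_verifier as defined in RFC 7636, builds the authenticate redirect with every value percent-encoded, and checks the returned state. The function names are hypothetical, the host and client_id are the page's placeholders, and the state check assumes the service provider stores the state it sent in the user's session.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, urlencode

# Broker endpoint path as shown on this page; the host is the page's placeholder.
AUTHENTICATE = "https://yourbrokerdomain/broker/sp/oidc/authenticate"


def new_code_verifier() -> str:
    """Random verifier; RFC 7636 requires 43-128 unreserved characters."""
    return secrets.token_urlsafe(64)  # 86 characters from a CSPRNG


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(verifier))), padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authenticate_url(client_id, redirect_uri, scopes, verifier, state):
    """Build the PKCE authenticate redirect with every value percent-encoded."""
    params = {
        "scope": " ".join(scopes),
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge_method": "S256",
        "client_id": client_id,
        "code_challenge": s256_challenge(verifier),
        "response_mode": "query",
    }
    # quote (not quote_plus) encodes spaces as %20, matching the page's example.
    return AUTHENTICATE + "?" + urlencode(params, quote_via=quote)


def state_matches(expected: str, returned: str) -> bool:
    """Constant-time check of the state echoed back on the redirect_uri."""
    return hmac.compare_digest(expected.encode(), returned.encode())


if __name__ == "__main__":
    verifier = new_code_verifier()       # keep with the session, never in the URL
    state = secrets.token_urlsafe(32)    # bind to the user's session
    print(build_authenticate_url("kdS3agHrJv2i9PiZC4kHAXxWQvG1zaQ5",
                                 "https://yourspdomain/redirect",
                                 ["openid", "idp_scoping:idin"], verifier, state))
```

The same code_verifier is later sent to the token endpoint, so it has to be stored alongside the state until the authorisation code comes back.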

For a frontchannel logout, redirect the user to:
https://yourbrokerdomain/broker/sp/oidc/logout?
id_token_hint=eyJraWQiOiJrOFJUVmJFTy1PN09ndGpNdVJmYkVVMlhKalRYcDFVTmlr...
&post_logout_redirect_uri=https%3A%2F%2Fyourdomain/logoutCompleted