# OIDC Examples
# Client Secret Flow examples
Example client secret redirect for starting the authenticate flow using client credentials:
```
https://yourbrokerdomain/broker/sp/oidc/authenticate?
client_id=y6VLAK0c2Q0uBtga36BiNmxz7o0AaeaC
&scope=openid
&response_type=code
&redirect_uri=https%3A%2F%2Fyourspdomain%2Foidc%2Flogin%2Fresponse
&state=0386RDbo7CI3MgY_oiqBAuxgOfneNGCHqDrlHg7ltPk
&nonce=tggykvrGuAjqhBk4VA2AWPlQ3M02_GJBnl5pbIOc55w
```
The scope parameter can be used to communicate a number of things. To see all the options, visit the .well-known/openid-configuration endpoint:
```
https://yourbrokerdomain/broker/sp/oidc/.well-known/openid-configuration
```
The scopes_supported value is a JSON array and may look like:
```json
"scopes_supported":[
    "openid",
    "service:saml_sp_1",
    "service:sp_1",
    "idp_scoping:beid",
    "idp_scoping:https://was-preprod1.digid.nl/saml/idp/metadata",
    "idp_scoping:https://was-preprod1.digid.nl/saml/idp/metadata_app",
    "idp_scoping:https://yourbrokerdomain/broker/authn/ciam",
    "idp_scoping:uzi-pas",
    "idp_scoping:urn:etoegang:HM:00000003244440010000:entities:9632",
    "1",
    "2"]
```
The following scopes can be identified:
- openid: indicates you want an ID token
- service: see the broker services page for more information
- idp_scoping: this can be used to convey Identity Provider (IdP) scoping using OIDC (in order to skip the Identity Provider selection screen)
- indices: these can be used to log in to a certain eHerkenning service index, and will only be present if you have eHerkenning configured as an IdP
NOTE: If you want to use one of these scopes, make sure to URL-encode it.

For example, scoping a bank in iDIN:
```
scope=openid%20idp_scoping%3Aidin%20idp_scoping%3ABANKNL2Y%20name
```
# PKCE Flow examples
Example redirect for starting the authenticate flow using PKCE flow:
```
https://yourbrokerdomain/broker/sp/oidc/authenticate?
scope=openid
&response_type=code
&redirect_uri=https://yourspdomain/redirect
&state=ade9d8cc37e0424e949b5a6c8049fc3b
&code_challenge_method=S256
&client_id=kdS3agHrJv2i9PiZC4kHAXxWQvG1zaQ5
&code_challenge=VuWTsxohNJ6E6TKGWz2anu5EqLeWReJuz--BR6iyq-c
&response_mode=query
```
Retrieve the ID token using the authorisation code:
```
https://yourbrokerdomain/broker/sp/oidc/token?
code=A5NEx8VG+/dQHfR8T2fIuP4QYX1V1odhLwsbF6LyOUE=
&grant_type=authorization_code
&redirect_uri=https://yourspdomain/someredirect
&client_id=kdS3agHrJv2i9PiZC4kHAXxWQvG1zaQ5
&code_verifier=f0a0e3cb6d8943d3885410a930783b31a394cf6d6aae4e6882533720d16fec0c952a41ac0d4f4293993990d61ffece48
```
# Logout examples
For a frontchannel logout, redirect the user to:
```
https://yourbrokerdomain/broker/sp/oidc/logout?
id_token_hint=eyJraWQiOiJrOFJUVmJFTy1PN09ndGpNdVJmYkVVMlhKalRYcDFVTmlr...
&post_logout_redirect_uri=https%3A%2F%2Fyourdomain/logoutCompleted
```