Skip to main content
Skip table of contents


Configure Identity Providers that use the OAuth 2.0 or OAuth 2.1 Protocol (or the OpenID Connect protocol, which extends the OAuth 2.0 protocol) to authenticate and authorize users.  

TrustBuilder will act as a Service Provider when sending an authentication Request to the Identity Provider.

Configure a custom OAuth IDP

From the admin portal, go to Identity Providers tab > Custom OAUTH IDP.



Display Name

The display name of the Identity Provider

If a known name is used (such as Facebook, Google, LinkedIn) the corresponding logo will automatically be provided.


The Identity Provider description

Provisioning Workflow

Select a workflow that will be executed after the Authentication is complete. Said workflow can be used, for instance, to provision users in a user database.


"OAuth 2.0"


Primary attribute that is used to identify the Subject

Well Known

The URL where the IDP's metadata (discovery endpoint) can be retrieved.

OpenID Connect defines a discovery mechanism, called OpenID Connect Discovery, where an OpenID server publishes its metadata at a well-known URL, typically: configuration endpoint is a good start to configure your IDP.

For TrustBuilder, the URL path is:  https://{server}.{com}>/idhub/oidc/.well-known/openid-configuration

Manage Certificates

You can manage certificates from the Certificates configuration page. You can also add or import certificates from the Identity provider configuration.

  • Context → Defines what the certificate is used for.

    • Key - Signing: Used to sign messages to the IDP

    • Key - Encryption: Used to decrypt the messages (assertions) sent from the IDP

    • Key - TLS: Used to initiate a secure connection (TLS) to the IDP

    • Trust - Signing: Used to verify the signature of messages sent by the IDP

    • Trust - TLS: Used to accept a secure connection (TLS) from the IDP

  • Certificate Alias → The alias of the certificate to use for this context.

  • Used From → Defines from when this certificate may be used. In some cases these periods may overlap for the same context (eg. during a certificate renewal), but in other cases they may never overlap (Key - Signing, Key - TLS).

  • Used Until → Defines until when this certificate may be used.

See Certificates

Token Endpoint Method

There are 4 options to authenticate the Client (Mind: Not the user!):

  • Client Secret Basic: The client is authenticated via basic http authentication, using the client ID and secret. A textbox is displayed where the client secret must be provided.

  • Client Secret JWT: The client is authenticated by passing the client ID and secret in a signed JWT. The audience (identifies the authorization server as an intended audience) and secret must be supplied. [RFC: Link]

  • Client Secret Post: The client is authenticated via http post authentication,  using client ID and secret, which are sent as parameters alongside the other parameters. A textbox is displayed where the client secret must be provided.

  • Private Key JWT: Rather than using a secret, this method uses the "Key Signing" Private Key to sign the Client Authentication JWT. The Audience (identifies the authorization server as an intended audience) must be provided.


The discovery endpoint can be used to retrieve metadata about your IdentityServer. It returns information like the issuer name key material, supported scopes etc. The discovery endpoint is available via /.well-known/openid-configuration relative to the base address.

Client Secret

Only visible when Token Endpoint Method is set to “Client Secret Basic” or “Client Secret Post“

JWT Audience

Only visible when Token Endpoint Method is set to “Client Secret JWT” or “Private Key JWT“

JWT Private Key

Only visible when Token Endpoint Method is set to “Client Secret JWT”

OAuth Policy

Enables the choice between applying OAuth 2.0 and OAuth 2.1.
Selecting OAuth 2.1 will disable or enforce certain configuration options, as per the specification.

App Client ID

The "client_id" as it is known by the IDP.  Identifies TrustBuilder as the Service Provider.

Authorization Endpoint

URL where to request the Authorization Code token

Token Endpoint

URL where to send the ID Token request

Token introspection URL

When using the token exchange endpoint of IDHub, this URL will be used to validate the access token.

End Session Endpoint

URL where to redirect the user for Single Sign out to terminate authenticated sessions.

User Info Endpoint

URL where to request the User Info

JWKS Endpoint

The URL where the Identity Provider's JWKS (Key information) can be found.

Expected Issuer

Used in OpenID Connect. The value filled in here must match the "iss" (issuer) value that is given in the id_token. This value is validated when using in the Authorization Flow and Hybrid Flow, so it's highly recommended to provide this value.  If this cannot be validated, this will result in an INVALID_GRANT.

We will also use this value as "audience" in the authentication request.

Attribute Name for Subject

Defines which attribute in the Authentication Response JSON describes the subject.  This is because the Identity Provider does not necessarily use the same attribute as the subject.


Define which scopes to include in the Authentication Request.
Add an "openid" scope if the "OpenIDConnect" Protocol is used.

Sign Authentication Request

When this is enabled, the Authentication Request to the IDP will be signed, using the signing key certificate.

Encrypt Authentication Request

When this is enabled, the Authentication Request to the IDP will be encrypted as a JWT, using the public encryption key of the IDP.  This key is generally retrieved from the JWKS endpoint.

The following extra fields are displayed when this is enabled:

  • CEK encryption algorithm (Content Encryption Key algorithm - Asymmetric)

  • Content encryption algorithm (Content Encryption algorithm - Symmetric)

Request by Reference

This is similar in behavior as the SAML artifact: instead of returning the claims in the id_token, the SP will retrieve the claims from the uri that is passed in the "request_uri" parameter.
This is only used in OpenIDConnect.

Request URI

Provide the hostname and the port to be used in the request URI

Redirect URI

Provide the hostname and the port to be used in the redirect URI

Redirect URI Alias


Attribute Sources

Defines where TrustBuilder will look for the user attributes when authenticating

Client Mode

Defines which Authentication protocol is used.  OAuth 2.0 or OpenID Connect

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.