To use the OpenID Connect Protocol (OIDC) debugger, complete the following steps:

- To ensure that the response from the OIDC provider goes to the debugger, add `https://oidcdebugger.com/debug` as a redirect URI in the registered client application in your OIDC provider.
- Find the `authorization_endpoint` and `token_endpoint` of your OIDC provider. You can usually find them in `<your issuer-uri>/.well-known/openid-configuration`.
  - For example, the Azure Active Directory issuer-uri is `https://login.microsoftonline.com/<tenant>/v2.0`. Replace `<tenant>` with your real one. Then go to `https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration`. You should see the following:

    ```
    "authorization_endpoint": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize"
    "token_endpoint": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token"
    ```

  - If you are using Okta and the default authorization server, the OIDC metadata document URL is `https://${yourOktaDomain}/.well-known/openid-configuration`. If you are using a custom authorization server instead, the URL is `https://${yourOktaDomain}/oauth2/${authorizationServerId}/.well-known/openid-configuration`.
- Go to https://oidcdebugger.com, complete the following settings, and click Send Request.
  - Authorize URI – Enter the URI for the `authorization_endpoint`.
  - Redirect URI – Enter `https://oidcdebugger.com/debug`.
  - Client ID – Enter your registered client ID.
  - Scope – Set to `openid`.
  - Response Type – Set `code` as the required response type.
  - Response Mode – Set `fragment` as the required response mode.
- You can submit a POST request using the information from the OIDC debugger success page. To do that, first retrieve your token from your OIDC provider's token endpoint, then include that token in the authorization header of your POST request:

  ```
  POST <the token endpoint found above>
  Content-Type: application/x-www-form-urlencoded

  grant_type=authorization_code&
  code=<the code returned from the OIDC debugger>&
  client_id=<your client id>&
  client_secret=<your client secret>&
  redirect_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug
  ```

- Finally, you should get a response from your OIDC provider like the following:

  ```json
  {
    "token_type": "Bearer",
    "scope": "openid",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "...",
    "id_token": "..."
  }
  ```

- Decode the returned `id_token` with https://jwt.io. You should see the token that Opti ID uses for authentication and authorization. For example:

  ```json
  {
    "aud": "...",
    "iss": "https://login.microsoftonline.com/<tenant>/v2.0",
    "iat": 1626766745,
    "nbf": 1626766745,
    "exp": 1626770645,
    "aio": "...",
    "groups": [ "..." ],
    "name": "Sample User",
    "nonce": "e5y6mv1gmb",
    "oid": "...",
    "preferred_username": "sample@...",
    "rh": "...",
    "sub": "...",
    "tid": "...",
    "uti": "...",
    "ver": "2.0"
  }
  ```

- Verify that all the required claims (`email`, `family_name`, `given_name`) are present in the `id_token`.
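The steps above can be scripted so that the same check is repeatable. The following is an added example (not code from Optimizely or the OIDC debugger) that builds the authorize URL with the settings listed above, produces the token-endpoint request body, decodes an `id_token` the way jwt.io does and reports any of the required claims that are absent. It assumes a constructed sample token whose signature segment is a placeholder, so it inspects the token but does not verify its signature; the `check_id_token` helper and the placeholder values are assumptions for illustration.

```python
import base64
import json
from urllib.parse import urlencode

REDIRECT_URI = "https://oidcdebugger.com/debug"          # must be registered with the OIDC provider
REQUIRED_CLAIMS = ("email", "family_name", "given_name")  # claims Opti ID requires in the id_token

def discovery_url(issuer_uri):
    """Location of the OIDC metadata document: <issuer-uri>/.well-known/openid-configuration."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"

def build_authorize_url(authorization_endpoint, client_id, nonce, state):
    """Same settings the debugger form sends: scope openid, response_type code, response_mode fragment."""
    params = {"client_id": client_id, "redirect_uri": REDIRECT_URI, "scope": "openid",
              "response_type": "code", "response_mode": "fragment", "nonce": nonce, "state": state}
    return authorization_endpoint + "?" + urlencode(params)

def token_request_body(code, client_id, client_secret):
    """application/x-www-form-urlencoded body of the POST to token_endpoint."""
    return urlencode({"grant_type": "authorization_code", "code": code, "client_id": client_id,
                      "client_secret": client_secret, "redirect_uri": REDIRECT_URI})

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_id_token(id_token):
    """Split a JWT into (header, claims) for inspection, as jwt.io does; the signature is NOT verified."""
    header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))

def check_id_token(id_token, expected_issuer, expected_nonce):
    """Return a list of problems; empty means all required claims are present and iss/nonce match."""
    _header, claims = decode_id_token(id_token)
    problems = [f"missing claim: {c}" for c in REQUIRED_CLAIMS if c not in claims]
    if claims.get("iss") != expected_issuer:
        problems.append(f"unexpected iss: {claims.get('iss')}")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the one sent in the authorize request")
    return problems
# Constructed sample id_token shaped like the page's example, with family_name deliberately left out;
# the signature segment is a placeholder, so it only exercises decoding and the claim check.
SAMPLE_CLAIMS = {"aud": "client-id-placeholder", "iss": "https://login.microsoftonline.com/<tenant>/v2.0",
                 "iat": 1626766745, "nbf": 1626766745, "exp": 1626770645, "name": "Sample User",
                 "nonce": "e5y6mv1gmb", "preferred_username": "sample@example.com",
                 "email": "sample@example.com", "given_name": "Sample", "ver": "2.0"}
SAMPLE_ID_TOKEN = ".".join([_b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
                            _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()), "signature-placeholder"])
```

Running `check_id_token(SAMPLE_ID_TOKEN, "https://login.microsoftonline.com/<tenant>/v2.0", "e5y6mv1gmb")` on the sample reports the missing `family_name` claim; with a real token from the response above, the list should be empty.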