ZITADEL OIDC Authentication Request Playground
The OIDC Playground is for testing OpenID Authentication Requests, giving you more insight how OpenID Connect works and how you can customize ZITADEL behavior with different parameters.
An OpenID Connect (OIDC) authentication request is an OAuth 2.0 Authorization Request using additional parameters and scopes to request that the end-user be authenticated by ZITADEL.
Your Domain
Required Parameters
Additional Parameters
Scopes
urn:zitadel:iam:org:id:your-organization-id
Scopes
Request additional information about the user with scopes. The claims will be returned on the userinfo_endpoint or in the token (when configured).Your authorization request
your-instance/oauth/v2/authorize?client_id=your-client-id&redirect_uri=your-redirect-uri&response_type=your-response-type&scope=your-scope&prompt=your-prompt
Try it outWhy this OIDC playground?β
Currently ZITADEL requires human users to authenticate trough the hosted login page. Your application should initiate a login by issuing an authentication request and redirecting the user to the login page. You can customize the behavior of ZITADEL by providing additional parameters and scopes in the request.
This playground should help you to initially craft an authentication request and to explore the behavior of ZITADEL in more depth.
Request parameters explainedβ
Not all request parameters are available in the playground. Please refer to the full documentation of the authorization endpoint.
Your Domainβ
The Instance Domain to your ZITADEL instance. Use the base-path, the playground will add the required path to the request.
Required Parametersβ
Client ID is the resource id of an application. It's the application where you want your users to login. You can find the resource id in the Console. When using organization grants, use the client id from the origin organization.
Redirect URI be one of the pre-configured redirect uris for your application. You must add the redirect uri for your application, else you will receive an error.
Response Type defines whether a code, id_token token or just id_token will be returned. Most use cases will need code.
More in the documentation about required Parameters.
Authentication methodsβ
Depending on the authentication and authorization flow of your application you might need to append some information to the authentication request.
Authentication method "(none) PKCE" is recommended for most application types. The playground appends automatically a code challenge for PKCE flows.
You need to append a "Code Challenge" by providing a random Code Verifier that is being hashed and encoded in the request to the token endpoint, please see our guide for more details.
More in the documentation about authentication methods.
Additional Parametersβ
Prompt defines if and how the user should be prompted on login. For example:
select_account
: user is prompted to select one of the existing sessions or create a new onecreate
: present the register formlogin
: requires the user to re-authenticatenone
: user must be authenticated without interaction, an error is returned otherwise; use for silent-refresh
Login hint must be a valid logon name of a user. You can skip the account picker by providing the Login hint.
There are many more additional parameters. Please refer to the documentation about additional parameters.
Standard Scopesβ
Used to request additional information from ZITADEL.
These scopes are defined in the OpenID Connect specification.
The openid
scope is mandatory.
Not all scopes are available in the playground. Please refer to the full documentation for the exhaustive list of available standard and reserved scopes.
Reserved Scopesβ
You can request additional information that is specific to ZITADEL or customize the behavior of ZITADEL by including reserved scopes. Please refer to the documentation for a full list of available reserved scopes.
Organization policies and brandingβ
Enforce an organization's policies and branding as well as membership of the user by passing the scope urn:zitadel:iam:org:id:{id}
with the required Organization ID.
Please refer to the full guide on branding.
Get user metadataβ
Pass the scope urn:zitadel:iam:user:metadata
to request a user's metadata.
Please refer to the full guide on user-metadata for further details.
Access core apisβ
Calling the core API with the authenticated user, requires that the projectID of ZITADEL is included in the audience claim.
This can be achieved by adding the scope urn:zitadel:iam:org:project:id:zitadel:aud
to your applications authorization request.
How to use ZITADEL in your projectβ
Please refer to our guide on how to login users.
OpenID Connect certified libraries should allow you to customize the parameters and define scopes for the authorization request. You can also continue by using one of our example applications.