🔑 OIDC via FusionAuth

Platform

Solutions

Resources

Company

EN

Learn how to connect OIDC FusionAuth to tchop's user management and backend.

This how-to guide explains how to connect OIDC FusionAuth to tchop user management and backend. It covers creation of an OIDC connection, a key master, a tenant, a new application, and the required fields for the tchop side.

The guide also includes an example of a configuration file.

Creating OIDC connection

Create Key Master (optional, skip if you already have one)

Open Settings / Key Master
Click Generate RSA key pair
set Algorithm as RS256
set Issuer as tchop.io

Create Tenant (optional, skip if your user dataset already exist)

General Tab

JWT tab

Create new application

(optional) select previous created tenant (tchop.io)

Auth tab

set Client Authentication as Not required when using PKCE
set PKCE as Required
disable Generate refresh tokens
set URL validation as Allow wildcards
set Authorized redirect URLs
- Please add redirect URLs here based on the App package name (info to be provided by tchop)
set Enabled grants as Authorization Code only

JWT tab

enable The settings
set Access token signing key as tchop.io (select previous created keyset)
set Id token signing key as tchop.io (select previous created keyset)

Required fields for tchop side

Fields	Description	Example Value
jwksUri	value from `OAuth2 & OpenID Connect Integration details`/`JSON Web Key (JWK) Set` field of the Application details page, eg `https://<domain>/.well-known/jwks.json`	http://localhost:9011/.well-known/jwks.json
issuer	name of tenant which created before or `acme.com` if skipped creating one, value from `JWT`/`Issuer` field on the Application details page.	acme.com
algorithm	type from Master key section, eg RS258	RS256
audience	same as `issuer` field	acme.com
tokenEndpoint	value from `OAuth2 & OpenID Connect Integration details`/`Token endpoint` field of the Application details page, eg `https://<domain>/oauth2/token`	http://localhost:9011/oauth2/token
authorizationEndpoint	value from `OAuth2 & OpenID Connect Integration details`/`OAuth IdP login URL` field of the Application details page but without query params, eg `http://<domain>/oauth2/authorize`	http://localhost:9011/oauth2/authorize
userinfoEndpoint	value from `OAuth2 & OpenID Connect Integration details`/`Userinfo endpoint` field of the Application details page, eg `https://<domain>/oauth2/userinfo`	http://localhost:9011/oauth2/userinfo
clientId	Id of created application, value from `Fields`/`Id`, field of the Application details page, eg `8405c54f-3a95-4404-81cb-a0801d71e442`	19fe3351-1e6e-4eef-914d-c74e8ebcb010

Example of config

{
  "name": "any human readable name of client eg UNICEPTA FIFA",
  "jwksUri": "<http://localhost:9011/.well-known/jwks.json>",
  "issuer": "acme.com",
  "algorithm": "RS256",
  "authorizationEndpoint": "<http://localhost:9011/oauth2/authorize>",
  "audience": "acme.com",
  "tokenEndpoint": "<http://localhost:9011/oauth2/token>",
  "clientId": "19fe3351-1e6e-4eef-914d-c74e8ebcb010",
  "userinfoEndpoint": "<http://localhost:9011/oauth2/userinfo>"
}