How it works

OpenID Connect (OIDC) is an identity protocol that builds on the authentication and authorization components of OAuth 2.0 and is widely adopted by identity providers. Its purpose is to give users a single login for multiple sites. OIDC can be used by all sorts of client applications, including SPAs, native apps and mobile apps.

Each time you need to log in to a website using OIDC, you are redirected to your OIDC-compliant provider, where you log in, and are then taken back to the website. For example, if you chose to sign in to PayPal using your Google account, you used OIDC. Once you successfully authenticate with Google and authorize PayPal to access your information, Google sends information back to PayPal about the user and the authentication performed. This information is returned as a JWT: you receive an access token and, if requested, an ID token. The same flow works with Passage as the provider.

The identity provider (e.g. Passage) determines the authentication methods available to users, so we can support any number of options including device biometrics, Magic Links, and one-time codes. OIDC defines how identity providers and applications interact to establish end user authentication.

Login flow

User initiated authentication action

When a user initiates an authentication action, the client application redirects the user to the Passage hosted login page. Your application will need to provide the user with a link or button to access the hosted login page.

User authenticated by Passage

The user will be navigated to a hosted login page provided by Passage. Passage acts as the OIDC identity provider and authenticates the user based on the settings configured in Passage (e.g. passkeys, one-time codes). After the user successfully authenticates, Passage sends the user back to the client application with an ID token and an access token.

User redirected back to client application

Upon successful authentication, Passage generates an ID Token and an Access Token as JSON Web Tokens (JWTs). The ID Token carries the essential identity claims about the user and is signed by Passage, so the client application can verify that it is authentic and has not been altered.

Using the Allowed callback URLs configured in the Passage Console, Passage will redirect your user back to your client application.
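The three steps above seen from the client application's side, as an added example that is not Passage's own code or SDK: it builds the redirect to the hosted login page (with state, nonce and PKCE), validates the callback that brings the user back, and checks the claims in the returned ID token. The authorization endpoint, client id, callback URL and token contents are constructed placeholders. Signature verification against the provider's published JWKS is left to a JOSE library and is not shown; only the claim checks that every relying party must make are implemented here.

```python
# Added example (not Passage's own code): the relying-party side of the OIDC
# login flow, authorization-code flow with PKCE. All URLs, ids and claim
# values are constructed placeholders.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by JWT segments and PKCE challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(authorization_endpoint, client_id, redirect_uri,
                                *, state=None, nonce=None, code_verifier=None):
    """Step 1: build the redirect to the provider's hosted login page.

    state binds the callback to this browser session (CSRF protection), nonce
    binds the returned ID token to this request, and the PKCE challenge binds
    the later code exchange to the client that started the flow. The keyword
    arguments exist only so tests are reproducible; normally leave them None.
    """
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    code_verifier = code_verifier or secrets.token_urlsafe(64)
    code_challenge = b64url_encode(hashlib.sha256(code_verifier.encode("ascii")).digest())
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match an allowed callback URL
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    # state, nonce and code_verifier must be kept server-side (or in an
    # HttpOnly session cookie) until the callback arrives.
    return {"url": f"{authorization_endpoint}?{urlencode(params)}",
            "state": state, "nonce": nonce, "code_verifier": code_verifier}


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 3: validate the redirect back to the client and extract the code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError("authorization code missing from callback")
    return query["code"][0]


def decode_jwt_claims(token: str) -> dict:
    """Split a compact JWT and return its payload WITHOUT checking the signature.

    Verify the signature against the provider's JWKS (RS256/ES256) with a JOSE
    library before trusting anything returned here.
    """
    try:
        _header, payload, _signature = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWT") from None
    return json.loads(b64url_decode(payload))


def validate_id_token_claims(claims: dict, *, issuer: str, client_id: str,
                             expected_nonce: str, now=None, leeway=60) -> str:
    """Claim checks every relying party must make on an ID token; returns sub."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in audiences:
        raise ValueError("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp does not name this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] + leeway < now:
        raise ValueError("token expired or missing exp")
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not hmac.compare_digest(nonce, expected_nonce):
        raise ValueError("nonce mismatch: token was not issued for this request")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims["sub"]


def make_sample_id_token(claims: dict) -> str:
    """Constructed demo token with a placeholder signature, only for exercising
    the parsing and claim checks above; never accept such a token in production."""
    header = b64url_encode(json.dumps({"alg": "demo-unsigned", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"
```

The state check uses a constant-time comparison and rejects a callback whose state does not match the one stored for the session, which is what stops a login CSRF or a mixed-up-session attack; the nonce check does the same for the ID token itself, and the issuer and audience checks make sure a token minted for a different client or provider is never accepted.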

Additional resources

OpenID Connect Official Website

Certified OIDC Packages