Problem Statement
We need to establish a Single Sign-On (SSO) connection via OpenID Connect. However, the client information lacks the jwks_uri. Is it possible to create and use an OIDC connection without the jwks_uri parameter, or can it be disabled (ignored)?
Solution
Unfortunately, this is not possible. Currently, Auth0 follows a POST mechanism based on the client’s supported features. The “jwks_uri” parameter is essential for validating the signature on the JWT tokens. Given that your client does not have it, I assume your Identity Provider (IdP) customer might be using client_secret_basic. You can refer to the OIDC standards for more details: Draft: OpenID Connect Basic Client Implementer's Guide 1.0 - draft 44
The recommended approach for creating an OIDC connection in Auth0 is explained in this document: Connect to OpenID Connect Identity Provider
Your customer should provide you with an “Issuer URL.” Auth0 will use this URL to locate the OIDC configuration document. The “jwks_uri” parameter will then be populated directly into the created OIDC connection in Auth0. We suggest reaching out to your customer to determine if providing this URL is feasible.
There is also Auth0 documentation on creating OIDC connections using our Management API, which also requires the IdP Domain for the “jwks_uri”: Connect to OpenID Connect Identity Provider
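The following is an added illustration, not Auth0's code and not taken from the linked documents, of why the Issuer URL resolves the missing “jwks_uri” and why the parameter cannot simply be ignored: a relying party derives the discovery document location from the Issuer URL, reads jwks_uri out of that document, and later needs the published key set to find the key named in an ID token header before it can check the signature. The IdP name, the metadata document, the key set and the token header below are constructed placeholders; the RSA signature check itself is left to a JOSE library and is not performed here.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample provider metadata (the OIDC discovery document). Not a real IdP.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed metadata that lacks jwks_uri, mirroring the situation in the question.
SAMPLE_METADATA_NO_JWKS = json.dumps({
    "issuer": "https://idp.example.com",
    "token_endpoint": "https://idp.example.com/oauth/token",
})

# Constructed sample JWKS. The modulus values are placeholders, not usable RSA keys.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "key-2024-01", "use": "sig", "alg": "RS256",
         "n": "PLACEHOLDER_MODULUS_CURRENT", "e": "AQAB"},
        {"kty": "RSA", "kid": "key-2023-07", "use": "sig", "alg": "RS256",
         "n": "PLACEHOLDER_MODULUS_PREVIOUS", "e": "AQAB"},
    ]
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed ID token: only the header matters for key selection; payload and
# signature are placeholders, so this token would fail a real signature check.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(b'{"alg":"RS256","kid":"key-2024-01","typ":"JWT"}'),
    _b64url_encode(b'{"iss":"https://idp.example.com","sub":"user-1"}'),
    "placeholder-signature",
])


def discovery_url(issuer: str) -> str:
    """Location an RP fetches provider metadata from, given the IdP's Issuer URL."""
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or parsed.query or parsed.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    # OIDC Discovery appends the well-known path to the issuer (path component included).
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def extract_jwks_uri(metadata_json: str, expected_issuer: str) -> str:
    """Read jwks_uri from the discovery document, refusing documents that cannot be trusted."""
    meta = json.loads(metadata_json)
    # The issuer inside the document must match the one the document was fetched for.
    if meta.get("issuer") != expected_issuer.rstrip("/"):
        raise ValueError("issuer in metadata does not match the configured Issuer URL")
    jwks_uri = meta.get("jwks_uri")
    if not jwks_uri:
        raise ValueError("provider metadata has no jwks_uri; ID token signatures cannot be verified")
    if urlparse(jwks_uri).scheme != "https":
        raise ValueError("jwks_uri must be an https URL")
    return jwks_uri


def has_usable_jwks(metadata_json: str, expected_issuer: str) -> bool:
    """Convenience check: can an OIDC connection be completed from this metadata?"""
    try:
        extract_jwks_uri(metadata_json, expected_issuer)
        return True
    except ValueError:
        return False


def select_signing_key(id_token: str, jwks: dict) -> dict:
    """Pick the JWKS entry named by the token header; this is what jwks_uri is needed for."""
    header = json.loads(_b64url_decode(id_token.split(".")[0]))
    # Only accept the asymmetric algorithm the provider advertises; never trust
    # the header to switch to "none" or an HMAC algorithm.
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    kid = header.get("kid")
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "RSA" and key.get("use", "sig") == "sig":
            return key
    raise LookupError(f"no signing key with kid {kid!r} in JWKS")


if __name__ == "__main__":
    url = discovery_url("https://idp.example.com")
    jwks_uri = extract_jwks_uri(SAMPLE_METADATA, "https://idp.example.com")
    key = select_signing_key(SAMPLE_ID_TOKEN, SAMPLE_JWKS)
    print(url, jwks_uri, key["kid"])
```

In a live integration the metadata and JWKS would be fetched over HTTPS from the two URLs this code derives, and the selected key would be handed to a JOSE library together with the token; without a jwks_uri the relying party has no key set to hand over, which is the reason the connection cannot be completed.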