Overview

OpenID Connect (OIDC) is a widely adopted identity layer on top of OAuth 2.0. It standardizes how your application (the Relying Party, RP) delegates user authentication to an OpenID Provider (OP) and receives verified identity claims in a secure, interoperable way. Hopae Connect is the OP: your app integrates through the standard OIDC discovery, authorization, token and userinfo endpoints, so you can use battle‑tested OIDC client libraries instead of building custom flows.

Issuer & Endpoints

Use the issuer for the environment you are targeting (production or sandbox). The endpoint paths below are shown relative to the issuer; the discovery document publishes their absolute URLs, so a client library only needs the issuer URL.
  • Issuer (production): https://connect.hopae.com
  • Issuer (sandbox): https://sandbox.connect.hopae.com
  • Discovery: GET /.well-known/openid-configuration
  • Auth: GET /auth
  • Token: POST /token
  • UserInfo: GET /userinfo
  • JWKS: GET /.well-known/jwks.json

Why Use OIDC with Hopae Connect

  • Standards-based: Works with any OIDC-compliant client; no custom protocol.
  • Drop-in libraries: Use established OSS clients with built-in PKCE, token validation, discovery, and refresh logic.
  • Security best practices: PKCE for public clients, exact redirect_uri matching, signed JWTs, and JWKS-based key rotation.
  • Simple configuration: One issuer URL enables automatic discovery of all endpoints and capabilities.
  • Clear separation: Verification and OIDC endpoints live on connect.hopae.com (or sandbox), isolated from API resource servers for security and clarity.

How the Flow Works

  • Your app redirects the user to the Hopae Connect authorization endpoint with a PKCE code_challenge, a state value and a nonce
  • The user verifies their identity with an eID and is redirected back to your registered redirect_uri with an authorization code (and the state you sent; reject the callback if it does not match)
  • Your app exchanges the code at the token endpoint, sending the matching code_verifier, and validates the returned ID token (signature against the JWKS, iss, aud, exp, nonce) before requesting user info
  • Create a session with the verified profile; the validated ID token, not the code or the access token, is the proof of identity
For SPAs and native apps, use PKCE (S256) and do not embed client secrets in the client: a secret shipped in browser or app code is public.

Quick Start Examples

import { Issuer, generators } from 'openid-client'

// Discover all endpoints and keys from the issuer (use https://connect.hopae.com for production)
const issuer = await Issuer.discover('https://sandbox.connect.hopae.com')
const client = new issuer.Client({
  client_id: process.env.CLIENT_ID!,
  client_secret: process.env.CLIENT_SECRET, // confidential clients only; omit for SPAs and native apps
  redirect_uris: ['https://your.app/callback'],
  response_types: ['code']
})

// Per-login values. Store all three server-side (session) before redirecting;
// they are needed again at the callback and must never be guessable or reused.
const codeVerifier = generators.codeVerifier()
const codeChallenge = generators.codeChallenge(codeVerifier) // S256
const state = generators.state() // binds the callback to this login attempt (CSRF protection)
const nonce = generators.nonce() // echoed back inside the ID token (replay protection)

// 1) Redirect user to authorization URL
const authUrl = client.authorizationUrl({
  scope: 'openid profile email',
  code_challenge: codeChallenge,
  code_challenge_method: 'S256',
  state,
  nonce
})

// 2) After callback, exchange code for tokens. `request` is the incoming HTTP
// request to /callback. callback() checks state and nonce, sends the code_verifier,
// and validates the ID token (JWKS signature, iss, aud, exp); it throws on any mismatch.
const params = client.callbackParams(request)
const tokenSet = await client.callback('https://your.app/callback', params, {
  code_verifier: codeVerifier,
  state,
  nonce
})
const claims = tokenSet.claims() // validated ID token claims (sub, etc.); use these for the session
const userinfo = await client.userinfo(tokenSet.access_token!)
Choose the client library that fits your stack; any widely used, OIDC‑compliant library supports the same discovery, PKCE, callback validation and userinfo steps shown above.

Next Steps