Skip to main content

Overview

OpenID Connect (OIDC) is a widely adopted identity layer on top of OAuth 2.0. It standardizes how your application (the Relying Party, RP) verifies a user’s identity with an OpenID Provider (OP) and receives verified identity data in a secure and interoperable way. With Hopae Connect, your app integrates using standard OIDC discovery, authorization, token, and userinfo endpoints. That means you can use battle‑tested OIDC client libraries instead of building custom flows.

Issuer & Endpoints

Use the issuer for the environment you are targeting.
  • Production
  • Sandbox
  • Issuer: https://connect.hopae.com
  • Discovery: GET /.well-known/openid-configuration
  • Auth: GET /auth
  • Token: POST /token
  • UserInfo: GET /userinfo
  • JWKS: GET /.well-known/jwks.json

Why Use OIDC with Hopae Connect

  • Standards-based: Works with any OIDC-compliant client; no custom protocol.
  • Drop-in libraries: Use established OSS clients with built-in PKCE, token validation, discovery, and refresh logic.
  • Security best practices: PKCE for public clients, exact redirect_uri matching, signed JWTs, and JWKS-based key rotation.
  • Simple configuration: One issuer URL enables automatic discovery of all endpoints and capabilities.
  • Clear separation: Verification and OIDC endpoints live on connect.hopae.com (or sandbox), isolated from API resource servers for security and clarity.

How the Flow Works

  • Basic Flow
  • Advanced (with PKCE)
  • Send the user to Hopae Connect to start
  • User verifies identity with an eID and comes back with a code
  • Your app swaps the code for tokens, then requests user info
  • Create a session with the verified profile
Wondering what data you’ll get back? See the Return Data Model for normalized claims, assurance, issuers, presentation, and evidence.
Explore the Return Data Model →

Quick Start Examples

  • Node.js (openid-client)
  • Python (Authlib)
  • Go (go-oidc)
  • Java (Spring Security)
  • .NET (OpenIdConnect)
import { Issuer, generators } from 'openid-client'

const issuer = await Issuer.discover('https://sandbox.connect.hopae.com')
const client = new issuer.Client({
  client_id: process.env.CLIENT_ID!,
  client_secret: process.env.CLIENT_SECRET, // confidential clients only
  redirect_uris: ['https://your.app/callback'],
  response_types: ['code']
})

const codeVerifier = generators.codeVerifier()
const codeChallenge = generators.codeChallenge(codeVerifier)

// 1) Redirect user to authorization URL
const authUrl = client.authorizationUrl({
  scope: 'openid profile email',
  code_challenge: codeChallenge,
  code_challenge_method: 'S256'
})

// 2) After callback, exchange code for tokens
const params = client.callbackParams(request)
const tokenSet = await client.callback('https://your.app/callback', params, { code_verifier: codeVerifier })
const userinfo = await client.userinfo(tokenSet.access_token!)
Choose what fits your stack. All are OIDC‑compliant and widely used:

Next Steps

See Returned Data

Learn exactly which claims and fields you receive