OpenID Connect (OIDC)
WeWorks supports OpenID Connect as an optional authentication provider alongside email/password, OAuth, and SAML.
End-user login
- Go to the client login page
- Click the OIDC login option
- Authenticate with your identity provider
- You are redirected back to WeWorks with a session
First-time OIDC users may need an account linked by an administrator.
Admin configuration
Admins configure OIDC at Admin → Authentication:
- Select OIDC as the provider type
- Enter:
- Issuer — OIDC well-known configuration URL (e.g.
https://login.example.com/.well-known/openid-configuration) - Client ID
- Redirect URI — must match your IdP app registration (typically
https://client.yourdomain.com/auth/oidcor similar)
- Issuer — OIDC well-known configuration URL (e.g.
- Save the configuration
Requirements
- Client type must be PUBLIC at the identity provider (browser-based login flow)
- Redirect URI must exactly match what is registered with the IdP
- Issuer URL must expose standard OIDC discovery metadata
Removing OIDC
Admins can delete the OIDC configuration from the same authentication settings page. Users will then need to use email/password or another configured provider.
Troubleshooting
| Problem | Solution |
|---|---|
| Account not found | Ask an admin to create/link your WeWorks user to the OIDC subject |
| Redirect mismatch | Verify redirect URI in admin settings matches IdP registration |
| Login loop | Check API logs; ensure FRONTEND_URL and HTTPS proxy headers are correct |
| Invalid issuer | Use the full well-known URL; test it returns JSON metadata |
Related
- Reverse Proxy — HTTPS and subdomain setup
- Local Development — testing auth locally