Updated Jun 08, 2026. Created Jun 08, 2026.

OIDC Overview

Permiso uses OpenID Connect (OIDC) to connect your team to applications. If you've heard the term "SSO" (Single Sign-On), that's what this is: one login for all your tools.

This page explains how it works. If you're ready to connect an app, skip to Register an OIDC Client.

What is OpenID Connect?

OpenID Connect is an open standard for authentication built on top of OAuth 2.0. It's supported by thousands of applications: from GitHub and Notion to your own internal tools. When an app says it supports "SSO via OIDC" or "OAuth 2.0 login", it can connect to Permiso.

The short version of how it works:

  1. A user clicks "Log in" in an application
  2. The application redirects the user to Permiso
  3. Permiso authenticates the user (via passkey)
  4. Permiso redirects back to the application with a token
  5. The application uses that token to confirm who the user is

The user only ever enters their credentials on Permiso. The application never sees them.

What Permiso issues

After a successful login, Permiso issues a set of tokens to the application:

  • ID token: a signed JWT containing the user's identity information (name, email, groups, custom claims)
  • Access token: used by the application to call Permiso's userinfo endpoint
  • Refresh token: allows the application to get new tokens without the user logging in again

Discovery document

Every OIDC provider publishes a discovery document that applications use to auto-configure themselves. Permiso's is at:

https://[your-company].permisolabs.eu/.well-known/openid-configuration

Most OIDC libraries and applications accept this URL directly and handle the rest automatically.

Scopes and claims

When an application requests a login, it asks for specific scopes: sets of information about the user. Permiso supports the standard OIDC scopes:

Scope     What it includes
openid    The user's unique identifier (always required)
profile   Name, username, and profile picture
email     Email address and whether it's been verified
groups    The names of the groups the user belongs to

You can also add custom data to tokens using Custom Claims.
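
An application that loads the discovery document should sanity-check it before trusting the endpoints and signing keys it names. The following is an added example, not Permiso's code, covering the discovery document and the scopes listed above. The metadata field names are those defined by OpenID Connect Discovery 1.0; the tenant name `acme`, the endpoint paths and the "refuse alg none" policy are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Metadata that OpenID Connect Discovery 1.0 requires of a code-flow provider.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
             "userinfo_endpoint")


def check_discovery(expected_issuer, doc, wanted_scopes):
    """Return a list of problems; an empty list means the document is usable."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    # The issuer must match the configured URL exactly, or the client would be
    # trusting metadata (and signing keys) published by some other party.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in ENDPOINTS:
        url = doc.get(key)
        if url is not None and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    # Local policy (an assumption of this example): refuse unsigned ID tokens.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises alg 'none'")
    # scopes_supported is optional metadata, so only check it when published.
    supported = doc.get("scopes_supported")
    missing = sorted(set(wanted_scopes) - set(supported or wanted_scopes))
    if missing:
        problems.append(f"scopes not advertised: {missing}")
    return problems


# Constructed sample data: tenant name and endpoint paths are placeholders.
ISSUER = "https://acme.permisolabs.eu"
WANTED = ["openid", "profile", "email", "groups"]
GOOD = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": WANTED,
}
# Same document with four defects, one per check above.
BAD = dict(GOOD, issuer=ISSUER + "/", jwks_uri="http://acme.permisolabs.eu/jwks",
           id_token_signing_alg_values_supported=["RS256", "none"],
           scopes_supported=["openid", "profile", "email"])
```

Note that the issuer comparison is deliberately exact: the trailing slash in `BAD` is enough to fail it.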

Connecting an application

See Register an OIDC Client for a step-by-step guide to connecting an application.

For a list of Permiso's OIDC endpoints, see OIDC Endpoints.