Register an OIDC Client
An OIDC client is how you connect an application to Permiso so your team can log into it using SSO. Any app that supports OAuth 2.0 / OpenID Connect (including most modern SaaS tools, internal apps, and developer tools) can be registered here.
Before you start
You'll need:
- Admin access to your Permiso instance
- The redirect URI (also called callback URL) of the application you're connecting
The redirect URI is the address the app sends users back to after they've logged in through Permiso. You'll find it in the application's SSO or authentication settings. It usually looks something like https://app.example.com/auth/callback.
Step 1: Open the OIDC Clients page
Go to Settings → Administration → OIDC Clients and click New Client.
Step 2: Fill in the client details
| Field | Description |
|---|---|
| Name | A label shown on the consent screen and in audit logs. Use something recognisable, like the app's name. |
| Callback URLs | One or more redirect URIs the app will send users to after login. These must match exactly, including the protocol and path. |
| Logout Callback URLs | Where to redirect users after they log out through Permiso (optional; not all apps need this). |
| Launch URL | A direct link to the app, shown in the user's connected apps list so they can open it with one click (optional). |
Step 3: Choose the client type
This is the one setting that trips people up, but it's straightforward once you know the difference.
Confidential client (the default) is for server-side applications that have a backend. Your app will receive a client secret that it uses when exchanging login codes for tokens. Because there's a server involved, the secret can be stored securely.
Public client suits single-page apps (SPAs) and mobile apps that run entirely in the browser or on a user's device, where a secret can't be stored safely. If you're connecting a React or Vue app, or a native mobile app, choose this. Enable PKCE alongside it: with no client secret, PKCE is what ties the authorization code to the app instance that requested it.
Tip: If you're not sure which type your app is, check its documentation or SSO setup guide. Most apps will tell you whether they need a client secret.
Step 4: Save and copy credentials
Click Save. You'll see the Client ID and, for confidential clients, the Client Secret.
Copy both values now. The client secret is only shown once. If you lose it, you'll need to regenerate it.
Step 5: Configure your application
In your application's SSO settings, point it at Permiso. Most OIDC-compatible apps just need a discovery URL:
https://[your-company].permisolabs.eu/.well-known/openid-configuration
Enter that URL and the app will auto-configure the rest. You'll also need to enter:
| Setting | Value |
|---|---|
| Issuer / Discovery URL | https://[your-company].permisolabs.eu |
| Client ID | Copied from step 4 |
| Client Secret | Copied from step 4 (confidential clients only) |
| Redirect URI | Must exactly match what you entered in step 2 |
Restrict access to specific groups
By default, any active Permiso user can log into the connected app. If you want to limit access to specific teams or roles, open the client and enable Restrict to user groups, then select which groups are allowed.
Users not in an allowed group will be denied at the Permiso consent screen, even if their account is active.
Additional options
| Option | What it does |
|---|---|
| Requires reauthentication | Users must actively re-authenticate for each session instead of being silently signed in. Useful for sensitive internal tools where you want to ensure the person at the keyboard is really them. |
| PKCE | Adds an extra verification step to the authorization code flow. Always enable this for public clients. |
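The following is an added worked example, not Permiso's code, that ties together steps 2 to 5 and the PKCE option above from the application's side: it checks that the discovery document really belongs to the issuer it was fetched from, applies the exact-match rule for Callback URLs, generates a PKCE verifier/challenge pair for the authorization request, and shows the check the token endpoint performs when the code is exchanged. The tenant host, the endpoint paths in the discovery document and the client ID are placeholders; the discovery document itself is constructed inline so the example runs offline.

```python
"""Client-side helpers for an OIDC integration (example code, not Permiso's own).
Assumptions: tenant host is a placeholder, the discovery document below is a
constructed stand-in, and endpoint paths are illustrative."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder for https://[your-company].permisolabs.eu
ISSUER = "https://your-company.permisolabs.eu"
DISCOVERY_URL = ISSUER + "/.well-known/openid-configuration"

# Constructed stand-in for what the discovery URL would return.
# Only the fields this example reads are included; paths are assumptions.
DISCOVERY_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth/authorize",
    "token_endpoint": ISSUER + "/oauth/token",
    "code_challenge_methods_supported": ["S256"],
}

WELL_KNOWN = "/.well-known/openid-configuration"


def check_discovery(doc: dict, discovery_url: str) -> str:
    """Return the issuer if the document belongs to the URL it was fetched from.
    The issuer must equal the discovery URL minus the well-known suffix; a
    mismatch means the metadata describes a different (or spoofed) tenant."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("not a discovery URL")
    expected = discovery_url[: -len(WELL_KNOWN)]
    if doc.get("issuer") != expected:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected!r}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise S256 PKCE")
    return expected


def redirect_uri_registered(requested: str, registered: list[str]) -> bool:
    """Exact string comparison, as the Callback URLs field requires: no
    trailing-slash, scheme, host-case or query normalisation."""
    return requested in registered


def make_pkce_pair() -> tuple[str, str]:
    """code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(doc: dict, client_id: str, redirect_uri: str,
                            registered_uris: list[str], state: str,
                            code_challenge: str) -> str:
    """Authorization request for the code flow with PKCE. Refuses to send a
    redirect_uri that is not one of the registered Callback URLs."""
    if not redirect_uri_registered(redirect_uri, registered_uris):
        raise ValueError("redirect_uri is not one of the registered Callback URLs")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does at code exchange: recompute S256 over the
    presented verifier and compare it to the challenge stored with the code."""
    digest = hashlib.sha256(presented_verifier.encode("ascii")).digest()
    recomputed = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return secrets.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    check_discovery(DISCOVERY_DOC, DISCOVERY_URL)
    registered = ["https://app.example.com/auth/callback"]
    verifier, challenge = make_pkce_pair()
    url = build_authorization_url(DISCOVERY_DOC, "client-id-from-step-4",
                                  registered[0], registered, secrets.token_urlsafe(16),
                                  challenge)
    print(url)
    print("PKCE verifier accepted:", verify_pkce(challenge, verifier))
```

The redirect URI check is deliberately a plain string comparison: `https://app.example.com/auth/callback/` and `http://app.example.com/auth/callback` are both rejected against a registration of `https://app.example.com/auth/callback`, which is the exact-match behaviour the Callback URLs field describes. The verifier is kept in the app's session and never leaves it until the code exchange, so the challenge in the browser-visible URL is of no use to anyone who only sees the redirect.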