OIDC/OAuth Flows with Identity Orchestration
Overview
LoginRadius Identity Orchestration (IO) can be integrated directly with OIDC/OAuth applications to enrich standard authentication flows. By passing a workflow parameter in the OIDC authorize URL, every login or registration request is routed through a fully configured IO workflow before an authorization code is issued.
This means you can layer advanced capabilities such as Multi-Factor Authentication, progressive profiling, custom claim injection, and risk-based checks on top of any OIDC/OAuth app without changing your application's core auth logic.
When to use this approach:
- You need MFA or step-up authentication inside an OIDC flow
- You want to inject custom claims into the ID token or access token
- You need to run conditional logic (consent prompts, account checks, profile enrichment) before issuing tokens
- You are building brand-specific or segment-specific authentication journeys for an OIDC app
When to use standard OIDC without IO:
If your use case is straightforward authentication with no additional steps or customizations, refer to the Authorization Code Flow documentation.
Prerequisites
Before getting started, ensure you have:
- An OIDC or OAuth application configured in the LoginRadius Admin Console. For setup instructions, refer to the Authorization Code Flow documentation.
- An IO workflow built and deployed. Refer to the IO Workflow Guide for step-by-step instructions.
- (Optional) A Script node in your IO workflow if you need to inject custom claims. Refer to the IO Script documentation and the Custom Claim documentation.
- (Optional) A Style configured in Auth Studio if you want branded workflow pages. Refer to the Theme Customization Guide.
Configuration Steps
Step 1: Create or Select an OIDC/OAuth Application
- Navigate to Admin Console > Applications or the OAuth apps section.
- Create a new application or select an existing one.
- Note the Client ID; you will need it in the authorize URL.
For detailed OIDC app configuration, see the Authorization Code Flow documentation.
Step 2: Build and Deploy the IO Workflow
- Navigate to Admin Console > Orchestration > Workflows.
- Create a new workflow (from a template or from scratch).
- Design the workflow in the drag-and-drop editor: add an Auth node, any additional verification or profiling nodes, and a Success node.
- Note the Workflow Name; you will pass it as the workflow query parameter.
- Click Update to deploy the workflow.
For a full walkthrough of the Workflow Builder and available nodes, see the IO Workflow Guide and IO Nodes.
Step 3 (Optional): Attach a Script Node for Custom Claims
If you need custom claims in the ID token or access token:
- In the Workflow Builder, drag a Script node from the Helper Nodes section and connect it after the Auth node.
- Write a script that calls hook.accessToken.setCustomClaim() and/or hook.idToken.setCustomClaim() to inject the desired claims.
- Save and redeploy the workflow.
For script examples and API reference, see the IO Script documentation and Custom Claim documentation.
How It Works
When a user initiates login, the flow proceeds as follows:
- Authorize request - Your application redirects the user to the LoginRadius OIDC authorize endpoint with the workflow query parameter set to your IO workflow name, together with a freshly generated state and nonce that it stores in the user's session.
- IO workflow executes - LoginRadius routes the request through the specified IO workflow, which runs its nodes (Auth, MFA, Script, etc.) in sequence.
- Authorization code issued - Once the workflow completes successfully, LoginRadius issues an authorization code and redirects to your redirect_uri. Your application must check that the returned state matches the stored one before accepting the code.
- Token exchange - Your application exchanges the authorization code at the token endpoint for an access token, ID token, and refresh token, and verifies that the ID token's nonce claim matches the nonce it sent.
- Custom claims included - If a Script node was used in the workflow, the custom claims are present in the returned tokens.
URL Format & Query Parameters
Use the following URL format to initiate an OIDC authorization request with an IO workflow:
https://<siteurl>/service/oidc/{oidcAppName}/authorize?client_id=<OIDC Client ID>&redirect_uri=<Callback URL>&scope=openid&response_type=code&state=<random string>&nonce=<unique nonce>&workflow=<workflowName>&s=<styleName>&debugMode=<true|false>
| Parameter | Required | Description |
|---|---|---|
| client_id | Yes | The Client ID of the OIDC/OAuth application. |
| redirect_uri | Yes | The URL LoginRadius redirects to after authentication. Must exactly match a redirect URI whitelisted for the application. |
| scope | Yes | Must include openid. Additional scopes (e.g., email profile) can be added. |
| response_type | Yes | Set to code for Authorization Code Flow. |
| state | Yes | An unguessable random value bound to the user's session, used for CSRF protection. Verify it matches on the callback before using the authorization code. |
| nonce | Yes | A unique per-request value to prevent replay. Verify the nonce claim in the returned ID token matches the value sent. |
| workflow | Yes (for IO) | The name of the IO workflow to execute. Found in Admin Console > Orchestration > Workflows. |
| s | No | The style name from Auth Studio. Controls the branding/theme of the workflow pages. |
| debugMode | No | Set to true to enable debug logging during workflow execution. Useful during development; leave it unset in production. |
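The following is an added example of the relying-party side of the flow described under How It Works and in the URL format above; it is not LoginRadius code. It builds the authorize URL from the documented format, then validates the callback (state check) and the claims of an already signature-verified ID token (nonce, issuer, audience, expiry). The session is assumed to be a plain dict standing in for the application's server-side session, and the token endpoint exchange and JWT signature verification are left to an OIDC library because the page does not specify those endpoints. The issuer value and claim names apart from nonce, iss, aud and exp are assumptions.

```python
"""Relying-party helpers for the IO + OIDC authorization code flow.

Added example (not LoginRadius code). Assumes: `session` is a dict standing in
for a server-side session; ID token signature verification against the
provider's JWKS is done elsewhere before check_id_token_claims() is called.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


def query_params(url):
    """Return the query string of `url` as a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_authorize_url(site_url, oidc_app_name, client_id, redirect_uri, workflow,
                        session, scopes=("openid",), style=None, debug_mode=False):
    """Build the authorize URL in the documented format and stash state/nonce.

    state and nonce are generated with a CSPRNG and stored in the session so the
    callback and the ID token can be bound to this particular request.
    """
    if "openid" not in scopes:
        raise ValueError("scope must include openid")
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "response_type": "code",
        "state": state,
        "nonce": nonce,
        "workflow": workflow,   # routes the request through the IO workflow
    }
    if style:
        params["s"] = style
    if debug_mode:              # development only; never set in production
        params["debugMode"] = "true"
    return f"https://{site_url}/service/oidc/{oidc_app_name}/authorize?{urlencode(params)}"


def handle_callback(callback_url, session):
    """Validate the redirect back to redirect_uri and return the authorization code.

    Rejects a missing or mismatched state (login CSRF) and pops the stored state
    so the same callback cannot be replayed against this session.
    """
    query = query_params(callback_url)
    expected = session.pop("oidc_state", None)
    received = query.get("state")
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error']}")
    code = query.get("code")
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def check_id_token_claims(claims, session, client_id, issuer, now=None):
    """Check the claims of a signature-verified ID token after the token exchange.

    Binds the token to the request via nonce, and checks iss, aud and exp.
    Returns the claims dict (including any custom claims injected by a Script
    node) so the caller can read them; raises ValueError on any failure.
    """
    now = time.time() if now is None else now
    expected_nonce = session.pop("oidc_nonce", None)
    if expected_nonce is None or not secrets.compare_digest(expected_nonce, str(claims.get("nonce", ""))):
        raise ValueError("nonce mismatch: ID token does not belong to this request")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("ID token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("ID token expired")
    return claims
```

In a web framework the session dict maps to the framework's server-side session; the important property is that state and nonce are generated per request, stored server-side, compared with a constant-time comparison, and consumed on first use so that a captured callback cannot be replayed.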
Use Cases
Standard Login or Registration via IO + OIDC
Build a Login or Registration workflow in the IO Workflow Builder and pass its name as workflow=<workflowName> in the authorize URL. The workflow handles the complete authentication journey - the OIDC layer issues tokens only after the workflow succeeds.
This is ideal when you need more control over the login screen UI (via Auth Studio styles), want to add intermediate steps like consent prompts, or need to support multiple login methods (password, social, passwordless) under a single OIDC app.
Custom Claims Injection
Use a Script node in your IO workflow to inject business-specific data into the ID token or access token. For example, inject a user's role, subscription tier, or tenant ID as a custom claim.
For full setup instructions and script examples, see the Custom Claim documentation.
Multi-Factor Authentication Within OIDC Flow
Add MFA to your OIDC app by building an MFA workflow in IO. The workflow can enforce step-up authentication (e.g., Email OTP, Authenticator app) before issuing the authorization code.
For a reference MFA workflow pattern, see the IO Workflow Guide - MFA section.
Progressive Profiling
Collect additional profile information from users at login time by adding a Form or Webpage node in the IO workflow. The user is shown a profile enrichment form before authentication completes. The collected data can be stored via a Store Custom Object node or processed via a Script node.