Use this method if: Users arrive at Nudj directly (not already authenticated) and initiate a login from the Nudj login page. If users are already authenticated elsewhere, use API Link User Token Authentication instead.
Quick Start
- Add OIDC configuration in Nudj: Go to Organisation Settings → Authentication and enter your provider details
- Whitelist Nudj’s redirect URI: Add the callback URL to your OAuth provider’s configuration
- Test the flow: Log in via your provider and verify the integration works
Determine the Authentication Method
Use OAuth 2.0 / OIDC if:
- Users will arrive at Nudj not authenticated
- You want to follow industry-standard authentication flows
- Users may access multiple services and need centralized authentication
Add Your OIDC Configuration in Nudj
Navigate to your Nudj admin panel at https://your-domain/admin:
- Go to Organisation Settings → Authentication
- Create a new OIDC configuration with these details:
- clientId: Your OAuth provider’s Client ID
- clientSecret: Your OAuth provider’s Client Secret
- issuer: The OIDC base URL (discovery endpoint) from your provider. Used for token verification.
Required Scopes
Configure these scopes in your provider:
- openid (required)
- profile (required)
- email (required)
- offline_access (optional, for refresh tokens)
oidcConfig.id for your environment. You’ll need this for the next step.
Whitelist Nudj’s Redirect URI
After creating the OIDC configuration in Nudj, you’ll have a callback URL. Add this exact URL to your OAuth provider’s redirect URI whitelist (no trailing slash):
- ${rootDomain} = Your Nudj domain (found in Organisation Settings → Domains)
- ${oidcConfig.id} = The ID generated when you created the OIDC config
Example
If your domain is loyalty.mycompany.com and your oidcConfig.id is abc123def456, the redirect URI would be:
Testing the Integration
- Confirm your OAuth provider lists the Nudj redirect URI correctly
- Verify all required scopes are enabled in your provider
- Log out of Nudj (if currently logged in)
- On the Nudj login page, click “Log in with [Your Provider Name]”
- Complete authentication with your provider
- Verify you’re redirected back to Nudj and fully authenticated
Troubleshooting
Users can't see the OAuth option at login
Make sure the OIDC configuration is saved in Nudj and enabled. It may take a few minutes to appear on the login page after enabling.
Redirect URI mismatch error
The redirect URI in your OAuth provider must match exactly what Nudj generated. Check for:
- Trailing slashes (Nudj doesn’t use them)
- Correct domain
- Correct oidcConfig.id
'Invalid scope' or scope errors
Ensure your OAuth provider has the required scopes (openid, profile, email) enabled. Check your provider’s documentation if you’re unsure how to enable additional scopes.
Token validation errors
Verify that the issuer URL you provided in Nudj matches your OAuth provider’s OIDC discovery endpoint. This is used to validate tokens. If the issuer is wrong, token verification will fail.
Common OAuth Providers
| Provider | Issuer URL Format | Setup Docs |
|---|---|---|
| Auth0 | https://your-domain.auth0.com | https://auth0.com/docs/get-started |
| Okta | https://your-domain.okta.com | https://developer.okta.com/docs/guides/implement-oauth-for-okta/ |
| Azure AD | https://login.microsoftonline.com/{tenant}/v2.0 | https://docs.microsoft.com/en-us/azure/active-directory/ |
| Keycloak | https://your-keycloak-domain/realms/your-realm | https://www.keycloak.org/docs |
| Custom OIDC | Check your provider’s documentation | See your provider’s OIDC configuration |
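
The issuer, scope and redirect URI checks from the Troubleshooting section can be scripted as a preflight before testing the login flow. The Python below is an added example, not Nudj's code: the function names, the sample discovery document and the callback path are assumptions (the path is a placeholder for the URL Nudj generates), and the discovery document is the JSON your provider serves at `<issuer>/.well-known/openid-configuration`.

```python
import json
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "profile", "email"}  # required scopes listed on this page

def check_provider(configured_issuer, discovery_doc):
    """Compare the issuer saved in Nudj with the provider's discovery document."""
    problems = []
    advertised = discovery_doc.get("issuer", "")
    if configured_issuer != advertised:  # OIDC Discovery requires an exact string match
        if configured_issuer.rstrip("/") == advertised.rstrip("/"):
            problems.append("issuer differs only by a trailing slash")
        else:
            problems.append(f"issuer mismatch: provider advertises {advertised}")
    # scopes_supported is optional in discovery metadata; only check it when present
    if "scopes_supported" in discovery_doc:
        missing = REQUIRED_SCOPES - set(discovery_doc["scopes_supported"])
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems

def check_redirect_uri(expected, registered):
    """Explain why the URL Nudj generated is not matched by the provider's list."""
    if expected in registered:
        return []
    want, problems = urlsplit(expected), []
    for uri in registered:
        got = urlsplit(uri)
        if uri.rstrip("/") == expected.rstrip("/"):
            problems.append(f"{uri}: trailing slash")
        elif got.netloc.lower() != want.netloc.lower():
            problems.append(f"{uri}: domain differs")
        elif got.path != want.path:
            problems.append(f"{uri}: path differs (check oidcConfig.id)")
    return problems or ["redirect URI is not registered"]

# Constructed sample data: a discovery document and a placeholder callback path
# (assumptions for illustration; use the values from your provider and from Nudj).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com/realms/demo",
  "scopes_supported": ["openid", "profile", "offline_access"]
}""")
EXPECTED_URI = "https://loyalty.mycompany.com/PLACEHOLDER-CALLBACK-PATH/abc123def456"

if __name__ == "__main__":
    print(check_provider("https://idp.example.com/realms/demo/", SAMPLE_DISCOVERY))
    print(check_redirect_uri(EXPECTED_URI, [EXPECTED_URI + "/"]))
```

An empty list from either function means that check passed; a provider that omits `scopes_supported` cannot be checked this way and needs its scopes confirmed in the provider's own console.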

