Passwordless Login
The Passwordless Login extension enables organisations to offer passwordless login using digital credentials presented from an EUDI Wallet. It integrates seamlessly with existing OpenID Connect (OIDC) identity management systems.
How it works
- The organisation enables the Passwordless Login extension from the dashboard.
- An administrator creates one or more OIDC clients, each configured with a presentation definition, redirect URIs, and a callback endpoint.
- When a user initiates login, they are redirected to the OIDC authorization endpoint.
- The user presents the requested credential from their EUDI Wallet.
- The system verifies the credential and calls the configured callback URI with the presentation data.
- The callback endpoint returns the `sub` (subject identifier) claim to match the user in the Identity Provider (IdP).
- The user is redirected back to the application with an authorization code, completing the login flow.
OIDC discovery endpoints
Once the extension is enabled, the following OpenID Connect endpoints are available:
| Endpoint | Description |
|---|---|
| Well-Known OIDC (/.well-known/openid-configuration) | OIDC discovery document |
| Well-Known JWKS (/.well-known/jwks.json) | OIDC JWKS document |
| Authorization Endpoint | Redirects users to present credentials from their wallet |
| Token Endpoint | Secure server-to-server token exchange |
| User Info Endpoint | Returns authenticated user profile information |
OIDC client configuration
Each OIDC client connects to your Identity Provider and defines how credential-based login is handled.
Client fields
| Field | Required | Description |
|---|---|---|
| Client Name | Yes | A descriptive name for the client |
| Presentation Definition | Yes | Select which credentials to verify during login |
| Action | No | Free-text action value embedded in transaction data; used by the EUDI Wallet to render custom UI during the presentation request |
| Redirect URIs | No | URLs where users are redirected after login |
| Web Origins | No | Allowed CORS origins for browser-based flows |
| Callback URI | Yes | HTTPS endpoint that receives the credential presentation |
| Callback Secret | Yes | HMAC-SHA256 secret used to sign callback payloads |
Transaction data and action field
If the chosen presentation definition supports transaction data, the Action field can be used to pass a free-text value (e.g., "Login to your online bank account") that is included in the transaction data sent to the EUDI Wallet. The wallet may use this value to display a custom UI to the user during the credential presentation (for example, showing a contextual message about what the login is for).
Callback endpoint requirements
The configured Callback URI must:
- Accept `POST` requests with a JSON body containing the credential presentation payload.
- Verify the `X-iGrant-Signature` HMAC-SHA256 header to authenticate the request. See Webhook Security for details on how to decode and verify the signature.
- Return a JSON response containing the `sub` (subject identifier) claim that maps the presented credential to a user in your IdP. This allows you to decide which field from the presentation (e.g., `email`) to use as the user identifier.
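A minimal callback handler, added here as an illustration and not part of the extension's own code, covering the three requirements above: it recomputes the HMAC-SHA256 over the raw request body, compares it in constant time, and returns the `sub` claim chosen from the presented claims. It assumes the header carries a hex digest and that disclosed claims sit under a `claims` key; both are assumptions (consult Webhook Security for the real encoding and payload schema), as is the constructed sample request.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Hypothetical secret; in production load the client's Callback Secret from a secrets store.
CALLBACK_SECRET = b"example-callback-secret"


def sign(raw_body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the raw bytes as received; never re-serialise the JSON first.
    Assumption: the signature is transported as a lowercase hex digest."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, signature_header: str, secret: bytes) -> bool:
    """Constant-time comparison so the check does not leak timing information."""
    return hmac.compare_digest(sign(raw_body, secret), signature_header or "")


def extract_subject(presentation: dict, field: str = "email") -> Optional[str]:
    """Pick the identifier the IdP will match on.
    Assumption: disclosed claims are exposed under a top-level "claims" object."""
    value = presentation.get("claims", {}).get(field)
    return value if isinstance(value, str) and value else None


def handle_callback(raw_body: bytes, headers: Dict[str, str]) -> Tuple[int, dict]:
    """Framework-agnostic handler returning (HTTP status, JSON response body)."""
    if not verify_signature(raw_body, headers.get("X-iGrant-Signature", ""), CALLBACK_SECRET):
        return 401, {"error": "invalid signature"}   # reject before parsing anything
    try:
        presentation = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    sub = extract_subject(presentation)
    if sub is None:
        return 422, {"error": "no usable subject claim"}
    return 200, {"sub": sub}


# Constructed sample request: a presentation disclosing an email address.
SAMPLE_BODY = json.dumps({"claims": {"email": "alice@example.org", "given_name": "Alice"}}).encode()
SAMPLE_HEADERS = {"X-iGrant-Signature": sign(SAMPLE_BODY, CALLBACK_SECRET)}

if __name__ == "__main__":
    print(handle_callback(SAMPLE_BODY, SAMPLE_HEADERS))  # (200, {'sub': 'alice@example.org'})
```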
Client management
From the dashboard, administrators can:
- Create new OIDC clients
- View and copy client credentials (Client ID and Client Secret)
- Edit client configuration
- Delete clients (with confirmation)
- View the associated presentation definition
API endpoints:
- `GET /v3/config/extension/oidc/clients` - List all OIDC clients
- `POST /v3/config/extension/oidc/client` - Create a new client
- `PUT /v3/config/extension/oidc/client/{clientId}` - Update a client
- `DELETE /v3/config/extension/oidc/client/{clientId}` - Delete a client
- `GET /v3/service/extension/oidc/{organisationId}/.well-known/openid-configuration` - OIDC discovery
- `GET /v3/service/extension/oidc/{organisationId}/.well-known/jwks.json` - OIDC JWKS document
Integration guide
For a step-by-step guide on configuring an IdP (Keycloak, Auth0, Ping Identity, etc.) as a relying party with this extension, including Identity Provider setup, attribute mappers, custom authentication flows, and a sample React implementation, see the Passwordless Login with EUDI Wallets guide.