After creating an OpenID Connect identity provider, select the Settings tab and configure the advanced settings below. The request-side switches (login_hint, max_age, locale, scopes, prompt, forwarded parameters) change what the broker sends to the external provider; the validation switches (nonce, type claim check, clock skew, essential claim) change what the broker accepts back, and loosening them widens the attack surface of the brokered login.
- Pass login_hint
- Pass max_age
- Pass current locale
- Backchannel logout
- Send 'id_token_hint' in logout requests
- Send 'client_id' in logout requests
- Disable user info
- Disable nonce
- Disable type claim check
- Scopes
- Prompt
- Accepts prompt=none forward from client
- Requires short state parameter
- Allowed clock skew
- Forwarded query parameters
- Store tokens
- Stored tokens readable
- Access Token is JWT
- Trust Email
- Account linking only
- Hide on login page
- Show in Account console
- Verify essential claim
- First login flow override
- Post login flow
- Sync mode
- Case-sensitive username
Pass login_hint
Controls whether the broker forwards the login_hint it received from the client to the external OIDC provider, so the provider can pre-fill the user identifier.
| Option | Description |
|---|---|
| On | Forwards the login_hint parameter in the authentication request |
| Off | Does not send login_hint; the user enters the identifier at the provider |
Pass max_age
Controls whether max_age is sent in authentication requests so that the provider re-authenticates users whose last authentication is older than the allowed age.
| Option | Description |
|---|---|
| On | Sends max_age; the provider must re-authenticate the user if the session is older than max_age seconds and returns the auth_time claim in the ID token, which the broker can check against the same limit |
| Off | Does not send max_age; the provider decides based on its own session policy |
Pass current locale
Controls whether the current UI locale is forwarded to the external OIDC provider as the ui_locales parameter.
| Option | Description |
|---|---|
| On | Sends the locale so the provider can localize its login pages |
| Off | Does not send a locale; the provider's default language rules apply |
Backchannel logout
Controls whether the external provider supports backchannel logout, where the logout request is sent server-to-server instead of through the user's browser.
| Option | Description |
|---|---|
| On | Sends logout requests to the provider directly from the server, terminating the remote session without a browser redirect |
| Off | Backchannel logout is not used |
Send 'id_token_hint' in logout requests
Controls whether the ID token received from the provider is included as id_token_hint in logout requests sent to the provider's end session endpoint.
| Option | Description |
|---|---|
| On | Includes id_token_hint, which lets the provider identify exactly which session to log out |
| Off | Does not send id_token_hint |
Send 'client_id' in logout requests
Controls whether client_id is included in logout requests sent to the provider.
| Option | Description |
|---|---|
| On | Includes client_id, which providers use to identify the relying party and validate the post-logout redirect when no id_token_hint is sent |
| Off | Does not include client_id |
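The logout request these three switches shape, as an added example that is not Keycloak's own code: the endpoint URLs, client ID and the setting names (backchannel, send_id_token_hint, send_client_id) are constructed for this example, and the choice of POST for the server-to-server call is this example's, not something the page states. It follows the OpenID Connect RP-Initiated Logout parameters.

```python
import secrets
from urllib.parse import urlencode

# Constructed values for this example (not real systems).
END_SESSION_ENDPOINT = "https://idp.example.com/logout"
CLIENT_ID = "sso-broker"
POST_LOGOUT_REDIRECT = "https://sso.example.com/realms/demo/broker/oidc/endpoint/logout_response"


def build_logout_request(settings, id_token, state=None):
    """Return the RP-initiated logout request the broker would make.

    settings keys are this example's own: backchannel, send_id_token_hint,
    send_client_id. id_token is the ID token received at login, or None if
    it was not kept.
    """
    params = {"post_logout_redirect_uri": POST_LOGOUT_REDIRECT}
    if settings["send_id_token_hint"] and id_token:
        params["id_token_hint"] = id_token  # lets the provider pick the exact session
    if settings["send_client_id"]:
        params["client_id"] = CLIENT_ID  # identifies the RP when no hint is available
    # A provider that cannot tell which RP is asking cannot validate the
    # redirect target, so this example drops it rather than send it blind.
    if "id_token_hint" not in params and "client_id" not in params:
        params.pop("post_logout_redirect_uri")
    if settings["backchannel"]:
        # Server-to-server: no browser, so no redirect and no state to verify.
        params.pop("post_logout_redirect_uri", None)
        return {"mode": "backchannel", "method": "POST",
                "url": END_SESSION_ENDPOINT, "body": params}
    # Front-channel: the browser is redirected; state is echoed back on return
    # and must be checked before the logout is considered complete.
    params["state"] = state or secrets.token_urlsafe(16)
    return {"mode": "frontchannel", "method": "GET",
            "url": f"{END_SESSION_ENDPOINT}?{urlencode(params)}"}


if __name__ == "__main__":
    sample = {"backchannel": False, "send_id_token_hint": True, "send_client_id": True}
    print(build_logout_request(sample, "eyJhbGciOiJub25lIn0.e30.", state="demo"))
```

With both switches off and no backchannel, the provider receives nothing that ties the request to this broker, which is why some providers refuse to redirect back afterwards.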
Disable user info
Controls whether the broker skips the call to the provider's UserInfo endpoint after the token response.
| Option | Description |
|---|---|
| On | Skips the UserInfo request; mappers see only the claims carried in the tokens |
| Off | Calls the UserInfo endpoint with the access token to fetch additional user claims |
Disable nonce
Controls whether the broker omits the nonce parameter from the authentication request and skips nonce validation of the returned ID token.
| Option | Description |
|---|---|
| On | Disables the nonce. The nonce binds an ID token to the login attempt that requested it, so without it an ID token captured from one login can be presented in another. Enable this only for a provider that cannot handle the parameter |
| Off | Sends a nonce and rejects ID tokens whose nonce does not match (recommended) |
Disable type claim check
Controls whether the broker validates the typ claim of the token received from the provider.
| Option | Description |
|---|---|
| On | Skips the typ claim check, for providers whose tokens carry a non-standard type value |
| Off | Enforces the typ claim check so that only a token of the expected type is accepted as the ID token (recommended default) |
Scopes
Defines the space-separated list of OIDC scopes requested from the external provider. The openid scope is required for an OpenID Connect login; request only the additional scopes the mappers actually need, since each one widens what the provider releases and what ends up in any stored tokens.
Prompt
Defines the OIDC prompt value requested at the external provider.
| Option | Description |
|---|---|
| Unspecified | No explicit prompt value is sent; the provider's default behavior applies |
| None | Requests silent authentication with no user interaction; the provider returns an error such as login_required if it would need to interact |
| Consent | Forces the consent screen at the provider |
| Login | Forces re-authentication at the provider |
| Select account | Forces the account chooser when multiple accounts are available |
Accepts prompt=none forward from client
Controls whether an authentication request carrying prompt=none from a client may be forwarded to this provider. Normally a realm answers prompt=none for an unauthenticated user with a login_required error; when a default provider can be determined (for example through kc_idp_hint or a realm default), the request can instead be forwarded so that the provider checks the user's session. Because not every provider supports prompt=none, this switch tells the realm that this one does.
| Option | Description |
|---|---|
| On | Forwards prompt=none to the external provider for silent authentication attempts |
| Off | Does not forward prompt=none; the realm answers the request itself |
Requires short state parameter
Controls whether the state parameter is shortened for providers that cannot handle long state values.
| Option | Description |
|---|---|
| On | Uses a shorter state value for providers with URL or parameter length limitations |
| Off | Uses the normal state parameter format |
Allowed clock skew
Maximum tolerated difference in seconds between the provider's clock and this server's clock when validating token timestamps (exp, iat, nbf). Keep it small: every second of skew extends the window in which an expired token is still accepted. Fix the clock synchronization rather than raising this value.
Forwarded query parameters
Comma-separated names of query parameters that, when present in the client's request to the login endpoint, are copied into the authentication request sent to the external provider's authorization endpoint. Only the listed names are forwarded; keep the list minimal, because anything listed reaches the provider exactly as the client supplied it.
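The request-building and token-validation switches above, walked through end to end as an added example that is not Keycloak's own code: the issuer, client ID, endpoints and sample claims are constructed, the SETTINGS keys are this example's own names for the switches (not Keycloak's configuration attributes), the token is unsigned because signature verification is outside what these switches control, and accepting a missing typ claim is this example's policy. The demo shows a valid login, a replayed ID token, an authentication older than max_age, an expiry inside the clock skew, and the same replay passing once the nonce check is disabled.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed values for this example; none of these are real systems.
ISSUER = "https://idp.example.com"
AUTHORIZATION_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "sso-broker"
REDIRECT_URI = "https://sso.example.com/realms/demo/broker/oidc/endpoint"

# This example's own switch names mirroring the page; not Keycloak's attribute keys.
SETTINGS = {
    "pass_login_hint": True, "pass_max_age": True, "max_age": 300, "pass_locale": True,
    "scopes": "openid email", "prompt": None, "accept_prompt_none": False,
    "short_state": False, "forward_parameters": ["campaign"],
    "disable_nonce": False, "disable_type_claim_check": False, "allowed_clock_skew": 5,
    "essential_claim": ("tenant", "acme"),  # None turns the check off
}


def build_authorization_request(settings, client_query, login_hint=None, locale=None):
    """Redirect the broker sends the browser to; returns (url, state, nonce)."""
    state = secrets.token_urlsafe(6 if settings["short_state"] else 32)
    nonce = None if settings["disable_nonce"] else secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": settings["scopes"], "state": state}
    if nonce:
        params["nonce"] = nonce  # bound to this login attempt, checked on the ID token
    if settings["pass_login_hint"] and login_hint:
        params["login_hint"] = login_hint
    if settings["pass_max_age"]:
        params["max_age"] = str(settings["max_age"])
    if settings["pass_locale"] and locale:
        params["ui_locales"] = locale
    if settings["prompt"]:
        params["prompt"] = settings["prompt"]
    elif settings["accept_prompt_none"] and client_query.get("prompt") == "none":
        params["prompt"] = "none"
    for name in settings["forward_parameters"]:  # allow-list, never the whole query string
        if name in client_query:
            params[name] = client_query[name]
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}", state, nonce


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sample_id_token(claims):
    """Constructed, unsigned token in JWT layout. A real broker verifies the
    signature against the provider's keys before any of the checks below."""
    return ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(claims).encode()), ""])


def validate_id_token(token, settings, expected_nonce, now):
    """Claim checks the settings above govern. Returns (ok, reason)."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    skew = settings["allowed_clock_skew"]
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if now >= claims.get("exp", 0) + skew:  # skew widens the acceptance window
        return False, "token expired"
    if claims.get("iat", 0) > now + skew:
        return False, "token issued in the future"
    # This example accepts a missing typ and rejects any value other than "ID".
    if not settings["disable_type_claim_check"] and claims.get("typ", "ID") != "ID":
        return False, "not an ID token"
    if not settings["disable_nonce"] and claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch: replayed or foreign token"
    if settings["pass_max_age"]:
        auth_time = claims.get("auth_time")
        if auth_time is None or now - auth_time > settings["max_age"] + skew:
            return False, "authentication too old"
    essential = settings["essential_claim"]
    if essential and claims.get(essential[0]) != essential[1]:
        return False, f"essential claim {essential[0]} missing or wrong"
    return True, "ok"


def demo(now=None):
    """Walk through a login and the failure modes the settings are meant to catch."""
    now = now or int(time.time())
    url, state, nonce = build_authorization_request(
        SETTINGS, {"prompt": "none", "campaign": "spring", "evil": "1"},
        login_hint="alice@example.com", locale="de")
    good = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "typ": "ID", "iat": now,
            "exp": now + 300, "auth_time": now - 60, "nonce": nonce, "tenant": "acme"}
    check = lambda claims, s=SETTINGS, n=nonce: validate_id_token(sample_id_token(claims), s, n, now)
    return {
        "url": url,
        "good": check(good),
        "replayed_nonce": check(good, n="nonce-from-another-login"),
        "stale_auth_time": check({**good, "auth_time": now - 600}),
        "expired_inside_skew": check({**good, "exp": now - 3}),
        "nonce_check_off": check(good, {**SETTINGS, "disable_nonce": True}, "nonce-from-another-login"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The last two demo entries are the ones worth remembering when loosening these settings: a token three seconds past exp is still accepted with a five-second skew, and with the nonce check off a token minted for a different login is indistinguishable from a fresh one.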
Store tokens
Controls whether the tokens received from the external provider are stored with the brokered user's account.
| Option | Description |
|---|---|
| On | Stores the provider's tokens for later use, for example token exchange or calls to the provider's APIs on the user's behalf. Stored tokens are credentials for the external provider, so protect the realm database accordingly |
| Off | Does not persist external provider tokens |
Stored tokens readable
Controls whether users created through this provider may read the tokens stored for them.
| Option | Description |
|---|---|
| On | New users are granted the read-token role of the broker client on creation, so they can retrieve their stored provider tokens through the broker's token endpoint |
| Off | Stored tokens stay inaccessible to the user unless the read-token role is granted separately |
Access Token is JWT
Indicates whether the access token issued by the external provider is a JWT rather than an opaque string.
| Option | Description |
|---|---|
| On | Parses the access token as a JWT so that its claims can be validated and used by mappers |
| Off | Treats the access token as opaque; it is only passed to the UserInfo endpoint and never parsed |
Trust Email
Controls whether an email address supplied by the external provider is treated as verified.
| Option | Description |
|---|---|
| On | Treats the provider's email as verified: users logging in through this provider skip the realm's email verification requirement. Enable this only for a provider that verifies addresses itself, because a local account is located by its email and an unverified address from the provider can collide with an existing account |
| Off | Does not trust the provider's verification state; the realm's own verification requirement and the first login flow's existing-account checks apply |
Account linking only
Restricts this identity provider to linking with existing accounts; it cannot be used to log in.
| Option | Description |
|---|---|
| On | The provider is not offered as a login option and creates no users; existing accounts can still be linked to it, for example so that its tokens can be stored and exchanged |
| Off | Standard brokered login, including creating new users through the first login flow when configured |
Hide on login page
Controls whether this identity provider is shown on the login page.
| Option | Description |
|---|---|
| On | Hides the provider's button on the login page; login through it remains possible when requested explicitly, for example with the kc_idp_hint parameter |
| Off | Shows the provider on the login page |
Show in Account console
Controls the visibility of this identity provider in the account console's linking section.
| Option | Description |
|---|---|
| Always | Always show the provider in the account console linking section |
| When linked | Show the provider only if the account is already linked to it |
| Never | Do not show the provider in the account console |
Verify essential claim
Controls whether the ID token must contain a configured claim with an expected value for the login to succeed.
| Option | Description |
|---|---|
| On | Rejects the login if the ID token lacks the configured claim or carries a different value, for example to admit only users of one tenant |
| Off | Does not check for an essential claim |
First login flow override
Selects the authentication flow run the first time a user logs in through this provider, replacing the realm's default first broker login flow. The built-in flows are listed below; custom flows defined in the realm can be selected as well.
| Option | Description |
|---|---|
| browser | Uses the browser authentication flow as the first-login override |
| direct grant | Uses the direct grant flow as the first-login override |
| docker auth | Uses the Docker auth flow as the first-login override |
| first broker login | Uses the first broker login flow (the default for broker onboarding) |
| registration | Uses the registration flow as the first-login override |
| reset credentials | Uses the reset credentials flow as the first-login override |
Post login flow
Selects an optional flow executed after every successful authentication through this provider, for example to require a second factor. Custom flows defined in the realm can be selected in addition to the built-in flows listed.
| Option | Description |
|---|---|
| None | No additional post-login flow is executed |
| browser | Executes the browser flow after login |
| direct grant | Executes the direct grant flow after login |
| docker auth | Executes the docker auth flow after login |
| first broker login | Executes the first broker login flow after login |
| registration | Executes the registration flow after login |
| reset credentials | Executes the reset credentials flow after login |
Sync mode
Default sync mode for this provider's mappers. It determines when user data is synchronized from the provider through the mappers; an individual mapper can override it.
| Option | Description |
|---|---|
| Import | Imports user data on the first login with this provider only; later logins do not update the user from the provider |
| Legacy | Keeps the synchronization behavior from before this option existed |
| Force | Updates the user from the provider on every login |
Case-sensitive username
Controls whether the username supplied by the external provider is kept with its original case when matching or creating users.
| Option | Description |
|---|---|
| On | Keeps the original case of the provider username when matching or creating the brokered user |
| Off | Treats usernames as case-insensitive (the default) |