---
title: "OpenID Connect (OIDC)"
diataxis: how-to
applies_to:
  product: "nirmata-control-hub"
audience: ["platform-engineer","admin"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/control-hub/identity-access/oidc/
---

Nirmata lets administrators configure end-user authentication and identity verification based on authentication performed by an Authorization Server (the OpenID Connect provider). This gives an interoperable, REST-like authentication system.

### Setting up a user with OpenID Connect

To set up OIDC:

1. In the menu, go to **Identity & Access** > **OIDC**.
2. Click **Setup OIDC for single sign-on (SSO)**. The Update OIDC Settings window opens.
3. Update the OIDC Settings by entering the following details:
    - *Name*
    - *Client ID*
    - *Secret*
    - *Discovery URL*
    - *Scopes*
    - *Group Attribute Name*
    - *JWS Algorithm*
4. Click **Add**.

---

## Configuring Okta as an Identity Provider in Nirmata

## Prerequisites

- Administrative access to your Okta organization account or Okta App Integration
- Administrative access to your Nirmata account

## Configuration Steps

### 1. Create a New Application in Okta

1. Log in to your Okta Admin Console.
2. In the left sidebar, navigate to **Applications > Applications**.
3. Click **Create Application Integration**.
4. Select **OIDC**.
5. Choose **Web Application** as the platform.
6. Click **Create**.

### 2. Configure Application Settings

1. In the application settings, fill in the following:
   - **App integration name**: (e.g., Nirmata app)
   - **Application type**: Web
   - **Grant type configuration:**
     - Under **Grant type**:
       - Check **Client Credentials** (under "Client acting on behalf of itself").
       - Under **Core grants**, check **Authorization Code**. (Leave **Refresh Token** unchecked unless your use case requires it.)
       - Expand **Advanced**:
         - Leave all **Okta direct auth API grants** (OTP, OOB, MFA OTP, MFA OOB) unchecked.
         - Under **Other grants**, check **Implicit (hybrid)**.
           - Check both **Allow ID Token with implicit grant type** and **Allow Access Token with implicit grant type**.
   - **Login redirect URIs**:
     - **Sign-in redirect URIs**: `https://<nirmata-domain>/security/api/oidc/callback/`
     - **Sign-out redirect URIs**: `https://<nirmata-domain>/security/api/oidc/logout/`

Click **Save**.

Navigate back to the application you created and complete the following configuration:

- **Proof Key for Code Exchange (PKCE)**: uncheck **Require PKCE as additional verification**.
- Copy the **Client ID** and **Client secret**; you will enter them in Nirmata.


### 3. Navigate to Nirmata to Configure Okta OIDC

In Nirmata, go to **Identity & Access** > **OIDC** and enter the following details, taking the values from your Okta app:

- **Name:**  
  Enter a descriptive name for this OIDC configuration (e.g., `okta`).

- **Client ID:**  
  Copy the Client ID from your Okta application.

- **Secret:**  
  Copy the Client Secret from your Okta application.

- **Discovery URI:**  
  Use the full OpenID Connect discovery endpoint from Okta, e.g.:  
  `https://<okta-domain>/oauth2/default/.well-known/openid-configuration`

- **Scopes:**  
  Enter: `openid email profile`

- **Groups Attribute Name:**  
  Leave blank unless you are mapping groups.

- **JWS Algorithm:**  
  Select or enter: `RS256`

After entering these values, click **Save** in Nirmata.

**Note:**  
- Ensure that the redirect URIs in Okta match those configured in Nirmata.
- If you encounter errors, double-check that all values (especially the Discovery URI and Client Secret) are correct and up to date.

## Troubleshooting

#### Error: `idx.error.code.no_matching_policy` (Seen in Okta Admin Console)
- **Message:** "You are not allowed to access this app. To request access, contact an admin."
- **Solution:**
  - In the Okta Admin Console, navigate to **Security > API > Authorization Servers**.
  - Select your authorization server (e.g., "default").
  - Go to the **Access Policies** tab.
  - Click **Add New Access Policy** or edit an existing one.
  - Add a rule with the following settings:
    - **Grant type**: Enable **Authorization Code** and any other required grants.
    - **User is**: Any user assigned the app (or as per your requirements).
    - **Scopes requested**: Any scopes (or specify as needed).
    - **Access token lifetime**: Set as required (e.g., 1 hour).
    - **Refresh token lifetime**: Set as required (e.g., 90 days).
  - Save the rule.

#### Error: PKCE Code Verifier Required (Seen in Nirmata UI)
- **Message:** "Sign in failed (400 - OIDC error: Bad token response, error=invalid_request, description=PKCE code verifier is required by the application.)"
- **Solution:** In the Okta app's General settings, uncheck **Require PKCE as additional verification** under Proof Key for Code Exchange (PKCE).

#### Error: No JWS Algorithm Supported (Seen in Nirmata UI)
- **Message:** "Sign in failed (400 - OIDC error: There must at least one JWS algorithm supported on the OpenID Connect provider side)."
- **Solution:** In the Nirmata OIDC configuration, use the full OpenID Connect Discovery URI from Okta (ending in `/.well-known/openid-configuration`), not just the issuer or OIDC endpoint URL. Example: `https://admin-nirmata.okta.com/oauth2/default/.well-known/openid-configuration`.

---

## Configuring Keycloak as an Identity Provider

## Prerequisites

Before proceeding, ensure:
- You have admin access to your Keycloak instance.
- Nirmata Control Hub is accessible and you have Admin access.

---

## Step 1: Create a New Realm (Optional)

If you're using Keycloak for multiple applications, it's recommended to isolate Nirmata authentication in its own realm:

1. Log in to the Keycloak Admin Console.
2. From the top-left dropdown, click **"Add Realm"**.
3. Name it `nirmata-realm` (or a name of your choice).

---

## Step 2: Register Nirmata as a Client

1. In the Keycloak Admin Console, go to **Clients**.
2. Click **"Create"**.
3. Enter the following details:
   - **Client ID**: `nirmata`
   - **Client Protocol**: `openid-connect`
4. Click **Next**.

### Capability Config:
- Enable **Client Authentication**
- Enable the following flows:
  - Standard Flow
  - Direct Access Grants
  - Implicit Flow

Click **Next**.

### Login Settings:
- **Valid Redirect URIs**:  
  `https://<nirmata-host>/security/api/oidc/callback/*`
- **Valid Post Logout Redirect URIs**:  
  `https://<nirmata-host>/security/api/oidc/logout/*`
- Leave the other fields with default values.

Click **Save**.

### Advanced Settings:
1. Navigate to the **nirmata** client settings.
2. Expand the **Advanced Settings** section.
3. Set **Proof Key for Code Exchange (PKCE) Code Challenge Method** to `S256`.
4. Click **Save**.

---

## Step 3: Retrieve Credentials for Nirmata

To connect Nirmata to Keycloak, note the following:

- **Client ID**: `nirmata`
- **Client Secret**:
  - Go to **Clients > nirmata > Credentials** tab.
  - Copy the **Secret**.

- **Discovery URI** format:  
  `https://<keycloak-host>/realms/<realm-name>/.well-known/openid-configuration`  
  Example:  
  `https://keycloak.example.com/realms/nirmata-realm/.well-known/openid-configuration`
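The document behind this URI is what Nirmata reads to discover the provider's endpoints and the ID-token signing algorithms it supports, so a Discovery URI that stops at the issuer instead of ending in `/.well-known/openid-configuration` is exactly what produces the "No JWS Algorithm Supported" error described in the Okta troubleshooting section above. The following Python script is an added example, not code from Nirmata, Okta or Keycloak; it checks a Discovery URI and the document it returns against the values entered in Nirmata (Discovery URI, JWS Algorithm, Scopes). The field names are the standard OpenID Connect discovery metadata names; the host `idp.example.com` and `SAMPLE_DOC` are constructed so the check runs offline, and `fetch_discovery_document` is the one function that talks to a live provider.

```python
"""Validate an OIDC Discovery URI and the discovery document it returns.

Added example (not Nirmata, Okta or Keycloak code). The checks mirror the
settings entered in Nirmata: Discovery URI, JWS Algorithm and Scopes. Field
names are the standard OpenID Connect discovery metadata names; the sample
host idp.example.com and SAMPLE_DOC below are constructed for illustration.
"""
import json
import urllib.request
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Metadata a relying party needs in order to run the authorization-code flow.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery_uri(uri: str) -> list[str]:
    """Return a list of problems with the Discovery URI string itself (empty = OK)."""
    problems = []
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        problems.append("Discovery URI must use https")
    if "<" in uri or ">" in uri:
        # A template such as https://<okta-domain>/... was pasted with its marker left in.
        problems.append("Discovery URI still contains a placeholder marker (< or >)")
    if not parsed.path.endswith(DISCOVERY_SUFFIX):
        # Pointing at the issuer alone gives the provider no way to advertise
        # its endpoints or JWS algorithms.
        problems.append(f"Discovery URI must end with {DISCOVERY_SUFFIX}")
    return problems


def check_discovery_document(doc: dict, uri: str, jws_alg: str, scopes: str) -> list[str]:
    """Return problems found when comparing the discovery document to the Nirmata settings."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"discovery document is missing '{key}'")

    # The issuer must equal the Discovery URI with the well-known suffix removed;
    # a mismatch usually means the URI points at the wrong realm or auth server.
    if uri.endswith(DISCOVERY_SUFFIX):
        expected_issuer = uri[: -len(DISCOVERY_SUFFIX)].rstrip("/")
        issuer = doc.get("issuer", "")
        if issuer and issuer.rstrip("/") != expected_issuer:
            problems.append(f"issuer '{issuer}' does not match Discovery URI prefix '{expected_issuer}'")

    # This list is what the 'No JWS Algorithm Supported' error is about.
    algs = doc.get("id_token_signing_alg_values_supported") or []
    if not algs:
        problems.append("no JWS algorithm advertised in id_token_signing_alg_values_supported")
    elif jws_alg not in algs:
        problems.append(f"configured JWS algorithm '{jws_alg}' not among {algs}")

    # scopes_supported is optional in the spec; only compare when the provider publishes it.
    supported = doc.get("scopes_supported")
    if supported is not None:
        missing = sorted(set(scopes.split()) - set(supported))
        if missing:
            problems.append(f"scopes not advertised by the provider: {missing}")
    return problems


def fetch_discovery_document(uri: str, timeout: float = 10.0) -> dict:
    """Fetch and parse the live discovery document (network call; not used in the demo)."""
    with urllib.request.urlopen(uri, timeout=timeout) as resp:
        return json.load(resp)


def validate(uri: str, jws_alg: str, scopes: str, doc: dict) -> list[str]:
    """Run both checks; an empty list means the Nirmata settings and the provider agree."""
    return check_discovery_uri(uri) + check_discovery_document(doc, uri, jws_alg, scopes)


# Constructed sample in the shape a Keycloak realm (or an Okta auth server) returns.
SAMPLE_URI = "https://idp.example.com/realms/nirmata-realm" + DISCOVERY_SUFFIX
SAMPLE_DOC = {
    "issuer": "https://idp.example.com/realms/nirmata-realm",
    "authorization_endpoint": "https://idp.example.com/realms/nirmata-realm/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/nirmata-realm/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.com/realms/nirmata-realm/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
}

if __name__ == "__main__":
    # Settings as they would be entered in Nirmata for this provider.
    for problem in validate(SAMPLE_URI, "RS256", "openid email profile", SAMPLE_DOC) or ["OK"]:
        print(problem)
    # To check a live provider, replace SAMPLE_DOC with fetch_discovery_document(SAMPLE_URI).
```

Run it against a live provider by swapping `SAMPLE_DOC` for `fetch_discovery_document(uri)` with your real Discovery URI; each returned string corresponds to one of the misconfigurations this page describes (truncated or placeholder URI, wrong realm, unsupported JWS algorithm, scope not offered by the provider).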

---

## Step 4: Configure in Nirmata Control Hub

1. Log into Nirmata Control Hub as an Admin.
2. Navigate to **Identity & Access > OIDC**.
3. Click **"Add Provider"** and select **OIDC**.
4. Fill in the fields:
   - **Name**: `Keycloak`
   - **Client ID**: `nirmata`
   - **Client Secret**: (paste from step 3)
   - **Discovery URI**: (paste the URI from step 3)
   - **Scopes**: `openid profile email`
5. Click **Save**.

---

## Step 5: Test Authentication

1. In the OIDC configuration page, locate and click the **Initiate Login URL**.
2. You will be redirected to Keycloak's login page.
3. Log in using a user account from the configured realm.
4. Upon successful login, you will be redirected back to Nirmata and authenticated.

A successful login confirms that the integration is working.