Skip to main content
Connect any OpenID Connect (OIDC) compliant identity provider to authenticate end users with your Char agent. This guide covers the requirements and configuration for custom OIDC providers.

Prerequisites

  • An OIDC-compliant identity provider
  • Access to configure applications in your IDP
  • Your IDP’s OIDC discovery URL or issuer URL
  • Access to the Char dashboard

Supported Providers

Custom OIDC integration works with any provider that:
  • Supports OpenID Connect 1.0
  • Publishes a /.well-known/openid-configuration discovery document
  • Uses RS256, RS384, RS512, ES256, ES384, or ES512 for token signing
  • Provides a JWKS endpoint for public key retrieval
Examples of compatible providers include: Keycloak, PingFederate, OneLogin, JumpCloud, Duo, ForgeRock, Cognito, and many others.

SDK References

These generic OIDC libraries work with any compliant identity provider:

oidc-client-ts

TypeScript OIDC client library

react-oidc-context

React context for OIDC authentication

OIDC Requirements

Your identity provider must support these OIDC features:
FeatureRequirement
Discovery document/.well-known/openid-configuration endpoint
JWKS endpointPublished in discovery document
Token signingRS256, RS384, RS512, ES256, ES384, or ES512
ID tokensMust include sub, iss, aud, exp claims
HTTPSIssuer URL must use HTTPS

Configuration Steps

1

Locate Your Issuer URL

Find your OIDC provider’s issuer URL. This is typically in your IDP’s documentation or settings.Common patterns:
  • https://idp.yourcompany.com
  • https://auth.yourcompany.com/realms/main
  • https://yourcompany.onelogin.com/oidc/2
The issuer URL should have a discovery document at {issuer}/.well-known/openid-configuration.
2

Verify Discovery Document

Test that your discovery document is accessible:
curl https://your-issuer-url/.well-known/openid-configuration | jq
The response should include at minimum:
{
  "issuer": "https://your-issuer-url",
  "jwks_uri": "https://your-issuer-url/.well-known/jwks.json",
  "authorization_endpoint": "https://your-issuer-url/authorize",
  "token_endpoint": "https://your-issuer-url/token",
  "id_token_signing_alg_values_supported": ["RS256"]
}
3

Create an OIDC Application

In your identity provider, create a new application/client:
  1. Select OIDC or OpenID Connect as the protocol
  2. Select Single-Page Application or Public Client as the type
  3. Configure redirect URIs for your application
  4. Enable the openid, profile, and email scopes
  5. Note the Client ID assigned to your application
4

Configure Char

In the Char Dashboard:
  1. Navigate to SettingsIntegration
  2. Under SSO Configuration, select Custom OIDC as the provider
  3. Enter your Client ID from Step 3
  4. Enter your Issuer URL (e.g., https://idp.yourcompany.com)
  5. Click Test Connection to verify
  6. Click Save Changes

Configuration Reference

Char FieldDescriptionExample
Provider TypeCustom OIDCcustom_oidc
Client IDYour OIDC application’s client IDchar-ai-agent
Issuer URLFull OIDC issuer URL (HTTPS required)https://idp.yourcompany.com
The issuer URL must use HTTPS. HTTP issuers are rejected for security reasons.

Token Requirements

Char validates custom OIDC tokens with these requirements:
ClaimRequirement
issMust exactly match your configured issuer URL
audMust include your configured Client ID
subRequired - used as the user identifier
expMust not be expired

Example: Keycloak Integration

1

Create a Client in Keycloak

  1. Go to your Keycloak Admin Console
  2. Select your realm
  3. Navigate to ClientsCreate
  4. Configure:
SettingValue
Client IDchar-ai-agent
Client Protocolopenid-connect
Access Typepublic
Valid Redirect URIsYour app URLs
Web OriginsYour app origins
2

Configure Char

Use these values:
  • Issuer URL: https://keycloak.yourcompany.com/realms/{realm-name}
  • Client ID: char-ai-agent
import Keycloak from 'keycloak-js';
import "@mcp-b/char/web-component";

const CLIENT_ID = 'char-ai-agent';

const keycloak = new Keycloak({
  url: 'https://keycloak.yourcompany.com',
  realm: 'your-realm',
  clientId: CLIENT_ID,
});

await keycloak.init({ onLoad: 'login-required' });

if (keycloak.authenticated) {
  const agent =
    document.querySelector("char-agent") ?? document.createElement("char-agent");

  if (!agent.isConnected) {
    document.body.appendChild(agent);
  }

  agent.connect({ idToken: keycloak.idToken, clientId: CLIENT_ID });
}

Example: AWS Cognito Integration

1

Create a User Pool App Client

  1. Go to AWS Cognito Console
  2. Select your User Pool
  3. Navigate to App integrationApp clients
  4. Create a new app client (public client, no secret)
  5. Note the Client ID
2

Find Your Issuer URL

The Cognito issuer URL format is:
https://cognito-idp.{region}.amazonaws.com/{user-pool-id}
3

Configure Char

  • Issuer URL: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_XXXXXXXXX
  • Client ID: Your Cognito app client ID
import { CognitoUserPool, CognitoUser, AuthenticationDetails } from 'amazon-cognito-identity-js';
import "@mcp-b/char/web-component";

const CLIENT_ID = 'your-client-id';

const userPool = new CognitoUserPool({
  UserPoolId: 'us-east-1_XXXXXXXXX',
  ClientId: CLIENT_ID,
});

// After authentication
const cognitoUser = userPool.getCurrentUser();
cognitoUser.getSession((err, session) => {
if (session.isValid()) {
    const agent =
      document.querySelector("char-agent") ?? document.createElement("char-agent");

    if (!agent.isConnected) {
      document.body.appendChild(agent);
    }

    agent.connect({
      idToken: session.getIdToken().getJwtToken(),
      clientId: CLIENT_ID,
    });
}
});

Example: OneLogin Integration

1

Create an OIDC Application

  1. Go to OneLogin Admin Portal
  2. Navigate to ApplicationsAdd App
  3. Search for “OpenId Connect” and select it
  4. Configure:
SettingValue
Display NameChar Agent
Redirect URIYour app callback URL
Token Endpoint AuthNone (PKCE)
2

Find Your Issuer URL

The OneLogin issuer URL format is:
https://{subdomain}.onelogin.com/oidc/2
3

Configure Char

  • Issuer URL: https://yourcompany.onelogin.com/oidc/2
  • Client ID: Your OneLogin app client ID

Troubleshooting

The token’s iss claim doesn’t match your configured issuer:
  • Verify the issuer URL exactly matches (including trailing slash if present)
  • Check your IDP’s discovery document for the exact issuer value
  • Some IDPs include a trailing slash - match it exactly
The token’s aud claim doesn’t match:
  • Verify the Client ID matches your IDP application exactly
  • Check if your IDP includes multiple audiences - your Client ID must be one of them
  • Ensure you’re using the ID token, not the access token
Char couldn’t fetch your IDP’s public keys:
  • Verify your issuer URL is correct
  • Ensure the /.well-known/openid-configuration endpoint is accessible
  • Check that the jwks_uri in the discovery document is accessible
  • Test connectivity: curl {issuer}/.well-known/openid-configuration
Your IDP is using an unsupported signing algorithm:
  • Char supports: RS256, RS384, RS512, ES256, ES384, ES512
  • Configure your IDP to use one of these algorithms
  • Symmetric algorithms (HS256, etc.) are not supported for security reasons
The key ID in your token doesn’t match any keys in the JWKS:
  • Your IDP may have rotated keys - wait for JWKS cache to refresh (1 hour)
  • Check that your IDP’s JWKS endpoint includes the current signing key
  • Verify the token is freshly issued, not from a cache

Security Considerations

Critical: Always configure Client ID for audience validation. Without it, tokens from other applications using the same IDP could be used to access your agent.
Additional security best practices:
  • Use HTTPS for all IDP endpoints (required)
  • Keep token lifetimes short (recommended: 1 hour or less)
  • Implement token refresh in your application for long sessions
  • Validate tokens server-side if additional security is needed
  • Monitor authentication logs in your IDP for anomalies

Testing Your Configuration

Use the Test Connection button in the Char dashboard to verify:
  1. The discovery document is accessible
  2. The issuer URL is valid
  3. The JWKS endpoint is reachable
For manual testing, you can verify the discovery document: 
# Fetch and inspect the discovery document
curl -s https://your-issuer-url/.well-known/openid-configuration | jq

# Verify JWKS endpoint
curl -s $(curl -s https://your-issuer-url/.well-known/openid-configuration | jq -r '.jwks_uri') | jq