Skip to main content

Third-party app (OAuth / OIDC)

Logto's third-party application integration enables you to leverage Logto as an Identity Provider (IdP) for external applications.

An Identity Provider (IdP) is a service that verifies user identities and manages their login credentials. After confirming a user's identity, the IdP generates authentication tokens or assertions and allows the user to access various applications or services without needing to log in again.

Unlike the applications you created in the Integrate Logto into your application guide that are developed and fully controlled by you, third-party applications are independent services developed by external developers or business partners.

This integration approach is well-suited for common business scenarios. You can enable users to access partner applications using their Logto accounts, just like how enterprise users sign in to Slack with Google Workspace. You can also build an open platform where third-party applications can add "Sign in with Logto" functionality, similar to "Sign in with Google."

Logto is an identity service built on the OpenID Connect (OIDC) protocol, providing both authentication and authorization capabilities. This make integrating an OIDC third-party app as straightforward as traditional web application.

Thus due to OIDC builds upon OAuth 2.0 adding an authentication layer, you can also integrate third-party app using OAuth protocol.

Create a third-party application in Logto

  1. Go to Console > Applications.
  2. Click on the "Create application" button. Select "Third-party app" as the application type and choose one of the following integration protocols:
    • OIDC / OAuth
  3. Select an application type based on the third-party application's type:
    • Traditional Web: Server-rendered applications (e.g., Node.js, PHP, Java) that can securely store a client secret on the backend.
    • Single Page App (SPA): Client-side rendered applications (e.g., React, Vue, Angular) that run entirely in the browser and cannot securely store secrets.
    • Native: Mobile or desktop applications (e.g., iOS, Android, Electron) that run on user devices.
  4. Enter a name and description for your application and click on the "Create" button. A new third-party application will be created.

All created third-party applications will be catalogued on the Applications page under the "Third-party apps" tab. This arrangement helps you distinguish them from your own applications, making it easier to manage all your applications in one place.

Integration guide

Find the application configurations

On the application details page, you can find the Client ID, Client secret (for traditional web apps only), and OIDC endpoints needed for integration.

If the third-party service supports OIDC discovery, simply provide the Discovery endpoint. Otherwise, click Show endpoint details to view all endpoints including authorization endpoint and token endpoint.

Integrate with services that support third-party IdP

If you're connecting a service or product that natively supports external identity provider configuration (e.g., enterprise SaaS platforms, collaboration tools), the setup is straightforward:

  1. Open the service's IdP or SSO configuration page.
  2. Copy the Client ID (and Client secret if required) from Logto and paste them into the service's configuration.
  3. Provide the Discovery endpoint if the service supports OIDC auto-discovery, or manually copy the Authorization endpoint and Token endpoint.
  4. Copy the Redirect URI from the service's configuration page and add it to your Logto application's allowed redirect URIs.
  5. Configure the scopes if the service allows. Since Logto is an OIDC provider, include the openid scope if you need to authenticate users (grants access to an ID token and the UserInfo endpoint). The openid scope is optional if you only need OAuth resource access.

The service will handle the OAuth / OIDC flow automatically once configured.

Integrate via OAuth / OIDC protocol

If a third-party application needs to integrate with Logto as an IdP programmatically, it should implement the standard Authorization Code Flow. We recommend using an OAuth 2.0 / OIDC client library for your programming language to handle the implementation.

Traditional web applications are confidential clients that can securely store a client secret on the backend server. See Authorization Code Flow for full implementation details.

Key steps:

  1. Initiate authorization: Redirect user to Logto's authorization endpoint with client_id, redirect_uri, response_type=code, and scope.
  2. Handle callback: Receive the authorization code from the redirect.
  3. Exchange tokens: From your backend, POST to token endpoint with the code, client_id, and client_secret.

For security reasons, all the OIDC third-party applications will be redirected to a consent screen for user authorization after they are authenticated by Logto.

All the third-party requested user profile permissions, API resource scopes, organization permissions, and organization membership information will be displayed on the consent screen.

These requested permissions will be granted to the third-party applications only after the user clicks on the "Authorize" button.

consent screen

Further actions

FAQs

Logto uses Role-Based Access Control (RBAC) to manage user permissions. On the consent screen, only scopes (permissions) already assigned to the user—through their roles—will be displayed. If a third-party app requests scopes the user doesn’t have, those will be excluded to prevent unauthorized consent.

To manage this:

  • Define global roles or organization roles with specific scopes.
  • Assign roles to users based on their access needs.
  • Users will inherit scopes from their roles automatically.

Use case: Integrate Apache Answer to launch a community for your users

Using Logto as an third-party identity provider (IdP)