# OpenID Connect

{% hint style="info" %}
*Every SSO provider is a little bit different. Please* [*contact us*](mailto:hello@appetize.io) *with any questions!*
{% endhint %}

## Check authorization server groups scope

Check the "scopes" configuration of your authorization server, and verify there is a scope called `groups`. If not, add a scope named `groups`.

<figure><img src="/files/242uYTMcTqwKGzi5NR7X" alt=""><figcaption><p>OKTA add groups scope example. In Security -> API -> Authorization servers -> Choose Server -> Scopes</p></figcaption></figure>

## Create a new application

<figure><img src="/files/MffjjI9yPWxN4Xgv9Gal" alt="Example creating new &#x22;Web&#x22; application in OKTA"><figcaption><p>Example creating new "Web" application in OKTA</p></figcaption></figure>

## Configure app settings

| Field               | Value                         |
| ------------------- | ----------------------------- |
| Allowed grant types | Authorization Code            |
| Login redirect URIs | TBD - provided by Appetize.io |
| Initiate login URI  | TBD - provided by Appetize.io |

<figure><img src="/files/lNGeJbKugiBcjngjk2XC" alt="Example app settings in OKTA"><figcaption><p>Example app settings in OKTA</p></figcaption></figure>

### Add group assignments to claims

We will need to configure your SSO provider to send over the user's groups assignments after a successful login.

The following example shows how to pass through groups with prefix appetize\_\* as a groups claim within OKTA. This can be done by adding the groups claim to your authorization server at API -> Authorization Servers. For some OKTA clients, this can also be done under the "Sign On" section in your app's configuration, where you can add groups the same way.

<figure><img src="/files/K6XGDamteqz21sCGnWLK" alt="Example including appetize_* group assignments claim in OKTA"><figcaption><p>Example including appetize_* group assignments claim in OKTA</p></figcaption></figure>

## **Information to provide to Appetize**

1\. We will need the "**Client ID**" and "**Client secret**" for the app you just created.

<figure><img src="/files/UArbzZD0h6u5do0DoIO1" alt="Example Credentials to provide to Appetize.io"><figcaption><p>Credentials to provide to Appetize.io</p></figcaption></figure>

2\. We will also need your **Metadata URI**, often called "Discovery URL". For example: <https://dev-548472.oktapreview.com/oauth2/default/.well-known/oauth-authorization-server>

In OKTA, this is available in Security -> API -> Authorization servers -> Choose Server.

If the metadata endpoint is not available, you may also specify the required fields below:

* **authorization\_endpoint**
* **token\_endpoint**
* **userinfo\_endpoint**
* **jwks\_uri**
* **issuer**
* **introspection\_endpoint**


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.appetize.io/account/single-sign-on/openid-connect.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.