Passwordless Login
The Passwordless Login extension enables organisations to offer passwordless login using digital credentials presented from an EUDI Wallet. It integrates seamlessly with existing OpenID Connect (OIDC) identity management systems.
How it works
- The organisation enables the Passwordless Login extension from the dashboard.
- An administrator creates one or more OIDC clients, each configured with a presentation definition, redirect URIs, and a callback endpoint.
- When a user initiates login, they are redirected to the OIDC authorization endpoint.
- The user presents the requested credential from their EUDI Wallet.
- The system verifies the credential and calls the configured callback URI with the presentation data.
- The callback endpoint returns the sub (subject identifier) claim that matches the user in the Identity Provider (IdP).
- The user is redirected back to the application with an authorization code, completing the login flow.
OIDC discovery endpoints
Once the extension is enabled, the following OpenID Connect endpoints are available:
| Endpoint | Description |
|---|---|
| Well-Known OIDC (/.well-known/openid-configuration) | OIDC discovery document |
| Authorization Endpoint | Redirects users to present credentials from their wallet |
| Token Endpoint | Secure server-to-server token exchange |
| User Info Endpoint | Returns authenticated user profile information |
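The relying-party side of the flow (reading the discovery document, sending the user to the Authorization Endpoint, and checking the redirect that carries the authorization code back) is shown below as an added example; it is not code from the extension or from any project the page describes. The discovery document, host names and client identifier are constructed; only the path shape under /v3/service/extension/oidc/{organisationId}/ is taken from the page. The host check on the discovery endpoints is the example's own hardening choice.

```python
"""Relying-party helpers for the Passwordless Login OIDC flow (added example).

Everything below is constructed for illustration: the verifier host, the
organisation identifier "org-123" and the client identifier are not real.
"""
import secrets
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document shaped like /.well-known/openid-configuration.
DISCOVERY = {
    "issuer": "https://verifier.example.org/v3/service/extension/oidc/org-123",
    "authorization_endpoint": "https://verifier.example.org/v3/service/extension/oidc/org-123/authorize",
    "token_endpoint": "https://verifier.example.org/v3/service/extension/oidc/org-123/token",
    "userinfo_endpoint": "https://verifier.example.org/v3/service/extension/oidc/org-123/userinfo",
}
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def check_discovery(doc: dict) -> List[str]:
    """Return a list of problems with a discovery document; empty means usable.

    Every endpoint must be present, use HTTPS and live on the issuer's host, so
    a tampered or mis-served document cannot send the code exchange elsewhere.
    """
    problems: List[str] = []
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https" or not issuer.netloc:
        problems.append("issuer is not an https URL")
    for name in REQUIRED_ENDPOINTS:
        url = urlparse(doc.get(name, ""))
        if url.scheme != "https":
            problems.append(f"{name} is missing or not https")
        elif url.netloc != issuer.netloc:
            problems.append(f"{name} host differs from issuer host")
    return problems


def build_authorization_request(doc: dict, client_id: str, redirect_uri: str) -> Tuple[str, str, str]:
    """Build the redirect to the Authorization Endpoint.

    state binds the eventual redirect back to this browser session (login CSRF);
    nonce is echoed in the ID token so a replayed token can be detected. Both
    must be stored server-side against the session until the response arrives.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return f"{doc['authorization_endpoint']}?{urlencode(params)}", state, nonce


def extract_code(redirect_url: str, expected_state: str, registered_redirect_uri: str) -> Optional[str]:
    """Validate the redirect back to the application and return the code, or None.

    The URL (minus query) must exactly equal the registered Redirect URI, the
    state must match the stored value, and an error response yields no code.
    """
    parsed = urlparse(redirect_url)
    if parsed._replace(query="", fragment="").geturl() != registered_redirect_uri:
        return None
    query = parse_qs(parsed.query)
    returned_state = query.get("state", [""])[0]
    if not secrets.compare_digest(returned_state, expected_state):
        return None
    if "error" in query or not query.get("code"):
        return None
    return query["code"][0]


if __name__ == "__main__":
    assert check_discovery(DISCOVERY) == []
    url, state, nonce = build_authorization_request(DISCOVERY, "client-123", "https://app.example.org/callback")
    print(url)
    print(extract_code(f"https://app.example.org/callback?code=abc123&state={state}", state,
                       "https://app.example.org/callback"))
```

In a web application the state and nonce returned by build_authorization_request are kept in the server-side session; extract_code is called on the incoming redirect before the code is sent to the Token Endpoint, and the nonce is compared against the ID token's nonce claim after the exchange.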
OIDC client configuration
Each OIDC client connects to your Identity Provider and defines how credential-based login is handled.
Client fields
| Field | Required | Description |
|---|---|---|
| Client Name | Yes | A descriptive name for the client |
| Presentation Definition | Yes | Select which credentials to verify during login |
| Redirect URIs | No | URLs where users are redirected after login |
| Web Origins | No | Allowed CORS origins for browser-based flows |
| Callback URI | Yes | HTTPS endpoint that receives the credential presentation |
| Callback Secret | Yes | HMAC-SHA256 secret used to sign callback payloads |
Callback endpoint requirements
The configured Callback URI must:
- Accept the credential presentation payload, which is signed with the Callback Secret using HMAC-SHA256, and verify that signature before acting on the payload.
- Return a JSON response containing the sub (subject identifier) claim that maps the presented credential to a user in your IdP.
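The callback step of the flow above and the two requirements just listed, as an added example; this is not the extension's code and not code from any project the page describes. The page does not specify how the HMAC tag is transported or what the presentation data looks like, so this example assumes a hex-encoded HMAC-SHA256 tag over the raw request body (say, in an X-Callback-Signature header) and a payload whose disclosed claims sit under "credentials"; the secret, the user directory and the sample payload are constructed.

```python
"""Callback endpoint logic for one OIDC client (added example, not the extension's code).

Assumptions not stated by the page: the HMAC-SHA256 tag arrives hex-encoded
in an X-Callback-Signature header and covers the raw request body, and the
presentation data carries the disclosed claims under "credentials".
"""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Hypothetical: the Callback Secret shown for this client in the dashboard.
CALLBACK_SECRET = b"replace-with-the-client-callback-secret"

# Hypothetical IdP lookup: a claim value from the credential -> IdP subject identifier.
USER_DIRECTORY: Dict[str, str] = {
    "alice@example.org": "f2c1d9e4-0001-4a6b-9c3d-000000000001",
}


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body, the computation the sender is assumed to perform."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, provided: Optional[str]) -> bool:
    """Constant-time comparison so a timing oracle cannot be used to forge the tag."""
    return hmac.compare_digest(sign_payload(secret, body), provided or "")


def resolve_subject(presentation: dict) -> Optional[str]:
    """Map the presented credential's claims to a local user; None if there is no match."""
    for credential in presentation.get("credentials", []):
        if not isinstance(credential, dict):
            continue
        email = credential.get("claims", {}).get("email")
        if email in USER_DIRECTORY:
            return USER_DIRECTORY[email]
    return None


def handle_callback(body: bytes, signature: Optional[str], secret: bytes = CALLBACK_SECRET) -> Tuple[int, dict]:
    """Process one callback request and return (HTTP status, JSON response body).

    The tag is checked over the raw bytes before any parsing, so unauthenticated
    input never reaches the JSON decoder or the user lookup.
    """
    if not verify_signature(secret, body, signature):
        return 401, {"error": "invalid_signature"}
    try:
        presentation = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed_payload"}
    if not isinstance(presentation, dict):
        return 400, {"error": "malformed_payload"}
    sub = resolve_subject(presentation)
    if sub is None:
        # No local account for this credential: refuse rather than auto-provision.
        return 404, {"error": "unknown_user"}
    return 200, {"sub": sub}


def make_body(email: str) -> bytes:
    """Constructed presentation payload used for the demonstration and checks."""
    return json.dumps({"credentials": [{"claims": {"email": email}}]}, sort_keys=True).encode()


SAMPLE_BODY = make_body("alice@example.org")

if __name__ == "__main__":
    tag = sign_payload(CALLBACK_SECRET, SAMPLE_BODY)
    print(handle_callback(SAMPLE_BODY, tag))
    print(handle_callback(SAMPLE_BODY, "0" * 64))
    print(handle_callback(SAMPLE_BODY.replace(b"alice", b"mallory"), tag))
```

The status codes and the choice to refuse unknown users are this example's own; the page only requires that a successful response carry the sub claim. Which claim identifies the wallet holder depends on the presentation definition configured for the client.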
Client management
From the dashboard, administrators can:
- Create new OIDC clients
- View and copy client credentials (Client ID and Client Secret)
- Edit client configuration
- Delete clients (with confirmation)
- View the associated presentation definition
API endpoints:
- GET /v3/config/extension/oidc/clients - List all OIDC clients
- POST /v3/config/extension/oidc/client - Create a new client
- PUT /v3/config/extension/oidc/client/{clientId} - Update a client
- DELETE /v3/config/extension/oidc/client/{clientId} - Delete a client
- GET /v3/service/extension/oidc/{organisationId}/.well-known/openid-configuration - OIDC discovery
Keycloak integration guide
For a step-by-step guide on configuring Keycloak as a relying party with this extension, including Identity Provider setup, attribute mappers, custom authentication flows, and a sample React implementation, see the Passwordless Login with EUDI Wallets guide.
Disabling the Passwordless Login extension deletes all OIDC clients and their configuration. This action is not reversible.