OpenID Connect Provider

ReachFive is partially implemented as an OpenID Connect Provider (OICP). Although it does not fully implement the protocol, it implements enough to integrate with software that expects an OpenID Connect Provider, such as Amazon Cognito.

In this context, ReachFive:

  • Provides the OAuth2 authorization and token endpoints,

  • Can return an ID token as a signed JSON Web Token (JWT),

  • Provides the standard configuration for OpenID Connect Discovery (OICD).

Configuration

Following the OICD specification, the OpenID Connect configuration document is served at https://YOUR_DOMAIN/.well-known/openid-configuration.

It lists all URLs related to OpenID Connect (authorization endpoint, token endpoint, key set, etc.) and technical information about the endpoints (supported claims, locales, grant types, signing algorithms, etc.). One of those URLs, jwks_uri, points to the JSON Web Key Set (JWKS) document, https://YOUR_DOMAIN/jwks.json, which publishes the RSA public key of your account so that relying parties can verify RS256 signatures without being given any secret.

On an application client, you specify which algorithm is used to sign the JWTs. The default is HS256 (HMAC-SHA256); in OpenID Connect an HS256 token is signed with the client secret, so only a party holding that secret can verify it. RS256 (RSA-SHA256) signs with the account's RSA private key, and anyone with the public key from jwks.json can verify the signature; most external tools expect RS256, so choose it for such integrations. For the definitions of these algorithms, see JSON Web Algorithms (RFC 7518).

API

The endpoint URLs are listed in the OpenID Connect configuration document at https://YOUR_DOMAIN/.well-known/openid-configuration; the JSON Web Key Set document only carries the signing keys.

The scope openid must be included in the authorization request to get an ID token; without it, the request is handled as a plain OAuth2 authorization.