Use Clerk as an OAuth 2 Provider
Clerk can be configured as an identity provider to facilitate Single Sign-On (SSO) with other clients that support the OAuth 2.0 protocol. With this feature, your users can sign in with your Clerk application on other websites to authorize sharing of their user info.
Retrieve callback URL from the client application
Retrieve the Callback URL for the client application you want to configure. This is where your users will be redirected after a successful authentication, and it is required to create your OAuth application in the next step.
Create an OAuth application in Clerk
Next, you need to create an OAuth Application in Clerk via the Backend API by providing the Callback URL and a Name. Note that in this context the name is used to help you identify your application and is not displayed anywhere publicly.
To create an OAuth application that uses the authorization code flow with Proof Key for Code Exchange (PKCE), set `public` to `true` in the POST request body.
Clerk creates the OAuth application and returns its configuration to you.
Configure OAuth application in client
Now that you have set up an OAuth application in Clerk, you need to configure the following settings in your client:
- Client ID: Public identifier of your OAuth application
- Client Secret: Confidential secret used to authenticate your OAuth application. Keep it server-side; never embed it in browser or mobile code.
- Authorization URL: Used by the client to request authorization from your user
- Token URL: Used by the client to retrieve access tokens
- Scopes: OAuth scopes used to grant access to the client. Clerk supports `profile`, `email`, `public_metadata`, and `private_metadata`. The metadata scopes ensure that the user info endpoint returns the user's public, private and unsafe metadata.
- User Info URL: Used by the client to retrieve the email address and profile (username, first and last name) associated with your user
Below is an example of a response from `/oauth/userinfo`.
Frequently asked questions (FAQ)
How can the access tokens obtained from the Token URL be used?
Access tokens retrieved from the Token URL are sent in the Authorization header when the OAuth 2.0 client retrieves user information from the `/oauth/userinfo` endpoint. They are not the same as Clerk's JWT session tokens and cannot be used in their place.
When do the tokens expire?
Access tokens expire after 2 hours, and refresh tokens expire after 3 days.
Is OpenID Connect supported?
At this time, OIDC is not supported.