Sign in with NobleID
Let users authenticate with their NobleID account — just like “Sign in with Google”. Fully OIDC-compliant, secure, and takes minutes to integrate.
How It Works
Standard OAuth 2.0 Authorization Code flow
1. User clicks button: your site shows the NobleID sign-in button
2. Redirected to NobleID: the user authenticates and approves scopes
3. Code returned: NobleID redirects back with an auth code
4. Exchange for tokens: your server exchanges the code for ID + access tokens
Button Preview & Themes
Customize the look of your sign-in button
Variants
Full • Compact ("NobleID") • Icon only (square) • Icon only (pill)
Themes
Icon-Only Themes
Sizes
Icon-Only Sizes
Shapes
Custom Labels
Interactive Builder
Quick Start
1. Register Your Application
Go to your OAuth Apps dashboard and click “New App”. You'll receive a client_id and client_secret.
Client ID: nbl_cid_abc123...
Client Secret: nbl_cs_secret... (save securely!)
2. Add the Sign-In Button
```html
<!-- Include the SDK -->
<script src="https://www.nobleid.org/sdk/nobleid-auth.js"></script>

<!-- Container for the button -->
<div id="nobleid-signin"></div>

<script>
  NobleID.renderButton("nobleid-signin", {
    clientId: "nbl_cid_your_client_id",
    redirectUri: "https://yourapp.com/auth/callback",
    scope: "openid profile email",
    theme: "dark",
    size: "md",
    shape: "rounded",
  });
</script>
```

3. Handle the Callback
```javascript
// Express.js callback handler
app.get("/auth/callback", async (req, res) => {
  const { code, state } = req.query;

  // 1. Verify state matches what you stored in session (CSRF protection).
  //    Reject a missing state too, so an empty session cannot satisfy the check.
  if (!state || state !== req.session.oauth_state) {
    return res.status(403).send("Invalid state");
  }

  // 2. Exchange code for tokens (server-side: client_secret never reaches the browser)
  const tokenRes = await fetch("https://www.nobleid.org/api/v1/oauth/token", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      grant_type: "authorization_code",
      code,
      redirect_uri: "https://yourapp.com/auth/callback",
      client_id: process.env.NOBLEID_CLIENT_ID,
      client_secret: process.env.NOBLEID_CLIENT_SECRET,
    }),
  });
  if (!tokenRes.ok) {
    return res.status(502).send("Token exchange failed");
  }
  const { access_token, id_token } = await tokenRes.json();
  // Verify id_token (signature via JWKS, nonce) before relying on its claims;
  // see Security Best Practices below.

  // 3. Get user info
  const userRes = await fetch("https://www.nobleid.org/api/v1/oauth/userinfo", {
    headers: { Authorization: `Bearer ${access_token}` },
  });
  const user = await userRes.json();
  // user = { sub, name, username, email, picture, ... }

  // 4. Create session in your app
  req.session.user = user;
  res.redirect("/dashboard");
});
```

OIDC Endpoints
Standard OpenID Connect Discovery endpoints
| Endpoint | URL |
|---|---|
| Issuer | https://www.nobleid.org |
| Discovery | https://www.nobleid.org/.well-known/openid-configuration |
| Authorization | https://www.nobleid.org/oauth/authorize |
| Token | https://www.nobleid.org/api/v1/oauth/token |
| UserInfo | https://www.nobleid.org/api/v1/oauth/userinfo |
| JWKS | https://www.nobleid.org/.well-known/jwks.json |
Available Scopes
Request only the scopes your application needs
| Scope | Claims | Description |
|---|---|---|
| openid | sub | Required. User's unique identifier |
| profile | name, username, picture, orcid | Basic profile information |
| email | email, email_verified | Verified email address |
| nobleid:author:read | author_id, works_count | Author profile and works list |
| nobleid:author:write | (write access) | Update author profile information |
| nobleid:works:read | works | Registered works and metadata |
| nobleid:receipts:read | receipts | Cryptographic registration receipts |
UserInfo Response
Example response from the /oauth/userinfo endpoint
```json
{
  "sub": "nobleid_user_abc123",
  "name": "Dr. Jane Researcher",
  "username": "janeresearcher",
  "email": "jane@university.edu",
  "email_verified": true,
  "picture": "https://www.nobleid.org/avatars/abc123.jpg",
  "orcid": "0000-0001-2345-6789",
  "author_id": "author_abc123",
  "works_count": 42,
  "updated_at": 1704067200
}
```

Security Best Practices
Do
- ✓ Always validate the state parameter
- ✓ Store client_secret server-side only
- ✓ Use HTTPS for all redirect URIs in production
- ✓ Verify the id_token signature using JWKS
- ✓ Check nonce to prevent replay attacks
- ✓ Rotate client secrets periodically
Don't
- ✗ Never expose client_secret in frontend code
- ✗ Never skip state validation
- ✗ Never use HTTP redirect URIs in production
- ✗ Never store tokens in localStorage (use httpOnly cookies)
- ✗ Never trust client-side token validation alone
Ready to integrate?
Register your application and start accepting NobleID sign-ins today.
