Last updated 7 July 2016. Created on 26 May 2014.
Edited by nileshlohar, Madrugada, bojanz. Log in to edit this page.

This is a documentation page for the OpenID Connect module.

The OpenID Connect module provides a pluggable client implementation for the OpenID Connect protocol.

What is OpenID Connect?

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0
protocol. It allows Clients to verify the identity of the End-User based on
the authentication performed by an Authorization Server, as well as to obtain
basic profile information about the End-User in an interoperable and REST-like

What does the module do?

The module allows you to use an external OpenID Connect login provider to
authenticate and log in users on your site. If a user signs in with a login
provider for the first time on the website, a new Drupal user will be created.

Google for instance uses this protocol for all its services. Check out the
OpenID Foundation's announcement of launching OpenID Connect

Supported login providers

Each login provider needs a client, represented by a ctools plugin, located in plugins/openid_connect_client/.
The module ships with two clients: Google and Generic.

The generic client allows to you specify the endpoints and is used primarily to login to Drupal sites powered by oauth2_server or PHP sites powered by oauth2-server-php.

Login with Google

In order to use Google as a login provider, you must register your client site at the Google Developers Console:

  • Google has to be able to ping your client site's host when you are defining
    the URLs. If you don't have your site deployed yet, you can use any existing
    hostname (e.g. and point it to your local installation in your
    local webserver's hosts file.
  • Use as the authorized redirect URL (where is your site's base path).
  • Select 'APIs' from the side menu, and enable the following two APIs: Google+ API and Identity Toolkit API.
  • Select 'Credentials' from the side menu, and from the 'OAuth' section choose 'Create a new client ID'
  • Use the client ID and client secret when configuring your client (covered later in this document).

Client configuration

Configuration options are available at admin/config/services/openid-connect.
You can enable clients for login providers and configure their client ID and
client secret which are necessary credentials for authenticating with an OAuth2

Fetching user profile information

Basic user profile information stored by the login provider can be fetched upon
login. There are plans to extend this, so that fetching this information will be
triggered by other actions too.
The OpenID Connect specification defines a set of standard Claims
( Requested
user profile information can be saved on the client site, mapping can be
configured with the configuration UI at `admin/config/services/openid-connect`.
Fields which have an instance attached to the user entity are exposed as well as
some of the user properties. You can choose a standard Claim for each field or
property, but there is no guarantee that the server supports the scope that is
needed for a particular Claim, or that the server has the claimed information.
Please note that in case the server doesn't support a requested scope (based on
a selected Claim), it will response with an error. Be sure to check which scopes
are supported by the login provider.
You can also decide whether the user's profile picture should be fetched from
the login provider. This option is available only if user pictures are enabled
on your site.

Hint: if you get an "EntityMetadataWrapperException: Invalid data value given.",
you most likely need to look into what data is retrieved, what format your fields
or properties expect, and override the retrieveUserInfo() method in your plugin
See OpenIDConnectClientGoogle.class.php for an example.

Sign in block

A standard Drupal block is available to sign in with the login providers for
which clients are enabled. A single button is shown for each login provider. You
can alter the form `openid_connect_login_form` with a regular form alter.


If a user account is created by this module while authenticating with a login
provider, the password field for that user is hidden. The password in fact is
set to an empty string (which will never be accepted, since it's hashed first
before checked against the database).

Looking for support? Visit the forums, or join #drupal-support in IRC.