
OIDC Authentication

Use OIDC auth when your identity provider (IdP) issues access tokens and Zerq should validate them against the issuer, audience, and JWKS settings configured on the profile.

What this method does

Each request carries the caller's IdP-issued access token as a bearer token, together with the X-Client-ID and X-Profile-ID headers that identify the calling client and the profile the request is evaluated against:

  • Authorization: Bearer <oidc_access_token>
  • X-Client-ID
  • X-Profile-ID

When to use

  • Enterprise SSO / IdP-managed identity architecture
  • Centralized token governance and rotation
  • Teams needing issuer/audience-based trust controls

How to configure

  1. Set the profile auth type to oidc.
  2. Configure the issuer, audience, and JWKS validation settings to match the tokens your IdP issues.
  3. Confirm the role/scope claims that caller tokens are expected to carry.
  4. Bind the profile to collections and policies, then publish.

Example

curl -i https://gateway.example.com/orders/123 \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Client-ID: acme-mobile" \
  -H "X-Profile-ID: partner-prod" \
  -H "Accept: application/json"

Verify

  1. Token from configured issuer/audience -> 200.
  2. Wrong issuer/audience -> 401.
  3. Valid token with wrong profile binding -> 403.
  4. Burst traffic above policy -> 429.
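The following Go program is an added example, not Zerq's code or configuration schema. It shows the token checks the configuration steps above describe and runs the 200/401 cases from the Verify list against constructed tokens, offline: a stand-in IdP mints ES256 access tokens under a freshly generated P-256 key and publishes that key as an inline JWKS, and a Validate function does what a gateway profile does with the bearer token (signature check against the JWKS key named by kid, then iss, aud and exp with clock skew). The Profile struct, the issuer https://idp.example.com, the kid values and the claim sets are assumptions made for the example; the 403 and 429 cases are policy decisions taken after the token is accepted and are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type Profile struct{ Issuer, Audience string; Skew time.Duration } // a gateway auth profile's settings (illustrative names, not Zerq's schema)
type jwk struct{ Kty, Kid, Crv, X, Y string }                   // one P-256 key as an IdP publishes it in its JWKS (constructed inline, never fetched)
var b64 = base64.RawURLEncoding                                   // JWS uses unpadded base64url
func pad32(b []byte) []byte { out := make([]byte, 32); copy(out[32-len(b):], b); return out }
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
func bigFromB64(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }

// mintES256 plays the IdP: sign header.payload with the private key (JWS ES256 carries raw r||s, not ASN.1).
func mintES256(priv *ecdsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest(input))
	if err != nil { panic(err) }
	return input + "." + b64.EncodeToString(append(pad32(r.Bytes()), pad32(s.Bytes())...))
}

// Validate does what the page says the gateway does with a bearer token: verify the signature with the
// JWKS key named by kid, then check iss, aud and exp (allowing skew). nil = accept (200); an error = the 401 reason.
func Validate(token string, keys []jwk, p Profile, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return errors.New("malformed token") }
	hdrRaw, e1 := b64.DecodeString(parts[0])
	plRaw, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 { return errors.New("malformed token") }
	var hdr struct{ Alg, Kid string } // alg is pinned: honouring the token's own alg (e.g. "none") is a classic bug
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" { return errors.New("unsupported alg") }
	var pub *ecdsa.PublicKey
	for _, k := range keys {
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: bigFromB64(k.X), Y: bigFromB64(k.Y)}
		}
	}
	if pub == nil { return errors.New("unknown kid") } // typical after IdP key rotation without a JWKS refresh
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest(parts[0]+"."+parts[1]), r, s) { return errors.New("bad signature") }
	var c struct{ Iss string; Aud json.RawMessage; Exp int64 } // encoding/json binds iss/aud/exp case-insensitively
	if json.Unmarshal(plRaw, &c) != nil { return errors.New("bad claims") }
	if c.Iss != p.Issuer { return errors.New("issuer mismatch") }
	if !audMatches(c.Aud, p.Audience) { return errors.New("audience mismatch") }
	if now.After(time.Unix(c.Exp, 0).Add(p.Skew)) { return errors.New("token expired") }
	return nil
}

// audMatches accepts both forms of the aud claim: a single string or an array of strings.
func audMatches(raw json.RawMessage, want string) bool {
	var one string; var many []string
	if json.Unmarshal(raw, &one) == nil { many = []string{one} } else if json.Unmarshal(raw, &many) != nil { return false }
	for _, a := range many { if a == want { return true } }
	return false
}

// RunMatrix mints one token per case in the page's Verify list, plus a forged token and a rotated kid,
// and returns each outcome: "" is accept/200, anything else is the 401 reason.
func RunMatrix() map[string]string {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a key the IdP never published
	keys := []jwk{{"EC", "k1", "P-256", b64.EncodeToString(pad32(priv.X.Bytes())), b64.EncodeToString(pad32(priv.Y.Bytes()))}}
	p := Profile{Issuer: "https://idp.example.com", Audience: "partner-prod", Skew: 30 * time.Second}
	now := time.Unix(1_700_000_000, 0)
	claims := func(kv ...any) map[string]any { // constructed sample claims, with key/value overrides
		c := map[string]any{"iss": p.Issuer, "aud": []string{p.Audience, "other-api"}, "exp": now.Add(5 * time.Minute).Unix()}
		for i := 0; i < len(kv); i += 2 { c[kv[i].(string)] = kv[i+1] }
		return c
	}
	tokens := map[string]string{
		"good":           mintES256(priv, "k1", claims()),
		"wrong_issuer":   mintES256(priv, "k1", claims("iss", "https://other-idp.example.com")),
		"wrong_audience": mintES256(priv, "k1", claims("aud", "someone-else")),
		"expired":        mintES256(priv, "k1", claims("exp", now.Add(-time.Minute).Unix())),
		"rotated_kid":    mintES256(priv, "k2", claims()),
		"forged":         mintES256(attacker, "k1", claims()),
	}
	out := map[string]string{}
	for name, tok := range tokens {
		if err := Validate(tok, keys, p, now); err != nil { out[name] = err.Error() } else { out[name] = "" }
	}
	return out
}

func main() { for name, result := range RunMatrix() { fmt.Printf("%-15s %q\n", name, result) } }
```

Run it with go run; each scenario prints its outcome. The alg pin and the kid lookup are the two places token validation most often goes wrong in practice: honouring the alg the token names lets a caller present alg=none or swap an asymmetric key for an HMAC secret, and a kid that is missing from a cached key set after the IdP rotates keys appears as a run of 401s until the JWKS is refreshed. Note also that the audience check has to accept both the string and the array form of aud, because IdPs issue both.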

Troubleshoot

  • 401 on every request: the profile's issuer, audience, or JWKS settings do not match the tokens the IdP issues.
  • Intermittent 401: expired tokens, or clock skew between the IdP and the gateway.
  • 403: the token is valid, but the profile's scope or policy constraints block the request.