Finna has support for OpenID Connect that allows third parties to request user authorization while giving the user control over the process. The user can see what information is being requested and grant or deny the request case by case.

See OpenID Connect Primer for an introduction into OIDC and how the process works.

For an example of a service using OpenID Connect with Finna, see the Prenax e-journal service of PIKI Libraries.

Instructions and Guidelines

  • Please contact [email protected] first.
  • The service is only available on agreement.
  • Make sure to request only the bare minimum of information you need for required functionality. For instance if you need to know user's age, use the age scope instead of birthdate.
  • Please note that Finna consists of different instances for specific audiences. To limit the eligible user accounts, use the OIDC provider of a specific instance instead of
  • Server's keys are available at /OAuth2/jwks (e.g.
  • Authorization endpoint is /OAuth2/Authorize
  • Token endpoint is /OAuth2/Token
  • User information endpoint is /OAuth2/UserInfo

Required Information

To use OIDC with Finna, we will need the following information about the client:

IdentifierSomething that properly identifies the client instance. If the service has a single URL for all audiences, it could be just the service name. Otherwise it should include the target audience. Could also be just a random string.




Redirect URIA URL of the client where the user's browser is redirected after authorizationhttps://coolservice/oauth2/result
PKCE supportWhether the client supports PKCE. PKCE is mandatory for non-confidential clients (e.g. in-browser apps)yes/no
ConfidentialityCan the client keep its secrets (runs on a server, is confidential) or not (runs in a browser, is not confidential)yes/no
Shared SecretA password shared between Finna and the client. This needs to be communicated securely.ieUmLbwlya1kJLEZgc.ePNTEXuRlhWSgRVS03eyFQUawlzAQg22

Supported functionality

Finna supports the authorization code flow.

The following scopes are available in addition to the standard scopes openid, profile, email, address and phone defined by the OIDC specification:

idUser's unique identifier in Finna
nameUser's name (full name, first name, last name)
ageUser's age calculated from birthdate (see below)
birthdateUser's birthdate returned by a library for a library card
localeUser's current language
block_statusWhether the user has blocks (e.g. a borrowing block) placed for their library card. Possible values are true (blocks set), false (no blocks) or null (status unknown)
library_user_idA unique one-way hash of user's identifier in the library system
library_cardUser's library card number
auth_methodUser's primary authentication method

Further Information

  • Details on the implementation can be found in the VuFind wiki.
  • No labels