Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • Please contact [email protected] first.
  • The service is only available on agreement.
  • Make sure to request only the bare minimum of information you need for required functionality. For instance if you need to know user's age, use the age scope instead of birthdate.
  • Please note that Finna consists of different instances for specific audiences. To limit the eligible user accounts, use the OIDC provider of a specific instance instead of
  • Server's keys are available at /OAuth2/jwks (e.g.
  • Authorization endpoint is /OAuth2/Authorize
  • Token endpoint is /OAuth2/Token
  • User information endpoint is /OAuth2/UserInfo

Required Information

To use OIDC with Finna, we will need the following information about the client:

IdentifierSomething that properly identifies the client instance. If the service has a single URL for all audiences, it could be just the service name. Otherwise it should include the target audience. Could also be just a random string.




Redirect URIA URL of the client where the user's browser is redirected after authorizationhttps://coolservice/oauth2/result
PKCE supportWhether the client supports PKCE. PKCE is mandatory for non-confidential clients (e.g. in-browser apps)yes/no
ConfidentialityCan the client keep its secrets (runs on a server, is confidential) or not (runs in a browser, is not confidential)yes/no
Shared SecretA password shared between Finna and the client. This needs to be communicated securely.ieUmLbwlya1kJLEZgc.ePNTEXuRlhWSgRVS03eyFQUawlzAQg22

Supported functionality

Finna supports the authorization code flow.