--- title: Sign in with a third-party identity provider description: Add Sign in with Shop to a third-party identity provider using OpenID Connect. source_url: html: https://shopify.dev/docs/api/shop/guides/use-cases/external-login-page md: https://shopify.dev/docs/api/shop/guides/use-cases/external-login-page.md --- # Sign in with a third-party identity provider Sign in with Shop provides a secure way for users with existing Shop accounts to authenticate on your platform. Use OpenID Connect (OIDC) to connect Shop to a third-party identity platform, such as Auth0, Ping Identity, AWS Cognito, or another OIDC-compatible provider. This guide is for external login pages hosted by a third-party identity provider. If you host your own login page, then follow [Sign in with Shop](https://shopify.dev/docs/api/shop/guides/use-cases/sign-in) instead. **Developer preview:** The Shop platform is in early access. Features and APIs might change before general availability. *** ## What you'll learn In this guide, you'll learn how to: * Create a Shop app in the Dev Dashboard and get credentials. * Configure OIDC endpoints and scopes in a third-party identity platform. * Apply provider-specific settings for Auth0, Ping Identity, AWS Cognito, and other OIDC-compatible providers. * Verify that your identity provider can complete the Sign in with Shop flow. *** ## Requirements * A [Shop app](https://shopify.dev/docs/api/shop/guides/creating-a-client) with a client ID and client secret. * A third-party identity platform, such as Auth0, Ping Identity, AWS Cognito, or another OIDC-compatible provider. * Admin access to configure your third-party identity platform. * The callback URL from your identity provider. * Familiarity with [OpenID Connect](https://openid.net/connect/) and the authentication flow you're implementing. *** ## Step 1: Create and configure your app Create a Shop app in the Dev Dashboard to get the credentials that your identity provider uses. The app's redirect URLs must include the callback URL from your identity provider. 1. Follow [Create an app](https://shopify.dev/docs/api/shop/guides/creating-a-client) to create a Shop app and release a version. 2. In the app's redirect URLs, add the callback URL from your identity provider, such as Auth0, Ping Identity, or AWS Cognito. Refer to your provider's documentation for the callback URL format. 3. Copy your client ID and client secret from the app's **Settings** page. Use the client ID as the OIDC client ID in your identity provider. Keep the client secret server-side. Don't expose the client secret in browser code, analytics, or logs. *** ## Step 2: Configure your identity provider Add Shop as an OIDC provider in your identity platform. ### Auth0 Go to the [Sign in with Shop listing on the Auth0 Marketplace](https://marketplace.auth0.com/integrations/shop), click **Add Integration**, and follow the installation guide. The Auth0 integration adds the Sign in with Shop option to Auth0 Universal Login, so you don't need to build your own button for that flow. ### Other platforms For Ping Identity, AWS Cognito, or another OIDC-compatible provider, follow your provider's instructions to add a social login or custom OIDC connection. 1. Enter the client ID and client secret from your Shop app. 2. Configure the following OIDC endpoints: | Endpoint | URL | | - | - | | Issuer | `https://accounts.shop.app` | | Discovery | `https://accounts.shop.app/.well-known/openid-configuration` | | Authorization | `https://accounts.shop.app/oauth/authorize` | | Token | `https://accounts.shop.app/oauth/token` | | UserInfo | `https://accounts.shop.app/oauth/userinfo` | | JWKS | `https://accounts.shop.app/auth/jwks` | If your provider supports OIDC discovery, then you can use the discovery URL instead of entering each endpoint manually. 3. Set the required scopes to `openid email`. Add `profile` only if your flow needs the user's name and picture. 4. Enable Proof Key for Code Exchange (PKCE) with the `S256` code challenge method. 5. Add Sign in with Shop to your identity platform's login page or template. *** ## Step 3: Apply provider-specific settings Some identity providers need extra configuration to return the claims that your app expects. ### Ping Identity When you create the custom OIDC connection in Ping Identity, map the email attribute: * `Email Address` to `providerAttributes.email`. Add the following application attribute mappings: * `sub` to `User ID`. * `email` to `Email Address`. * `email_verified` to a source attribute or expression that reflects whether the user verified the email address, such as `$(user.emailVerified == true)`. Don't hardcode `email_verified` to `true` unless your identity provider guarantees verified email ownership outside the Sign in with Shop flow. ### AWS Cognito When you add the OIDC identity provider, select **Email** as the required sign-in identifier and attribute. ### Other providers Follow your provider's documentation for creating a custom OIDC integration. Confirm that you've configured the endpoints, scopes, callback URL, and required claims before you release the connection. *** ## Step 4: Verify the authentication flow After you configure your identity provider, test the flow from the hosted login page. 1. Start sign-in from your identity provider's login page. 2. Confirm that the flow redirects to Shop and then back to your provider's callback URL. 3. Confirm that the ID token or user info response includes the claims that your app needs, such as `sub`, `email`, and `email_verified`. 4. Confirm that your app creates or updates the user's session after the provider completes the OIDC flow. *** ## Next steps * If you host your own login page, then add [Sign in with Shop](https://shopify.dev/docs/api/shop/guides/use-cases/sign-in) using the Shop SDK `login` feature. * Review the full [`login` feature reference](https://shopify.dev/docs/api/shop-sdk/reference/login) for SDK options that apply to self-hosted login pages. * Use the [lead capture](https://shopify.dev/docs/api/shop/guides/use-cases/lead-capture) feature to collect email addresses from users who aren't yet signed in. ***