OpenID Connect integration

tryMellon as an OIDC provider — discovery, JWT validation, framework examples.

tryMellon implements the OIDC Discovery 1.0 + RFC 8414 metadata subset. Any OIDC-compliant client library can consume tryMellon by pointing at the issuer.

Discovery

GET https://api.trymellonauth.com/.well-known/openid-configuration

Relevant fields in the response:

{
  "issuer": "https://api.trymellonauth.com",
  "jwks_uri": "https://api.trymellonauth.com/.well-known/jwks.json",
  "token_endpoint": "https://api.trymellonauth.com/oauth/token",
  "introspection_endpoint": "https://api.trymellonauth.com/oauth/introspect",
  "id_token_signing_alg_values_supported": ["RS256"],
  "grant_types_supported": ["client_credentials"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic"]
}

Most libraries only need the issuer URL — they fetch the rest themselves.

Node.js — passport-openidconnect

import passport from 'passport';
import OpenIDConnectStrategy from 'passport-openidconnect';

passport.use(new OpenIDConnectStrategy({
  issuer: 'https://api.trymellonauth.com',
  clientID: process.env.TRYMELLON_CLIENT_ID!,
  clientSecret: process.env.TRYMELLON_CLIENT_SECRET!,
  callbackURL: 'https://app.example.com/auth/callback',
  scope: ['openid'],
}, (issuer, profile, done) => done(null, profile)));

Spring Security (Java)

# application.yml
spring:
  security:
    oauth2:
      client:
        provider:
          trymellon:
            issuer-uri: https://api.trymellonauth.com
        registration:
          trymellon:
            client-id: ${TRYMELLON_CLIENT_ID}
            client-secret: ${TRYMELLON_CLIENT_SECRET}
            scope: openid

Spring auto-fetches the discovery document at startup and validates iss / aud per request.

Laravel Socialite (PHP)

// config/services.php
'trymellon' => [
    'client_id' => env('TRYMELLON_CLIENT_ID'),
    'client_secret' => env('TRYMELLON_CLIENT_SECRET'),
    'redirect' => env('TRYMELLON_REDIRECT'),
    'base_url' => 'https://api.trymellonauth.com',
],

Use socialiteproviders/manager with a generic OIDC provider pointed at base_url.

Rails — omniauth_openid_connect

# config/initializers/omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :openid_connect, {
    name: :trymellon,
    issuer: 'https://api.trymellonauth.com',
    discovery: true,
    client_options: {
      identifier: ENV.fetch('TRYMELLON_CLIENT_ID'),
      secret: ENV.fetch('TRYMELLON_CLIENT_SECRET'),
      redirect_uri: 'https://app.example.com/auth/trymellon/callback',
    },
  }
end

Validating ID tokens

If you handle JWT validation yourself instead of going through a library, see Verify JWT offline.

Troubleshooting

| Error | Cause | Fix |
| --- | --- | --- |
| iss mismatch | Library expects exact issuer match. | Use https://api.trymellonauth.com (no trailing slash). |
| discovery failed | Network or wrong URL. | Confirm curl https://api.trymellonauth.com/.well-known/openid-configuration returns 200. |
| Library expects authorization_endpoint | tryMellon is currently client_credentials-only; no auth-code flow. | Use the SDK for user auth; OIDC is for service-to-service token validation. |