---
title: "Use OpenID Connect as an authorization provider"
section: "build-a-backend/data/customize-authz"
platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
gen: 2
last-updated: "2024-06-19T16:13:00.000Z"
url: "https://docs.amplify.aws/react/build-a-backend/data/customize-authz/using-oidc-authorization-provider/"
---

Private, owner, and group authorization can be configured with an OpenID Connect (OIDC) authorization mode. Add `"oidc"` to the authorization rule as the provider. Use the `oidcAuthorizationMode` property to configure the *OpenID Connect provider name*, *OpenID Connect provider domain*, *Client ID*, *Issued at TTL*, and *Auth Time TTL*.

The example below highlights the supported authorization strategies with a `oidc` authorization provider. For owner and group-based authorization, you also will need to [specify a custom identity and group claim](/[platform]/build-a-backend/data/customize-authz/configure-custom-identity-and-group-claim).

```ts title="amplify/data/resource.ts"
// amplify/data/resource.ts
import { a, defineData, type ClientSchema } from '@aws-amplify/backend';

const schema = a.schema({
  Todo: a
    .model({
      content: a.string(),
    })
    .authorization(allow => [
      allow.owner('oidc').identityClaim('user_id'),
      allow.authenticated('oidc'),
      allow
        .groups(['testGroupName'], 'oidc')
        .withClaimIn('user_groups'),
    ]),
});

export type Schema = ClientSchema<typeof schema>;

export const data = defineData({
  schema,
  authorizationModes: {
    defaultAuthorizationMode: 'oidc',
    oidcAuthorizationMode: {
      oidcProviderName: 'oidc-provider-name',
      oidcIssuerUrl: 'https://example.com',
      clientId: 'client-id',
      tokenExpiryFromAuthInSeconds: 300,
      tokenExpireFromIssueInSeconds: 600,
    },
  },
});
```

<!-- Platform: javascript, angular, react-native, react, nextjs, vue, android, swift -->
In your application, you can perform CRUD operations against the model using `client.models.<model-name>` by specifying the `oidc` auth mode.

```ts
import { generateClient } from 'aws-amplify/data';
import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition

const client = generateClient<Schema>();

const { errors, data: todos } = await client.models.Todo.list({
  // highlight-start
  authMode: "oidc",
  // highlight-end
});
```
<!-- /Platform -->

<!-- Platform: flutter -->
In your application, you can perform CRUD operations against the model with the `oidc` auth mode.

```dart
try {
  final todo = Todo(content: 'My new todo');
  final request = ModelMutations.create(
    todo,  
    authorizationMode: APIAuthorizationType.oidc,
  );
  final createdTodo = await Amplify.API.mutations(request: request).response;

  if (createdTodo == null) {
    safePrint('errors: ${response.errors}');
    return;
  }
  safePrint('Mutation result: ${createdTodo.name}');

} on APIException catch (e) {
  safePrint('Failed to create todo', e);
}
```
<!-- /Platform -->
