idplace.hr
What is idplace.hr?
idplace.hr is an OAuth 2.0 and OpenID Connect identity provider, but the useful part is where you put it: in front of the login a business already runs, not in place of it. It speaks the standards to everything downstream — discovery, JWKS, introspection, revocation, all where the RFCs say they should be — while upstream it can sit as a proxy over whatever was there before.
That's what keeps a migration from feeling like one. When someone signs in, idplace passes the attempt through to the old system; when it succeeds, idplace captures the verified credential, stores it securely in its own database, and from then on can authenticate that person itself. People keep logging in exactly as they did — no reset email, no migration weekend, no announcement — and the old system quietly empties out, one real login at a time. The day you no longer want idplace, you take it out and land back on what you had. Nothing about it is hard to remove, which is rare for the thing that guards the front door.
It pulls identity from wherever the business actually keeps it — Google, Facebook, X, and LinkedIn for the common cases, and bespoke connectors for the legacy systems that never expected to be connected to anything. And because it can verify a request at the edge, it'll protect things that have no backend to put auth into at all, like a folder of static files served straight off nginx.
The pricing has no surprises. The second factor — TOTP and HOTP — isn't metered per check, there's no per-seat bill, and you can run it as a hosted API or entirely on your own servers. What other providers keep behind an enterprise tier is the default here.
What it does
A proxy you put in front, not instead
idplace can sit as a proxy over the login a business already runs. People sign in the way they always have; idplace passes the attempt to the old system, and when it succeeds, captures the verified credential and stores it securely in its own database. From then on it can authenticate that user itself — so the old system empties out one real login at a time, with no reset email and no migration weekend. Stop needing idplace and you remove it, landing back on what you had.
OAuth 2.0 and OpenID Connect, by the book
Authorization Code with PKCE, Client Credentials for service-to-service, refresh-token rotation. Discovery, JWKS, introspection, and revocation all sit at their standard endpoints. The grants it doesn't do — password, implicit, device code — it doesn't do on purpose.
Passwordless sign-in — passkeys and magic links
Passkeys are the default. Paired with a password manager like Bitwarden, signing in is a single click — no password for anyone to remember, leak, or rotate on a schedule to keep a policy happy, because there's no shared secret to phish in the first place. Magic links cover whoever isn't on passkeys yet: a one-time link to a verified address, with no password set up at all.
Identity from wherever it already lives
Google, Facebook, X, and LinkedIn for the common cases, plus bespoke connectors for the legacy systems that never expected to be connected to anything. Each user can carry an external id from its source, so idplace presents one consistent OIDC surface downstream no matter where the identity originally came from.
JWT access tokens, keys you can rotate
Access tokens are JWTs signed by a key published at the JWKS endpoint. Rotate a key with no downtime: relying parties pull the new JWKS and keep verifying the old tokens until they expire.
TOTP and HOTP second factor
Time- and counter-based one-time passwords, with authenticator-app enrollment by QR. Not metered — there's no per-verification charge, however many times a day your people sign in. Whether it's enforced is a policy each integration sets, for now.
Edge auth for things with no backend
authcheck is a small Go service behind nginx's auth_request: it verifies a bearer token against the JWKS and answers the edge with a 200 or a 401. That lets idplace protect things with nowhere to put auth — a folder of static files, a download, a service you can't change — without touching them.
A management API for the moving parts
REST CRUD for OAuth clients, scopes, and signing keys, plus UserInfo per OIDC Core. Build the admin panel; skip building the auth underneath it.
A hosted API, or your own servers
Consume it as a hosted OIDC API, or run the whole thing on your own infrastructure — the part most hosted identity providers won't let you do at all. No per-seat pricing either way, and nothing metered per login or per verification.
How it's built
idplace is headless at its core: an OAuth 2.0 and OpenID Connect API with no opinion about what sits in front of it. The login and account screens we ship are built in Nuxt 4 and Vue 3, but that's our choice, not a requirement — the frontend is yours to whitelabel, restyle, or replace outright, in whatever framework you already use. Under it: Laravel 12 on PHP 8.5 for the provider, a small Go service for nginx auth_request offload, PostgreSQL for storage, and HashiCorp Vault for the signing-key material. It implements RFC 6749, 6750, 7636, 7662, 7009, 7517, 7519, 8252, and OpenID Connect Core 1.0 — the list is long because the point was to follow them, not improvise. Hosted in the EU on Hetzner.
Where we are
Live, and behind the login of every Converge and Workplace.hr product — the dashboards and the gate in front of staging included.
Open to third-party integration on request. If you've got a login you'd like to replace without a migration project, or a legacy system you've been afraid to touch, that's the conversation to have — standards-compliant clients, no per-seat pricing, self-hostable if you'd rather.