Skip to main content

How GOV.UK One Login works

GOV.UK One Login is an OpenID Connect (OIDC)-compliant service that helps you authenticate your users who are using services they’ve logged into with their GOV.UK One Login.

GOV.UK One Login follows the Service Manual for designing for different browsers and devices.

GOV.UK One Login uses 2 different environments:

  • an integration environment, which contains sample user data (for example, date of birth, address) which you can use to test your service’s integration with GOV.UK One Login
  • a production environment, which is the live environment for real users to access and use your service’s integration with GOV.UK One Login

Understand the flow GOV.UK One Login uses

  1. Your service asks the user to sign in or create an account.
  2. If your service needs confidence your user is who they say they are, GOV.UK One Login will request proof of identity.
  3. GOV.UK One Login collects evidence of the user’s identity.
  4. GOV.UK One Login provides information about your user.

You can read guidance about cookies on GOV.UK One Login if you want to learn more about cookies.

To understand the technical flow, for example the endpoints, requests and tokens, there’s a more detailed technical diagram you can use.

Understand the technical flow GOV.UK One Login uses

  1. Your service makes an authorisation request to the /authorize endpoint.
  2. The user logs in (or creates an account if they do not have one) and proves their identity if your service needs them to. GOV.UK One Login lets your user know how their data will be shared with your service.
  3. GOV.UK One Login returns an authorisation code to your service.
  4. Your service makes a token request to the /token endpoint and includes the authorisation code in the request.
  5. Your service receives an ID token and access token in the response.
  6. Your service makes a request to the /userinfo endpoint to retrieve user information. You can read more about choosing which user attributes your service can request.
  7. Your service receives a response containing user attributes.
  8. Your service makes a log out request to the /logout endpoint.
  9. Your service receives an HTTP 302 response redirecting the user to the post_logout_redirect_uri.

Find out what to consider before you integrate your service with GOV.UK One Login.

This page was last reviewed on 10 April 2024.