UmmahPassportSign in
← UmmahPassport

For developers and orgs

Sign in with UmmahPassport.

Drop-in OIDC-compatible SSO for any app. Same user experience as “Sign in with Google” — without the ad surveillance machinery sitting behind it. Privacy-first by charter, not by marketing copy.

  • Protocol
    OAuth 2.0 + OpenID Connect
  • Discovery
    .well-known/openid-configuration
  • PKCE
    Supported (S256)
  • Compatible with
    Auth.js · oidc-client-ts · passport · MSAL
  • Cost
    Free during pilot
  • Setup time
    ~10 minutes

Why switch from Google / Apple / Microsoft / Meta

Four reasons it’s worth ten minutes of config.

  • 01

    Same user experience, structurally better privacy

    Your users click a button, sign in, and come back authenticated. Exactly like Google/Facebook from a UX perspective. The difference lives in what happens to their data behind the scenes — see the privacy comparison below.

  • 02

    Drop-in OIDC compliance

    If your framework already supports 'Sign in with Google,' it supports us. Auth.js / NextAuth, passport-openidconnect, oidc-client-ts, MSAL, Spring Security OAuth — all read the same .well-known discovery document. Set one config field, ship.

  • 03

    A trust story your users actually want to hear

    Telling your users 'we use Google for login' increasingly registers as a downgrade signal in privacy-conscious communities. Telling them 'we use UmmahPassport — funded by Muslims, charter-locked against ad surveillance' is a positive trust signal you can advertise on your landing page.

  • 04

    Network effect across the projects

    Every UmmahPassport user has a passport that already works on Ihsan Standard, NoorMap, and the rest of the projects in the network. Your app becomes one more dot they can connect to with the account they already have.

How it works

OIDC, the standard one.

Four steps. The same four steps every OIDC provider implements, because there’s only one specification. If you’ve integrated Google Sign-In before, you’ve done this.

  1. 1

    Register your app

    Open the developer portal, register your app, get a client_id and client_secret. Add your callback URLs (must be HTTPS in production).

  2. 2

    Add a 'Sign in with UmmahPassport' button

    Standard OIDC: GET https://ummahpassport.com/sso/authorize?client_id=YOUR_ID&redirect_uri=…&state=…&scope=openid email profile. The user signs in on our domain, we redirect back to your callback with an auth code.

  3. 3

    Exchange the code for tokens

    Your server POSTs to /api/sso/token with the code, client_id, client_secret. Get back access_token + id_token. The id_token is a signed JWT carrying { sub, email, email_verified, exp, iat }.

  4. 4

    Use the access token (optional)

    GET /api/sso/userinfo with Bearer token returns the profile. Or you can just trust the id_token claims directly — the cryptographic signature is the verification.

auth.config.tsAuth.js / NextAuth
// Sign in with UmmahPassport using Auth.js (NextAuth)
import NextAuth from "next-auth";

export const { handlers } = NextAuth({
  providers: [
    {
      id: "ummahpassport",
      name: "UmmahPassport",
      type: "oidc",
      issuer: "https://ummahpassport.com",
      clientId: process.env.UMMAHPASSPORT_CLIENT_ID,
      clientSecret: process.env.UMMAHPASSPORT_CLIENT_SECRET,
      // We accept client_secret_post (not Basic). PKCE is also
      // enabled by default in Auth.js v5, and we support S256.
      client: { token_endpoint_auth_method: "client_secret_post" },
    },
  ],
});

Same shape works with passport-openidconnect (Node), Authlib (Python), Pac4j (Java), MSAL (.NET), Spring Security OAuth, oidc-client-ts, msal-browser, etc. The discovery document at /.well-known/openid-configuration is the same one OIDC libraries already know how to read.

Standards & compliance

Everything OIDC says, and a charter that says more.

  • OIDC Core 1.0

    Authorization Code flow with PKCE. Standards-compliant.

  • OAuth 2.0 (RFC 6749)

    Token endpoint, refresh tokens, scopes.

  • JWT id_tokens (RS256)

    Signed JWTs with public-key verification via JWKS endpoint.

  • PKCE (RFC 7636)

    S256 challenge method for public clients (mobile, SPAs).

  • GDPR by design

    Data minimization, right to delete, EU data residency option.

  • SOC 2 Type II

    Roadmap, mid-2026 target. Independent control auditor named when engaged.

Add UmmahPassport to your app

Ten minutes of config. A trust story your users care about.