What is OpenID Connect
Concepts
OpenID Tokens (Structure)
OIDC Claims OpenID Connect AuthN flows
3- legged authorization grant flow
Implicit Grant Flow
OpenID UserInfo endpoint
OIDC discovery endpoint
REST and JSON Tokens (JSON Web Tokens(JWT) ) Security
OpenID Connect
This article covers the core concepts of OIDC. You dont need to know what these technologies are to understand this article. Follow the sub headings in the article to connect the pieces to see how OIDC artifacts can be used in your business to offer a service to a client. This article starts with concepts, then covers the OIDC artifacts, the structure of JWT tokens used to communicate userinfo to the client ,the user attributes passed as claims and the security around the tokens.
Two flows one is the 3-legged standard authorization flow, and the 2-legged implicit flow.
To better understand how these protocols are implemented on different products, included in this article is the comparison table that gives the reader a birds-eye view of implementation specifics in OpenAM & Oracle Access Manager.
The implementation steps of OIDC using OpenAM sums up the concepts with a walkthrough. The next article will demo those OIDC steps in OpenAM
What is OpenID Connect
Concepts
OIDC is a framework built on top of OAuth 2.0 or is an extension of OAuth. The ID token is used in OIDC to verify the user identity The user information can be accessed from a user token endpoint provided by OIDC implementations. .
OpenID Tokens (Structure)
OIDC token is an extension of tokens generated by OAuth 2.0 scenarios The access tokens and refresh tokens are created in OAuth2.0 interactions.
The ID token created in the OIDC flow, verifies the user information and contains the following claims which can be accessed using an endpoint: subject, issuer, audience, and timestamps.
The names used to access the token attributes are Iss, sub, aud, exp, iat, auth_time, Nonce, acr, amr sid. The iss, sub, aud, exp,iat auth_time and nonce are mandatory fields of the ID token. The other fields are optional. We will see an example of how these values can be retrieved.
The nonce value if present in the initial authentication request should also be in the ID token generated by the authorization servers and the nonce value should not be modified. The client has to verify the nonce value and confirm it has not changed between request and response interactions with an ID token.
OIDC Claims
There are different claims used by OIDC flow, and they are retrieved using the userinfo endpoint. The various claims for the OIDC flow are email, email-verified, name, given_name, family_name, perferred_username, phone, phone_number_verified, gender & locale.
These claims verify the identiy of a logged in user.
OpenID Connect AuthN flows
OIDC flows: Authorization Grant Flow
3 legged authorization grant flow:
- Clients should register with the authorization server first before making the authorization code flow.
- In the OIDC authz flow, the Client scope is OpenID, and the response type for this flow is set to grant code.
- If the scope doesn’t have ‘OPENID’, then it is considered OAuth2.0 flow.
- The ID_token and Access_token are obtained in exchange for auth code, returned from the server. In the non OIDC flow only Access_token is returned.
- In this 3 legged flow, the auth server validates the credentials & gets the consent, before giving the authZ code, so that the clients can use to get the access token & Id _token.
In the 3-legged flow, the sequence of execution is below.
- The user/browser requests access to the resource.
- The client (RP) makes a OAuth call with the scope as openid, to the authz server.
- The authz server validates client id & secret and present the credential screen to the RO/user to submit creds.
- AuthZ validates and then send the consent screen. The user provides consent to the authZ server, then redirects to the client with the code.
- The RP make a request with the code and other parameter and requests for access token and ID token (openid flow).
- The authz server validates the code.
- RP sends a request for the access token, id token and refresh token.
- Relying party validates the token with authZ sever and request user claims form the userinfo endpoint.