OpenID Connect

  • OpenID Connect (OIDC) is an open standard published by the OpenID Foundation that defines an interoperable way to use OAuth 2.0 to perform user authentication.

    • In effect it builds an authentication protocol on top of an existing authorization protocol: plain OAuth 2.0 only tells a client that it was granted some access, not who the user is.

  • OIDC is designed to be interoperable, meaning that an OpenID Client Application can speak one protocol to many Identity Providers instead of implementing a slightly different protocol for each Identity Provider.

  • Along with the traditional OAuth access token, OIDC also returns an ID Token, which is a signed JWT.

    • Unlike the access token, which the client treats as opaque and simply presents to the resource server, the ID token is addressed to the Relying Party (RP) and is intended to be parsed and validated by it.

    • The ID token contains a set of claims about the authentication session, such as:

      • (sub) - Identifier for the User

      • (iss) - Identifier for the Identity Provider that issued the token

      • (aud) - Identifier of the Client (its client_id) for which the token was issued

    • Before trusting an ID token the RP must verify its signature with the provider's key, check that iss is the expected issuer, that aud contains its own client_id, that exp has not passed, and, if it sent a nonce in the authentication request, that the nonce claim matches it.
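The checks listed above, as an added example written for this page (not code from the OpenID Foundation or any particular library). It uses an HS256-signed token so that it runs with the Python standard library alone: for HS256 the spec makes the client_secret the HMAC key, whereas most providers use RS256 and the key from the jwks_uri, so swap in a JWS library and the provider's public key for that case. The issuer, client_id, client_secret, claim values and the `mint_id_token` helper that stands in for the provider are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. A real RP uses its registered
# client_id, the issuer taken from the provider's discovery document, and,
# for HS256 tokens, its client_secret as the HMAC key.
ISSUER = "https://idp.example.com"
CLIENT_ID = "rp-client-123"
CLIENT_SECRET = b"constructed-client-secret-for-the-example-only"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_id_token(claims: dict, alg: str = "HS256") -> str:
    """Stand-in for the provider: build an HS256-signed ID token so the
    validator below has realistic input. Not part of a real RP."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode())
                     + "." + _b64url_encode(json.dumps(claims).encode()))
    if alg == "none":  # unsigned token, used only to show it gets rejected
        return signing_input + "."
    sig = hmac.new(CLIENT_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: int = None) -> dict:
    """Checks an RP must make before trusting an ID token.
    Raises ValueError on any failure and returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have three segments")
    h_seg, p_seg, s_seg = parts
    header = json.loads(_b64url_decode(h_seg))
    # Pin the algorithm to what was registered; never let the token choose.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(CLIENT_SECRET, (h_seg + "." + p_seg).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_seg)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(p_seg))
    if claims.get("iss") != ISSUER:
        raise ValueError("iss is not the expected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("aud does not contain this client_id")
    # With several audiences the token must name this client as the
    # authorized party, otherwise it was minted for someone else.
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token is expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay")
    if not claims.get("sub"):
        raise ValueError("sub is missing")
    return claims


def is_valid_id_token(token: str, expected_nonce: str, now: int = None) -> bool:
    """Boolean convenience wrapper around validate_id_token."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return True
    except ValueError:
        return False
```

The order matters: the signature is checked before any claim is read, so a forged payload never influences which issuer or key the RP looks up, and the algorithm is pinned by the RP rather than taken from the token header.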

  • OIDC defines a discovery protocol that allows clients to fetch information on how to interact with a specific identity provider.

    • Without dynamic discovery OIDC would not scale, because each Client would have to be configured ahead of time with the details of every provider.

  • Dynamic Discovery works in the following way:

    • 1) The Client first needs to learn the Issuer URL of the IdP (from configuration, or from the WebFinger-based issuer discovery step that OpenID Connect Discovery defines).

    • 2) The Client still needs the rest of the Authorization Server's metadata, such as the locations of the Authorization and Token Endpoints and the JWKS URI holding the keys that sign ID tokens.

      • These are discovered by fetching the Issuer URI with /.well-known/openid-configuration appended (any trailing slash on the issuer is removed first).

        • The response is a JSON document containing the provider metadata the client needs in order to start the authentication transaction. The client must fetch it over HTTPS and check that the issuer value in the document is identical to the Issuer URL it used; a document whose issuer differs must be rejected, since accepting it would let whoever served it redirect the entire flow.
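The discovery step above, as an added example written for this page rather than code from any provider or library. It builds the well-known URL from an issuer (including the multi-tenant case where the issuer carries a path), then validates a fetched document: required fields present, issuer identical to the one used, endpoints served over HTTPS. The discovery documents, hostnames and paths are constructed for the example; the HTTP fetch itself is left out so it runs offline.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document for this example, trimmed to the fields a
# client needs to start the flow; hostnames and paths are illustrative.
CONSTRUCTED_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
})

# A second constructed document with two defects: the token endpoint is
# plain http and jwks_uri is missing, so ID token signatures could not be checked.
CONSTRUCTED_BAD_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "http://idp.example.com/token",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Metadata that OpenID Connect Discovery 1.0 marks as required
# (token_endpoint is required for anything other than the pure implicit flow).
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
URL_FIELDS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Issuer URL -> well-known URL. The issuer may carry a path component
    (multi-tenant providers do this); a trailing slash is dropped first."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an https URL")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not contain a query or fragment")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def discovery_problems(issuer: str, body: str) -> list:
    """Return the reasons a fetched discovery document must be rejected
    (an empty list means it is safe to use)."""
    problems = []
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append("missing required field %s" % field)
    # The issuer in the document must be identical to the one the URL was
    # built from; anything else means the document is not this provider's.
    if doc.get("issuer") != issuer:
        problems.append("issuer %r does not match %r" % (doc.get("issuer"), issuer))
    for field in URL_FIELDS:
        if field in doc and urlsplit(doc[field]).scheme != "https":
            problems.append("%s is not https" % field)
    return problems


def load_discovery(issuer: str, body: str) -> dict:
    """Parse and validate a discovery document; raise if anything is wrong."""
    problems = discovery_problems(issuer, body)
    if problems:
        raise ValueError("; ".join(problems))
    return json.loads(body)
```

Cache the validated document per issuer rather than re-fetching on every login, and treat a change in jwks_uri or token_endpoint on refresh as something worth logging.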

  • OIDC also defines a User Info endpoint where Client applications can retrieve information about the logged-in end user.

    • Accessed by sending a simple HTTP GET request to the UserInfo endpoint with the access token as a Bearer token in the Authorization header.

    • The RP must check that the sub in the UserInfo response exactly matches the sub from the ID token; claims from a response with a different sub belong to a different user and must not be used.

      • Example Response:

      HTTP/1.1 200 OK
      Content-Type: application/json
      {
         "sub": "9XE3-JI34-00132A",
         "preferred_username": "alice",
         "name": "Alice",
         "email": "alice.wonderland@example.com",
         "email_verified": true
      }

  • OIDC defines a special openid scope that must be present in every OIDC authorization request: it tells the Authorization Server that this is an OpenID Connect request and causes an ID token to be issued, and the resulting access token is what the UserInfo endpoint accepts.

    • OIDC also defines a set of standardized scopes that map to subsets of user claims (profile, email, phone, and address). The provider returns only the claims covered by the scopes the user actually granted, so a request for openid alone yields only sub.
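Both sides of the UserInfo exchange above, as an added example written for this page (not code from any provider or library): the client's Bearer-token request header, the provider's release of claims filtered by the granted scopes, and the client's check that the returned sub matches the ID token. The scope-to-claim table follows the standard claims defined by OpenID Connect Core; the user record, token string and scope strings are constructed for the example.

```python
import json

# Which UserInfo claims each standard scope unlocks (OpenID Connect Core 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed user record for the example; the values are not real.
CONSTRUCTED_USER = {
    "sub": "9XE3-JI34-00132A",
    "preferred_username": "alice",
    "name": "Alice",
    "email": "alice.wonderland@example.com",
    "email_verified": True,
    "phone_number": "+1 555 0100",
    "phone_number_verified": False,
}


def userinfo_request_headers(access_token: str) -> dict:
    """Client side: the access token travels as a Bearer token in the
    Authorization header, never in the query string where it lands in logs."""
    return {"Authorization": "Bearer " + access_token, "Accept": "application/json"}


def userinfo_allowed(granted_scopes: str) -> bool:
    """True when an access token carrying these scopes may call UserInfo."""
    return "openid" in granted_scopes.split()


def userinfo_response(user: dict, granted_scopes: str) -> dict:
    """Provider side: always release sub, and otherwise only the claims
    covered by scopes the user actually granted."""
    if not userinfo_allowed(granted_scopes):
        raise PermissionError("access token does not carry the openid scope")
    allowed = {"sub"}
    for scope in granted_scopes.split():
        allowed |= SCOPE_CLAIMS.get(scope, set())
    return {claim: value for claim, value in user.items() if claim in allowed}


def check_userinfo(body: str, id_token_sub: str) -> dict:
    """Client side: the sub in the UserInfo response must exactly match the
    sub from the ID token, otherwise the data describes someone else."""
    claims = json.loads(body)
    if claims.get("sub") != id_token_sub:
        raise ValueError("UserInfo sub does not match ID token sub")
    return claims


def userinfo_matches(body: str, id_token_sub: str) -> bool:
    """Boolean convenience wrapper around check_userinfo."""
    try:
        check_userinfo(body, id_token_sub)
        return True
    except ValueError:
        return False
```

Note that email_verified is released together with email: a client that acts on the address (account linking, password reset) should require that flag to be true rather than assume the provider checked it.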
