
OpenID Connect

  • Federated authentication protocol: a user signs in at one Identity Provider and reuses that account across many applications
  • Lets an application integrate multiple Identity Providers behind one standard
  • Provides an identity layer on top of OAuth 2.0 (OAuth 2.0 alone is an authorization framework and says nothing about who the user is)
  • Lets an OAuth 2.0 Authorization Server authenticate the user for applications in a standard, interoperable way
  • Lets an application delegate user authentication to the OAuth 2.0 Authorization Server instead of handling credentials itself
  • Supports single sign-on (SSO)
  • https://openid.net/developers/specs/

Roles

  • End User - the subject being authenticated
  • OpenID Provider (OP) - an OAuth 2.0 Authorization Server that implements OIDC: it authenticates the User and returns claims about the authenticated User and the authentication event to a Relying Party
  • Relying Party (RP) - an OAuth 2.0 client that delegates user authentication to an OpenID Provider and requests claims about the user from it, e.g. a web or mobile application

Token and Claim

  • ID Token (identity token) - a signed JWT that conveys claims about an authentication event and the authenticated User to a Relying Party. It is the proof of authentication; its audience is the RP, so it is meant to be validated by the RP, not sent to APIs in place of an access token.
  • Claim - a piece of information asserted about the end user or the authentication event, e.g. sub (subject identifier), email, auth_time, nonce. The RP must verify the token's signature, issuer, audience, expiry and nonce before trusting any claim.
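The checks listed above (signature, iss, aud/azp, exp, nonce) are what OIDC Core requires an RP to perform on an ID token. The following is an added example, not code from the page or from any OIDC library: a stdlib-only JWT mint/verify for the HS256 case, where the signing key is the client_secret shared between OP and RP. The issuer, client id, secret, nonce and frozen clock are constructed values for the demo; a production RP would normally validate RS256 tokens against the OP's JWKS and pin the algorithm it registered.

```python
"""ID token validation the way an RP must do it (OIDC Core 3.1.3.7), stdlib only."""
import base64
import hashlib
import hmac
import json
import time

# Constructed, fixed values so the demo is deterministic (assumptions, not a real OP).
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-123"
CLIENT_SECRET = "s3cr3t-shared-with-the-op"  # HS256 key = client_secret (OIDC Core 10.1)
NONCE = "n-0S6_WzA2Mj"
NOW = 1_700_000_000  # frozen clock for the example


class IDTokenError(Exception):
    """Raised when an ID token fails any validation step."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: str, key: str) -> bytes:
    return hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()


def mint_id_token(claims: dict, key: str, alg: str = "HS256") -> str:
    """Build a JWT as a (simplified) OP would. alg='none' exists here only to show the attack."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = _b64url_encode(_hs256(signing_input, key)) if alg == "HS256" else ""
    return f"{signing_input}.{signature}"


def validate_id_token(token, key, issuer, client_id, nonce, now=None, leeway=60):
    """Return the claims if every RP-side check passes, otherwise raise IDTokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the RP registered; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise IDTokenError("unexpected alg")
    expected = _hs256(f"{header_b64}.{payload_b64}", key)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise IDTokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IDTokenError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise IDTokenError("audience mismatch")
    # Several audiences require azp, and azp (whenever present) must name this client.
    if (len(audiences) > 1 or "azp" in claims) and claims.get("azp") != client_id:
        raise IDTokenError("azp mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise IDTokenError("token expired")
    # The nonce ties this token to the authentication request the RP actually sent.
    if claims.get("nonce") != nonce:
        raise IDTokenError("nonce mismatch")
    return claims


def sample_claims() -> dict:
    return {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
            "exp": NOW + 3600, "iat": NOW, "nonce": NONCE}


def make_sample_token() -> str:
    return mint_id_token(sample_claims(), CLIENT_SECRET)


def tampered_token() -> str:
    """Swap the sub claim without re-signing: the signature no longer matches."""
    header, _, sig = make_sample_token().split(".")
    forged = json.dumps(dict(sample_claims(), sub="admin"), separators=(",", ":"))
    return f"{header}.{_b64url_encode(forged.encode())}.{sig}"


def alg_none_token() -> str:
    """Classic 'alg: none' forgery; a validator that trusts the header would accept it."""
    return mint_id_token(dict(sample_claims(), sub="admin"), CLIENT_SECRET, alg="none")


def verdict(token: str, nonce: str = NONCE, now: float = NOW) -> str:
    """'ok' or the rejection reason; used by the demo below."""
    try:
        validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, nonce, now=now)
        return "ok"
    except IDTokenError as exc:
        return str(exc)


if __name__ == "__main__":
    print("valid token      :", verdict(make_sample_token()))
    print("tampered payload :", verdict(tampered_token()))
    print("alg=none forgery :", verdict(alg_none_token()))
    print("foreign nonce    :", verdict(make_sample_token(), nonce="some-other-request"))
    print("expired          :", verdict(make_sample_token(), now=NOW + 7200))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so attacker-controlled claims never influence which key or algorithm is used. The nonce check is what turns a valid-looking ID token captured from another session into a rejected one.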

Flows

  • Authorization Code Flow (+PKCE) - the RP redirects the User to the OP, receives a short-lived authorization code on its redirect URI, and exchanges that code at the OP's token endpoint for an ID token, an access token and optionally a refresh token. PKCE (code_verifier / code_challenge) binds the code to the client instance that started the flow. Recommended for both confidential and public clients.
  • Implicit Flow - returns the ID token (and optionally an access token) directly in the redirect URL fragment, with no code exchange. Originally intended for public clients such as single-page applications, but tokens end up in browser history and referrers and the flow cannot use PKCE; the OAuth 2.0 Security Best Current Practice recommends against it. Use the Authorization Code Flow with PKCE instead.
  • Hybrid Flow - combines elements of the Authorization Code Flow and the Implicit Flow. It is designed for applications with both a secure back end and a front end with client-side JavaScript in a browser: for example, the OP returns an ID token together with an authorization code in the front-channel response so the front end can establish the session, while the back end exchanges the code for an access token.
  • OIDC CIBA - Client-Initiated Backchannel Authentication. The RP talks to the OP directly, with no redirects through the User's browser. The User authenticates on a separate Authentication Device (e.g. a phone) rather than on the device where the flow was started, and the RP obtains the tokens by polling, ping or push.
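The Authorization Code Flow with PKCE above is easiest to see with both sides running. This is an added example, not code from the page or from any OIDC implementation: a Relying Party and an OpenID Provider simulated in one process with no HTTP, exchanging the same query strings real endpoints would. Endpoints, client id and user identifier are constructed; the OP skips real user authentication and, in place of a signed ID token, returns the claims it would put in one.

```python
"""Authorization Code Flow with PKCE: RP and OP simulated in-process (no HTTP)."""
import hashlib
import hmac
import secrets
from base64 import urlsafe_b64encode
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers for the example; assumptions, not a real deployment.
AUTHORIZATION_ENDPOINT = "https://op.example.com/authorize"
REDIRECT_URI = "https://rp.example.com/callback"
CLIENT_ID = "rp-client-123"


def b64url(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) per RFC 7636."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class RelyingParty:
    """Client side: one pending login per state, holding its verifier and nonce."""

    def __init__(self):
        self.pending = {}

    def start_login(self) -> str:
        state = b64url(secrets.token_bytes(16))     # CSRF binding for the callback
        nonce = b64url(secrets.token_bytes(16))     # replay binding for the ID token
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128
        self.pending[state] = {"verifier": verifier, "nonce": nonce}
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "scope": "openid profile", "state": state, "nonce": nonce,
                  "code_challenge": s256(verifier), "code_challenge_method": "S256"}
        return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, callback_url: str) -> dict:
        query = parse_qs(urlparse(callback_url).query)
        session = self.pending.pop(query.get("state", [""])[0], None)
        if session is None:
            raise ValueError("unknown state")  # forged or replayed callback
        return {"code": query["code"][0], **session}


class OpenIDProvider:
    """OP side: single-use codes bound to the PKCE challenge, redirect_uri and nonce."""

    def __init__(self):
        self.codes = {}

    def authorize(self, auth_url: str, user_sub: str) -> str:
        query = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        if query.get("client_id") != CLIENT_ID or query.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("unregistered client or redirect_uri")
        if query.get("code_challenge_method") != "S256":
            raise ValueError("PKCE S256 required")
        # A real OP authenticates the user here; user_sub stands in for that result.
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {"challenge": query["code_challenge"], "redirect_uri": REDIRECT_URI,
                            "nonce": query.get("nonce"), "sub": user_sub}
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': query['state']})}"

    def token(self, code: str, code_verifier: str, redirect_uri: str) -> dict:
        record = self.codes.pop(code, None)  # any attempt consumes the code
        if record is None:
            raise ValueError("invalid or already used code")
        if redirect_uri != record["redirect_uri"]:
            raise ValueError("redirect_uri mismatch")
        if not hmac.compare_digest(s256(code_verifier), record["challenge"]):
            raise ValueError("PKCE verification failed")
        # A real OP returns a signed ID token; the claims it would carry stand in for it.
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer",
                "id_token_claims": {"sub": record["sub"], "nonce": record["nonce"], "aud": CLIENT_ID}}


def _login(rp: RelyingParty, op: OpenIDProvider) -> dict:
    return rp.handle_callback(op.authorize(rp.start_login(), user_sub="user-42"))


def run_happy_path() -> dict:
    rp, op = RelyingParty(), OpenIDProvider()
    cb = _login(rp, op)
    return {"nonce_sent": cb["nonce"], **op.token(cb["code"], cb["verifier"], REDIRECT_URI)}


def attack_outcomes() -> dict:
    """Three things the flow is built to stop, each mapped to the rejection reason."""
    rp, op, outcomes = RelyingParty(), OpenIDProvider(), {}
    cb = _login(rp, op)
    try:  # stolen authorization code, but the attacker never had the verifier
        op.token(cb["code"], b64url(secrets.token_bytes(32)), REDIRECT_URI)
    except ValueError as exc:
        outcomes["code_injection"] = str(exc)
    cb = _login(rp, op)
    op.token(cb["code"], cb["verifier"], REDIRECT_URI)  # legitimate exchange
    try:  # the same code presented a second time
        op.token(cb["code"], cb["verifier"], REDIRECT_URI)
    except ValueError as exc:
        outcomes["code_replay"] = str(exc)
    try:  # callback carrying a state the RP never issued (login CSRF)
        rp.handle_callback(f"{REDIRECT_URI}?code=abc&state=attacker")
    except ValueError as exc:
        outcomes["csrf_callback"] = str(exc)
    return outcomes


if __name__ == "__main__":
    print(run_happy_path())
    print(attack_outcomes())
```

Note that the OP pops the code on the first token request regardless of outcome, so a failed PKCE attempt also burns the code; RFC 6749 requires a code to be rejected once reused, and invalidating it on any failed attempt is the conservative reading. The nonce the RP generated travels through the authorization request into the OP's response and is what the RP later compares against the ID token.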

Other features

  • Discovery - lets clients dynamically fetch the OpenID Provider's metadata (endpoints, supported algorithms, JWKS URI) from /.well-known/openid-configuration. The client must check that the issuer value in the document equals the issuer URL it fetched it from.
  • Dynamic Registration - lets clients register themselves with the OpenID Provider at runtime and obtain a client_id (and, for confidential clients, a client_secret).
  • Session Management - defines how the client can monitor the end user's authentication session at the OpenID Provider; RP-Initiated Logout, specified alongside it, defines how the client sends the user to the OP to log out.
  • Front-Channel Logout - single sign-out of multiple applications: the OP renders iframes in the user's browser that load each RP's logout URI. It depends on the browser delivering those requests, so it can silently fail when third-party cookies are blocked.
  • Back-Channel Logout - single sign-out of multiple applications via direct OP-to-RP requests: the OP posts a signed logout token (a JWT) to each RP's back-channel logout URI, and the RP validates it like an ID token before terminating the session. Works without the user's browser.