OpenID Connect
About OpenID Connect
OpenID Connect (OIDC) is the new emerging standard for single sign-on and identity provision on the internet. This section provides a quick introduction to the OIDC and for more a more in-depth description see Specifications & Developer information.
OpenID Connect VS OAuth 2.0
OIDC is authentication built on top of OAuth 2.0 and implements authentication as an extension to the OAuth 2.0 authorization process. While OAuth defines no specific token format, no common set of scopes for the access token, and does not address how a protected resource validates an access token, OpenID Connect does.
Authentication flows
A flow is the process starting from the users authentication requests for accessing a resource, to when the user gets authenticated and obtains the token to access the resource. The flows also determine how the ID Token and Access Token are returned to the client. OpenID Connect defines three types of flows:
- Authorization code flow
- Implicit flow
- Hybrid flow
For detailed specification of these flows, check out OpenId authentication specs.
Note
Unit4 Identity Services (U4IDS) supports not only the three flows defined by OpenID Connect, but also two more flows defined by OAuth 2.0: the client credential flow, and the custom flow. We have a page dedicated to all the different kind of flows and their specifications. We recommend that you use Authorization code combined with Proof Key for Code Exchange (PKCE) to replace other OpenID Connect flows.
Tokens
Token types
For OpenId Connect there are three different token types.
- Access token: The access token serves as a credential used to access a protected resource. The Access tokens can come in two forms: self-contained and reference tokens.
- ID token: The ID Token is a token that contains Claims about the authentication. The ID token is always a JSON Web Token (JWT). See ID token
- Refresh token: Used for requesting a new access token. You can think of the refresh token as a password. The advantage is that the password is not stored in clear text and an administrator has the ability to revoke it.
Token formats
A token can appear in different formats. In OpenId Connect it is returned to the client as a JSON Web Token format. In other protocols, such as WS-Federation and SAML-P, SAML assertions is used as the format.
Scopes
OAuth defines Scopes which are like permissions or delegated rights that the Resource Owner wishes the client to be able to do on their behalf. The client may request certain rights, but the user may only grant some of them or allow others that are not even requested.
Endpoints
Authorization endpoint
Authorization endpoint, also referred to as Authentication Endpoint performs authentication of the end user. This is done by sending the User Agent to the Authorization Server's Authorization Endpoint for Authentication and Authorization, using request parameters defined by OAuth 2.0 and additional parameters and parameter values defined by OpenID Connect.
Token endpoint
Used to programmatically request or refresh tokens (authorization code flow, hybrid flow, resource owner password credential flow, client credentials flow and custom grant types).
Discovery endpoints
OpenID Connect offers discovery endpoints. It discovers the End-User's OpenID Provider and obtains information needed to interact with it, including its OAuth 2.0 endpoint locations. See OpenID Connect discovery and Client metadata for more details.
Metadata endpoint
/.well-known/openid-configuration endpoints
jwks endpoint
OPTIONAL. URL for the Client's JSON Web Key Set JWK document. If the Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the Client.