Introduction to OpenID Connect
Note for exam: No practical coding examples with OpenID Connect
- Authentication protocol
  - Based on OAuth 2.0
  - Provides login for multiple sites/apps
  - You are redirected to your OpenID site, where you log in
  - After login, you are taken back to the website/app
- OAuth/OpenID Provider
  - Aka OAuth Server, Authorization Server
  - Examples: Google, Twitter, Microsoft AAD, Auth0
- Resource Provider
  - Aka Resource Server
  - In our case: a REST Web API
- Resource Owner
  - In our case: the end user, the organization
- Client
  - Application accessing a protected resource
  - In our case: native app, server-based web app, SPA, mobile app
Abstract OAuth 2.0 protocol flow (RFC 6749, Figure 1):

+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+
- Authorization Endpoint
  - Authenticates the resource owner (e.g. user name/password)
  - Asks for consent
  - Sends the confirmation (e.g. authorization code, access token) to the Redirect Endpoint
- Redirect Endpoint
  - Offered by the client
  - Reached by redirecting the user-agent (HTTP 302 redirect)
  - Receives the code/token, or fetches the token from the Token Endpoint
- Token Endpoint
  - Issues tokens in exchange for authorization codes, refresh tokens, etc.
  - Can validate the client using a client secret
- Find the endpoints via OpenID Connect Discovery
- Authorization Code Flow
  - Aka 3-legged OAuth
  - Client must be capable of storing secrets (e.g. Node.js server, ASP.NET server)
- Implicit Flow
  - Less secure
  - No refresh tokens
  - For clients that cannot store secrets (e.g. SPA written in JavaScript, mobile app)
- Other flows (not covered in this course)
  - Resource Owner Password Flow
  - Client Credentials Flow
  - Hybrid Flow
Implicit flow (after RFC 6749, Figure 4):

+----------+      +----------+          Client Identifier     +---------------+
| Resource <--(B)-+-        -+----(A)-- & Redirection URI --->|               |
|   Owner  |      |  User-   |                                | Authorization |
|          |      |  Agent  -|----(B)-- User authenticates -->|     Server    |
+----------+      |          |                                |               |
                  |          |<---(C)--- Redirection URI ----<|               |
                  |          |          with Access Token     +---------------+
                  |          |            in Fragment
                  |          |                                +---------------+
                  |          |----(D)--- Redirection URI ---->|   Web-Hosted  |
+---------+       |          |          without Fragment      |     Client    |
|        -+--(A)-->          |                                |    Resource   |
|  Client |       |     (F)  |<---(E)------- Script ---------<|               |
|         <--(G)--+-         |                                +---------------+
+---------+   ^   +----------+
              |
         Access Token
Authorization code flow (after RFC 6749, Figure 3):

+----------+     +----------+          Client Identifier      +---------------+
| Resource |     |         -+----(A)-- & Redirection URI ---->|               |
|   Owner <-(B)-+- User-   |                                 | Authorization |
|          |     |  Agent  -+----(B)-- User authenticates --->|     Server    |
+----------+     |          |                                 |               |
                 |         -+----(C)-- Authorization Code ---<|               |
                 +-|----|---+                                 +---------------+
                   |    |                                         ^      v
                  (A)  (C)                                        |      |
                   |    |                                         |      |
                   ^    v                                         |      |
                 +---------+                                      |      |
                 |         |>---(D)-- Authorization Code ---------'      |
                 |  Client |          & Redirection URI                  |
                 |         |                                             |
                 |         |<---(E)----- Access Token -------------------'
                 +---------+       (w/ Optional Refresh Token)
JSON Web Token (JWT)
- Open standard (RFC 7519)
- Way of securely transmitting information between parties as a JSON object
- Can be verified and trusted because it is digitally signed
- Consists of...
  - ...header
  - ...payload
  - ...signature
- JWT examples and decoder: jwt.io
- Want to know more? Read/watch...
  - Videos