OpenID Connect Authentication

Documentation home 

 

Introduction

ID Token

Configuring OpenID Connect Authentication

Configuring ADFS Server using OpenID Connect

 

See also: Server Administration Application Home Page, OpenID Connect Configuration, OAuth 2.0, AD FS Step By Step Setup Guide

 

Introduction

OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol, which allows clients to verify the identity of an end user based on the authentication performed by an authorization server or identity provider (IdP), as well as to obtain basic profile information about the end user in an interoperable and REST-like manner. OpenID Connect specifies a RESTful HTTP API, using JSON as a data format. 

 

OAuth 2.0 is a specification that defines how access tokens are issued; it is described in RFC 6749 (The OAuth 2.0 Authorization Framework). OpenID Connect adds a new id_token field to the token response. To request an ID token, the scope of the authorization request must include the value “openid”. If this value is not included, a normal OAuth 2.0 authorization flow is assumed and no ID token is returned. See the OAuth 2.0 documentation for more information.

 

OpenID Connect is a simpler authentication standard than alternatives such as SAML, OpenID 1.0 and OpenID 2.0. The attraction of OpenID Connect is:

 

 

OpenID Connect is an increasingly common authentication protocol: when an app prompts you to sign in with your ADFS or Google credentials, the app is probably using OpenID Connect.

 

Example OpenID Connect Authorization Flow:
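As an added illustration of the flow named above (example code written for this page, not code from the original page or from the Verj.io product), the following Go program runs both sides of the authorization code flow in one process: the relying party builds the authorization request, a small in-memory stand-in for the IdP validates it and redirects back with a code, the relying party checks state and exchanges the code at the token endpoint, and the token response carries an id_token only when the requested scope included openid. The client ID, client secret, redirect URI and the https://adfs.example.com endpoint are constructed values, and the id_token the stand-in returns is an unsigned placeholder rather than a real signed JWT.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// Client is the relying party as registered at the IdP (constructed values for this example).
type Client struct{ ID, Secret, RedirectURI string }

// TokenResponse is the JSON body returned by the token endpoint (RFC 6749 5.1, OpenID Connect Core 3.1.3.3).
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token,omitempty"` // present only when the request's scope included "openid"
}

// randomToken returns 128 bits of CSPRNG output, hex encoded, for state, nonce, codes and access tokens.
func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return hex.EncodeToString(b)
}

// authorizationURL is step 1: the RP redirects the browser to the IdP. state ties the callback to this browser session (anti-CSRF); nonce ties the ID token to it (anti-replay). The RP must store both.
func authorizationURL(authEndpoint string, c Client, scopes []string) (u, state, nonce string) {
	state, nonce = randomToken(), randomToken()
	q := url.Values{
		"response_type": {"code"},
		"client_id":     {c.ID},
		"redirect_uri":  {c.RedirectURI},
		"scope":         {strings.Join(scopes, " ")},
		"state":         {state},
		"nonce":         {nonce},
	}
	return authEndpoint + "?" + q.Encode(), state, nonce
}

// FakeIdP is a minimal in-memory authorization server so both sides of the exchange can run offline.
type FakeIdP struct {
	clients map[string]Client
	codes   map[string]url.Values // issued code -> the authorization request it was issued for
}

// Authorize is step 2: once the user has logged in, the IdP checks the request and redirects back with a code.
func (p *FakeIdP) Authorize(authURL string) (callbackURL string, err error) {
	u, err := url.Parse(authURL)
	if err != nil { return "", err }
	q := u.Query()
	c, ok := p.clients[q.Get("client_id")]
	if !ok || q.Get("redirect_uri") != c.RedirectURI || q.Get("response_type") != "code" {
		return "", fmt.Errorf("invalid_request") // above all: never redirect to an unregistered URI
	}
	code := randomToken()
	p.codes[code] = q
	return c.RedirectURI + "?" + url.Values{"code": {code}, "state": {q.Get("state")}}.Encode(), nil
}

// handleCallback is step 3: the RP checks state before it touches the code.
func handleCallback(callbackURL, expectedState string) (code string, err error) {
	u, err := url.Parse(callbackURL)
	if err != nil { return "", err }
	if u.Query().Get("state") != expectedState { return "", fmt.Errorf("state mismatch: possible CSRF") }
	return u.Query().Get("code"), nil
}

// Token is step 4: the RP's back channel exchanges the code, authenticated with its client secret, for tokens.
func (p *FakeIdP) Token(form url.Values) (TokenResponse, error) {
	req, ok := p.codes[form.Get("code")]
	delete(p.codes, form.Get("code")) // an authorization code is single-use, whether or not this exchange succeeds
	c, known := p.clients[form.Get("client_id")]
	if !ok || !known || form.Get("grant_type") != "authorization_code" || form.Get("client_secret") != c.Secret ||
		req.Get("client_id") != c.ID || form.Get("redirect_uri") != req.Get("redirect_uri") {
		return TokenResponse{}, fmt.Errorf("invalid_grant")
	}
	resp := TokenResponse{AccessToken: randomToken()}
	if strings.Contains(" "+req.Get("scope")+" ", " openid ") { // an OpenID Connect request, not plain OAuth 2.0
		resp.IDToken = `{"sub":"alice","nonce":"` + req.Get("nonce") + `"}` // unsigned stand-in for the real JWT
	}
	return resp, nil
}

// runFlow drives one complete exchange for the given scopes and returns the token response.
func runFlow(p *FakeIdP, c Client, scopes []string) (TokenResponse, error) {
	authURL, state, _ := authorizationURL("https://adfs.example.com/adfs/oauth2/authorize", c, scopes)
	cb, err := p.Authorize(authURL)
	if err != nil { return TokenResponse{}, err }
	code, err := handleCallback(cb, state)
	if err != nil { return TokenResponse{}, err }
	return p.Token(url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {c.RedirectURI}, "client_id": {c.ID}, "client_secret": {c.Secret}})
}

func main() {
	c := Client{ID: "verjio-app", Secret: "s3cret", RedirectURI: "https://app.example.com/oidc/callback"}
	idp := &FakeIdP{clients: map[string]Client{c.ID: c}, codes: map[string]url.Values{}}
	fmt.Println(runFlow(idp, c, []string{"openid", "profile", "email"}))
}
```

Two details that are easy to get wrong in real deployments are enforced here: the IdP only redirects to the redirect_uri registered for the client, and an authorization code is discarded after its first use whether or not the exchange succeeded. Running the same flow with a scope that omits openid yields an access token but no id_token. The id_token returned when openid is in scope must still be verified before any of its claims are used.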

 

ID Token

OpenID Connect returns the ID token in the form of a JSON Web Token (JWT). The JWT carries identity information known as claims; these claims can hold user-related information such as email, name, address and roles.

 

OpenID Connect ID tokens are digitally signed and must be verified before they are used. The signature is usually produced with a public/private key pair, and the public key is commonly published at a remote URL as a JSON Web Key Set (JWKS). Checking the signature alone is not enough: the relying party should also check that the iss claim names the expected identity provider, that aud contains its own client ID, that the token has not expired (exp), and, if a nonce was sent in the authorization request, that the same nonce is present in the token.
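As an added example (written for this page, not code from the original page or from Verj.io), the following Go program shows both halves of what this section describes: an IdP signing an ID token with an RSA private key and publishing the public half as a JSON Web Key set, and a relying party that looks the key up by kid, verifies the RS256 signature, and only then checks iss, aud, exp and nonce before trusting any claim. The key pair is generated at run time, the issuer URL, client ID, kid, nonce and claim values are constructed for the example, and the JWKS is an in-memory slice standing in for the document a real relying party fetches from the IdP's jwks_uri.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK is one entry of the JSON Web Key Set an IdP publishes at its jwks_uri (RFC 7517); only the RSA fields are modelled.
type JWK struct{ Kty, Kid, N, E string }

// IDTokenClaims: the claims a relying party must check, plus the role claim an IdP such as AD FS can be configured to add.
type IDTokenClaims struct {
	Iss   string   `json:"iss"`
	Sub   string   `json:"sub"`
	Aud   string   `json:"aud"` // single audience; the spec also allows an array here
	Exp   int64    `json:"exp"`
	Nonce string   `json:"nonce,omitempty"`
	Roles []string `json:"roles,omitempty"`
}

var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// newSigningKey generates the IdP's RSA signing key pair (constructed at run time for this example).
func newSigningKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

// jwkFor exports the public half of the signing key in the form the IdP would publish.
func jwkFor(pub *rsa.PublicKey, kid string) JWK {
	return JWK{Kty: "RSA", Kid: kid, N: enc(pub.N.Bytes()), E: enc(big.NewInt(int64(pub.E)).Bytes())}
}

// issueIDToken plays the IdP: base64url(header).base64url(payload) signed with RS256 (PKCS#1 v1.5 over SHA-256).
func issueIDToken(priv *rsa.PrivateKey, kid string, claims IDTokenClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims) // marshalling a plain struct cannot fail
	signingInput := enc(header) + "." + enc(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signingInput + "." + enc(sig), nil
}

// publicKeyFor rebuilds the RSA public key that the JWT header's kid names from the JWKS.
func publicKeyFor(jwks []JWK, kid string) (*rsa.PublicKey, error) {
	for _, k := range jwks {
		if k.Kid != kid || k.Kty != "RSA" { continue }
		n, e1 := dec(k.N)
		e, e2 := dec(k.E)
		if e1 != nil || e2 != nil { return nil, fmt.Errorf("JWK %q has malformed n/e", kid) }
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// verifyIDToken plays the relying party: pin the algorithm, select the key by kid, check the signature, and only then check iss, aud, exp and nonce. nowUnix is injected so the expiry check is testable.
func verifyIDToken(token string, jwks []JWK, issuer, clientID, nonce string, nowUnix int64) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed JWT") }
	var header struct{ Alg, Kid string } // encoding/json matches names case-insensitively
	var claims IDTokenClaims
	headerJSON, e1 := dec(parts[0])
	payloadJSON, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(headerJSON, &header) != nil || json.Unmarshal(payloadJSON, &claims) != nil {
		return nil, fmt.Errorf("JWT segments are not valid base64url/JSON")
	}
	// Never let the token choose "none" or an HMAC algorithm: the accepted algorithm is fixed by the relying party.
	if header.Alg != "RS256" { return nil, fmt.Errorf("unexpected alg %q", header.Alg) }
	pub, err := publicKeyFor(jwks, header.Kid)
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return nil, fmt.Errorf("signature verification failed") }
	switch { // the signature is good: now check who issued it, for whom, and whether it is still fresh
	case claims.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not the configured IdP", claims.Iss)
	case claims.Aud != clientID:
		return nil, fmt.Errorf("token issued for %q, not this client", claims.Aud)
	case nowUnix >= claims.Exp:
		return nil, fmt.Errorf("token expired")
	case nonce != "" && claims.Nonce != nonce:
		return nil, fmt.Errorf("nonce mismatch (possible replay)")
	}
	return &claims, nil
}

func main() {
	priv := newSigningKey()
	tok, _ := issueIDToken(priv, "adfs-1", IDTokenClaims{Iss: "https://adfs.example.com/adfs", Sub: "alice", Aud: "verjio-app", Exp: 1700003600, Nonce: "n-42", Roles: []string{"Approver"}})
	fmt.Println(verifyIDToken(tok, []JWK{jwkFor(&priv.PublicKey, "adfs-1")}, "https://adfs.example.com/adfs", "verjio-app", "n-42", 1700000000))
}
```

The order of the checks is the point: the algorithm is pinned before a key is chosen, so a token that declares alg none or an HMAC algorithm is refused without consulting the key set, and the claims are only acted on after the signature has been verified. A production relying party would fetch and cache the JWKS over HTTPS, refresh it when an unknown kid appears, and accept aud as either a string or an array, as the specification allows.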

 

 

Configuring OpenID Connect Authentication

OpenID Connect authentication is configured in the User Authentication section of the Server Administration Application.

 

Configuring ADFS Server using OpenID Connect

OpenID Connect can be used to authenticate users with single sign-on (SSO) against an Active Directory Federation Services (ADFS) server. The ADFS server can be configured to return an ID token that contains the user's identity claims and roles.

 

Follow the AD FS Step By Step Setup Guide to configure Verj.io Server to use OpenID Connect with ADFS.