OIDC FLOW AND END POINTSDate Created: 06 Apr 2023
OpenID Connect (OIDC) is a type of authentication protocol that is built on top of OAuth 2.0. It provides a secure and standard way for users to prove their identity to web applications.
This means that when you log in to a web application using OIDC, the application can verify that you are who you say you are, based on the authentication process performed by a third-party authentication server. This helps to ensure that your personal information and data are kept safe and secure.
OIDC is easy to use, offers advanced security features, and can work seamlessly with other technologies. Its an excellent solution for web applications that need to verify the identity of their users in a reliable and standardized way.
OpenID Connect (OIDC) is mainly used for authorization, which means it allows applications to access resources on behalf of a user. However, it doesnt provide a way for applications to verify a users identity.
OIDC solves this problem by providing standardized authentication flows that enable users to prove their identity to web applications. These flows are based on the OAuth 2.0 authorization code flow, but with extra steps to authenticate the user and give the web application information about their identity.
To convey identity information, OIDC uses JSON Web Tokens (JWTs). A JWT is a small, secure way of representing claims about a user that can be shared between different parties. JWTs are digitally signed, which means they can be used to verify that the information they contain is legitimate and hasnt been tampered with.
The OIDC authentication flow begins with the user attempting to access a protected resource on a web application. The web application detects that the user is not authenticated and redirects the user to the OIDC authentication server.
The OIDC authentication server authenticates the user using a variety of methods, such as username/password authentication or multi-factor authentication. Once the user is authenticated, the authentication server generates a JWT containing identity information and returns it to the web application.
The web application then verifies the authenticity and integrity of the JWT by validating the digital signature. If the JWT is valid, the web application can use the information contained within it to identify the user and provide personalized content and services
OIDC has different ways for a user to log in to a web application. The three most commonly used are:
Authorization Code Flow:
This is used when the web app needs to access information on behalf of the user. The user is sent to the login page to enter their credentials. After authentication, the login page generates a special code which is used by the web app to get an access token, allowing it to access the protected resource.
This is used when the web app doesnt need to access information for a long time. The user logs in and gets an access token immediately without any special codes or tokens.
Hybrid Flow: This combines the Authorization Code Flow and Implicit Flow. The user logs in, and the login page generates an authorization code and an ID token. The authorization code is then used to get an access token, and the ID token provides the users identity information.
Benefits of OpenID Connect
OIDC offers several benefits over traditional authentication methods, including:
1. Single Sign-On (SSO): With OIDC, users can authenticate once with an identity provider and then access multiple applications without having to re-enter their credentials.
2. Improved Security: OIDC leverages strong cryptographic algorithms and provides a standardized approach to authentication, which reduces the risk of security vulnerabilities and ensures that user data is protected.
3. Enhanced User Experience: OIDC enables a seamless user experience by allowing users to authenticate with their existing social media or enterprise credentials, rather than having to create and remember new credentials for each application.
4. Standardization: As an open standard, OIDC promotes interoperability and simplifies integration with third-party applications.
How Does it Works?
When you log in to a website using OIDC, there are three important parts: you, the website, and the service that verifies your identity.
Heres how it works:
You go to the website and click the login button.
The website sends a request to the identity service to check your identity. The request includes information like your username and what kind of access youre asking for.
The identity service checks to see if youre who you say you are by asking you to enter your login credentials or using a previous session if youve already logged in before.
If your identity is verified, the identity service creates an ID token that includes information about you, like your name and email address.
The website checks the ID token to make sure its genuine and hasnt been changed.
The website can then use the information in the ID token to make sure youre authorized to access certain resources or to personalize your experience.
OIDC, or OpenID Connect, defines a set of endpoints that are used in the authentication flow between a user, a client application, and an identity provider. These endpoints help standardize the way user authentication is handled in web applications.
There are six endpoints defined by OIDC:
Authorization Endpoint: This endpoint initiates the authentication flow by prompting the user to enter their credentials or by using an existing session if the user has previously authenticated.
Token Endpoint: This endpoint is used to obtain an access token and an ID token after the user has been authenticated.
User Info Endpoint: This endpoint retrieves information about the authenticated user, such as their name and email address.
End Session Endpoint: This endpoint logs out the user and invalidates the access token.
JWKS Endpoint: This endpoint is used to obtain the JSON Web Key Set used to sign the ID token.
Discovery Endpoint: This endpoint provides information about the OIDC providers configuration, such as the providers authorization endpoint, token endpoint, and supported authentication methods.
While these endpoints are standardized, their implementation can vary between different OIDC providers. Its important to check the providers documentation to ensure that the authentication flow is implemented correctly.
Using OIDC endpoints allows client applications to delegate authentication and authorization responsibilities to specialized OIDC providers, reducing the complexity and security risks associated with implementing these features in-house.
In summary, OIDC endpoints provide a standardized and secure way for client applications to authenticate users and obtain identity information about those users.