OpenID Connect
OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with a design goal of “making simple things simple and complicated things possible”. It’s uniquely easy for developers to integrate, compared to any preceding Identity protocol. (Identity, Authentication) + OAuth 2.0 = OpenID Connect
Specs
An entity has multiple identities. Facebook extends OAuth with a ‘signed request’ that does the same thing as OpenID Connect.
Final OpenID Connect specifications were launched on February 26, 2014.
The certification program for OpenID Connect was launched on April 22, 2015.
Google, Microsoft, Ping Identity, ForgeRock, Nomura Research Institute, and PayPal OpenID Connect deployments were the first to self-certify conformance.
IDP = identity provider = offer authentication as a service
RP = relying party = app that outsources its authentication function to an IDP
JWT = JSON Web Token = data structures with signatures
OpenID Connect is a simple identity layer that works over the top of OAuth 2.0. It uses the same underlying REST protocol, but adds consistency and additional security on top of the OAuth protocol.
OAuth 2.0 is fundamentally an authorisation protocol, not an authentication protocol.
From http://andrewlock.net/an-introduction-to-openid-connect-in-asp-net-core/
- OpenID Connect Basic Client Implementer’s Guide 1.0 - draft 37
- OpenID Connect Implicit Client Implementer’s Guide 1.0 - draft 20
- Safe storage of app secrets during development
Sequence diagram