What’s OIDC

What is OIDC (OpenID Connect)?

OIDC (OpenID Connect) is an open authentication protocol built on top of OAuth 2.0 that enables secure and seamless user authentication. It allows clients (such as web or mobile applications) to verify the identity of a user based on the authentication performed by an identity provider (IdP) and obtain basic profile information about the user.

Key Features of OIDC

  1. Built on OAuth 2.0:

    • While OAuth 2.0 focuses on authorization (allowing applications to access resources on behalf of a user), OIDC adds an authentication layer, enabling applications to identify the user.
  2. ID Token:

    • OIDC introduces the ID Token, a JSON Web Token (JWT) that contains information about the authenticated user (e.g., user ID, email, etc.).
    • This token is cryptographically signed by the identity provider, ensuring its integrity and authenticity.
  3. Interoperability:

    • OIDC is designed to work across a wide range of platforms and languages, making it a preferred protocol for modern authentication systems.
  4. Federation Support:

    • Users can authenticate with a single identity provider across multiple applications or services, streamlining user management and improving the user experience.

How OIDC Works

  1. Client (Relying Party):

    • The application (e.g., web or mobile app) that needs to authenticate the user.
  2. Identity Provider (IdP):

    • The service that performs the authentication and issues tokens (e.g., Google, Microsoft, or custom IdP).

OIDC Flow Steps:

  1. User Initiates Login:

    • The user tries to access the client application, which redirects them to the identity provider's authentication endpoint.
  2. User Authenticates:

    • The identity provider prompts the user to log in (e.g., by entering a username and password).
  3. Authorization Code Issued:

    • If authentication succeeds, the identity provider redirects the user back to the client application with an authorization code.
  4. Tokens Exchanged:

    • The client application exchanges the authorization code for:
      • ID Token (for authentication),
      • Access Token (for API access).
  5. User Verified:

    • The client verifies the ID Token to confirm the user's identity and optionally retrieves user profile information from the identity provider.
  6. Access Resources:

    • The client can use the Access Token to interact with APIs on behalf of the user.
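
As an added example (not code from the original post), the relying-party side of steps 1 and 3 above in Python: the client mints a fresh state and nonce per login, sends the user to the IdP's authorization endpoint read from a discovery document, and rejects any callback whose state does not match the session. The discovery document, client_id and redirect_uri are constructed values for a hypothetical IdP.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for the JSON a client would fetch once from
# https://idp.example/.well-known/openid-configuration (hypothetical IdP).
DISCOVERY = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token",
}
CLIENT_ID = "my-web-app"                         # constructed
REDIRECT_URI = "https://app.example/callback"    # constructed, must be pre-registered at the IdP


def build_authorization_request(session: dict) -> str:
    """Step 1: mint state/nonce, remember them in the user's session, build the redirect URL."""
    session["oidc_state"] = secrets.token_urlsafe(32)   # binds the callback to this browser session
    session["oidc_nonce"] = secrets.token_urlsafe(32)   # echoed back inside the ID Token
    params = {
        "response_type": "code",            # Authorization Code Flow
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",    # "openid" is what makes this OIDC rather than plain OAuth
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }
    return f"{DISCOVERY['authorization_endpoint']}?{urlencode(params)}"


def handle_callback(callback_url: str, session: dict) -> str:
    """Step 3: validate the redirect back from the IdP and return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"IdP returned error: {query['error'][0]}")
    expected = session.pop("oidc_state", None)   # single use, so a replayed callback fails
    received = query.get("state", [""])[0]
    if not expected or not secrets.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: callback is not bound to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise PermissionError("no authorization code in callback")
    # Step 4 would now POST this code (with the client credentials) to
    # DISCOVERY["token_endpoint"] server-to-server; the browser never sees the tokens.
    return code
```

The state value is popped from the session on first use, so a second delivery of the same callback URL is refused even if the state matches.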

Key OIDC Components

  1. ID Token:

    • A JWT that includes claims like sub (subject or user identifier), iss (issuer), and aud (audience or client ID).
    • Example claims:
      {
        "sub": "1234567890",
        "name": "John Doe",
        "email": "johndoe@example.com",
        "iat": 1619451520,
        "exp": 1619455120
      }
  2. Access Token:

    • Issued by the identity provider and used to access protected resources (e.g., APIs).
  3. Refresh Token:

    • A long-lived token used to obtain new Access Tokens without requiring the user to log in again.
  4. Discovery Endpoint:

    • OIDC provides a standard discovery mechanism (.well-known/openid-configuration) for dynamically fetching identity provider metadata.

Common Use Cases

  1. Single Sign-On (SSO):

    • Users can authenticate once with an identity provider and access multiple applications seamlessly.
  2. Secure Authentication for APIs:

    • Applications can verify user identity and enforce access control for APIs.
  3. Federated Identity Management:

    • Users can authenticate with third-party identity providers like Google, Microsoft, or Facebook.
  4. Mobile and Web Applications:

    • OIDC provides a consistent and secure mechanism for authenticating users across platforms.

OIDC Flows

OIDC supports several flows tailored to different scenarios:

  1. Authorization Code Flow:

    • Best for server-side applications.
    • Secure because tokens are exchanged server-to-server, so they are never exposed to the user's browser.
  2. Implicit Flow:

    • Designed for browser-based apps (e.g., single-page applications).
    • Tokens are returned directly to the browser in the redirect, which exposes them more than the Authorization Code Flow and is the main security limitation of this flow.
  3. Hybrid Flow:

    • Combines aspects of both Authorization Code and Implicit Flows.
    • Allows retrieving some tokens directly while exchanging codes for additional tokens.
  4. Client Credentials Flow:

    • Used for server-to-server communication with no user involvement; since no user is authenticated, no ID Token is issued, so this is an OAuth 2.0 authorization flow rather than an OIDC authentication flow.

Popular OIDC Identity Providers

  • Google Identity Platform: Allows applications to authenticate users using their Google accounts.
  • Microsoft Azure AD: Used for enterprise-level authentication.
  • Auth0: A flexible identity provider supporting OIDC and other protocols.
  • Keycloak: An open-source identity provider for authentication and authorization.

Benefits of OIDC

  1. Enhanced Security:

    • Based on OAuth 2.0's secure foundation.
    • Tokens are signed, ensuring data integrity.
  2. Interoperability:

    • Works across different languages, platforms, and devices.
  3. Ease of Implementation:

    • Many SDKs and libraries are available for integrating OIDC into applications.
  4. Scalability:

    • Ideal for applications requiring authentication for millions of users.

OIDC is widely adopted for its simplicity, security, and versatility, making it a cornerstone of modern identity and access management solutions.
