Authenticating a user
The OpenID Connect provider supports traditional Java Platform, Enterprise Edition (J2EE) FormLogin for user authentication.
We can customize the login form; see OpenID Connect custom forms.
The OpenID Connect provider can also be configured to support other authentication methods.
OpenID Connect provider delegates user authentication to a third-party authentication service
If we configure a Trust Association Interceptor (TAI) to intercept requests to an OpenID Connect authorization endpoint (/oidc/<provider name>/authorize), the login form is not presented, and user authentication is performed by the configured TAI.
OpenID Connect provider authenticates user with HTTP Basic Authentication
If we want an OpenID Connect provider to authenticate a user with HTTP Basic Authentication, the OpenID Connect authorization request must include a user ID and password as defined in the Basic Authentication Scheme.
OpenID Connect provider authenticates user with a client certificate
If we want an OpenID Connect provider to authenticate a user with a client certificate, we need to explicitly add the attribute certAuthentication=true to the oauthProvider configuration element that is referenced by the openidConnectProvider configuration, and the user agent must be able to provide a client certificate for an OpenID Connect authorization request.
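The client-certificate setup described above, as an added server.xml sketch that is not part of the original page. All IDs, file names, the user, the client entry, the redirect URL and the environment variable names are constructed for illustration; the TLS settings are an assumption about how the user agent gets the chance to present its certificate.

```xml
<!-- Added example, not from the original page. IDs, file names, the user,
     the client and the redirect URL are constructed placeholders. -->
<server description="OP with client-certificate user authentication">
  <featureManager>
    <feature>openidConnectServer-1.0</feature>
    <feature>ssl-1.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>

  <!-- HTTP is disabled (-1) so the authorization endpoint is reachable over TLS only. -->
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="-1" httpsPort="9443"/>

  <!-- Server identity. Passwords come from the environment, not from this file. -->
  <keyStore id="defaultKeyStore" location="key.p12"
            password="${env.KEYSTORE_PASSWORD}"/>
  <!-- Trust store holding only the CA that issues user certificates. -->
  <keyStore id="userCertTrustStore" location="user-ca-trust.p12"
            password="${env.TRUSTSTORE_PASSWORD}"/>

  <!-- clientAuthenticationSupported makes the server request a client
       certificate during the TLS handshake; clientAuthentication="true"
       would require one on every connection. -->
  <ssl id="defaultSSLConfig"
       keyStoreRef="defaultKeyStore"
       trustStoreRef="userCertTrustStore"
       clientAuthenticationSupported="true"/>

  <!-- The presented certificate has to resolve to a user in the registry. -->
  <basicRegistry id="basic" realm="OpRealm">
    <user name="alice" password="${env.ALICE_PASSWORD}"/>
  </basicRegistry>

  <!-- certAuthentication goes on the oauthProvider element ... -->
  <oauthProvider id="OAuthConfigSample" certAuthentication="true">
    <localStore>
      <client name="client01" secret="${env.CLIENT01_SECRET}"
              displayname="client01"
              redirect="https://rp.example.com/callback"
              scope="openid profile" enabled="true"/>
    </localStore>
  </oauthProvider>

  <!-- ... and the openidConnectProvider points at it through oauthProviderRef. -->
  <openidConnectProvider id="OidcConfigSample"
                         oauthProviderRef="OAuthConfigSample"/>
</server>
```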
OpenID Connect provider delegates user authentication to a third-party OpenID Connect provider
We can configure an OpenID Connect provider to delegate user authentication to a third-party OpenID Connect provider. To enable this authentication delegation, configure the OP as an OpenID Connect relying party. Optionally, we can add an authentication filter so that the openIDConnectClient-1.0 feature protects only the OpenID Connect authorization endpoint (/oidc/<provider name>/authorize).