OpenID Connect overview
OpenID Connect is a simple identity protocol and open standard that is built on top of the OAuth 2.0 protocol. It enables client applications to rely on authentication performed by an OpenID Connect Provider to verify the identity of a user.
OpenID Connect uses the OAuth 2.0 authorization flows and adds an identity layer on top of them: the OpenID Connect Provider returns an ID token that uniquely identifies the authenticated user, so the client learns who logged in rather than only receiving an access token. Clients can also obtain basic profile information about a user in an interoperable and REST-like manner from OpenID Connect Providers.
WebSphere Application Server supports OpenID Connect 1.0 and acts as a Client, or Relying Party, in web single sign-on. WebSphere Application Server implements an OpenID Connect Basic Client. Read the OpenID Connect Basic Client Implementer's Guide 1.0 for more information.
Terminology
- Access token
- A credential used to access protected resources. An access token is a string, and represents an authorization that is issued to the client.
- Authorization Endpoint
- A resource on an OpenID Provider that accepts an authorization request from a client, authenticates the user, and obtains the user's authorization. In the Basic Client Profile, the authorization endpoint returns an authorization grant (or code) to the client. In the Implicit Client Profile, the authorization endpoint returns an ID token and access token directly to the client.
- Authorization grant
- A credential that represents a user's authorization to access resources. This credential is used by a client to obtain an access token.
- Claim
- Information that is asserted about an entity. Examples of a claim include a phone number, first name or last name.
- ID token
- A JSON Web Token (JWT) containing claims about the authenticated user.
- Introspection Endpoint
- A resource on an OpenID Provider that enables a client that holds an access token to retrieve information about that token, such as whether it is still active, the user name it was issued for, the granted scopes, or the client ID it was issued to.
- OpenID Provider (OP)
- An OAuth 2.0 authorization server that can provide claims to a client, or Relying Party (RP).
- Refresh token
- A token that is issued to the client by the OP. The token is used to obtain a new access token when the current access token expires or to obtain more access tokens.
- Relying Party (RP)
- A client application that requires claims from an OpenID Provider (OP); in this context, a WebSphere Application Server that is configured as an OpenID Connect Client.
- Scope
- A string that names the privileges or permissions a client requests on a user's resources at a third party. An OpenID Connect authorization request must include the openid scope.
- Token Endpoint
- A resource on an OpenID Provider that accepts an authorization grant (or code) from a client in exchange for an access token, an ID token, and optionally a refresh token.
The WebSphere Application Server as an OpenID Connect Relying Party (client)
WebSphere Application Server can be configured to function as an OpenID Connect Relying Party, which enables it to rely on an external OpenID Provider (OP) for user authentication and authorization.
With an OpenID Connect Basic Client, all token exchanges are handled using the token endpoint of the OpenID Connect Provider (OP). First, the client redirects the user to the authorization endpoint of the OP with an authorization request. When authentication and authorization with the OP are successful, the client receives an authorization grant (or code) from the OP on its redirect URI. The client then sends this authorization code, together with its client credentials, in a direct request to the token endpoint of the OP, and receives an ID token, an access token, and a refresh token in the response. The client validates the ID token (its signature, issuer, audience, expiry, and the nonce it sent in the authorization request) and retrieves the subject identifier of the user. This profile flow is intended for clients that can securely maintain a client secret between themselves and the OP, and it also enables clients to obtain a refresh token.
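The flow above, as an added worked example that is not part of this page or of the WebSphere product code: both sides of the exchange are simulated in one Python script so it runs offline. The Relying Party builds the authorization request, checks the state on the callback, exchanges the code at the token endpoint with its client secret, and validates the ID token before trusting the subject. All endpoints, identifiers, keys and the HS256 signature are constructed assumptions for the example; a real OP normally signs ID tokens with RS256 and publishes its keys at a jwks_uri.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration for the example; nothing here comes from a real OP or RP.
OP_ISSUER = "https://op.example.com"
CLIENT_ID = "was-rp"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://rp.example.com/oidcclient/redirect/op"
SIGNING_KEY = b"constructed-hs256-key"  # toy OP signs with HS256; real OPs usually use RS256 and jwks_uri

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

# ---- toy OpenID Provider (OP) ----------------------------------------------
issued_codes = {}  # code -> (client_id, redirect_uri, nonce, sub); each code is single use

def op_authorize(request_url: str, authenticated_user: str) -> str:
    """Authorization endpoint: (simulated) user login, then redirect back with a code."""
    q = query(request_url)
    if q.get("response_type") != "code" or "openid" not in q.get("scope", "").split():
        raise ValueError("not an OpenID Connect authorization code request")
    code = secrets.token_urlsafe(16)
    issued_codes[code] = (q["client_id"], q["redirect_uri"], q.get("nonce"), authenticated_user)
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

def op_token(form: dict, client_id: str, client_secret: str) -> dict:
    """Token endpoint: authenticates the client, consumes the code, issues the tokens."""
    if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
        return {"error": "invalid_client"}
    entry = issued_codes.pop(form.get("code"), None)
    if entry is None or entry[0] != client_id or entry[1] != form.get("redirect_uri"):
        return {"error": "invalid_grant"}
    _, _, nonce, sub = entry
    now = int(time.time())
    claims = {"iss": OP_ISSUER, "sub": sub, "aud": client_id, "iat": now, "exp": now + 300, "nonce": nonce}
    head, body = b64url(b'{"alg":"HS256","typ":"JWT"}'), b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return {"id_token": f"{head}.{body}.{b64url(sig)}", "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(16), "refresh_token": secrets.token_urlsafe(16)}

# ---- Relying Party (the role WebSphere Application Server plays) -------------
def rp_authorization_request() -> tuple:
    """Builds the front-channel redirect; state and nonce must be kept in the user's session."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = OP_ISSUER + "/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile", "state": state, "nonce": nonce})
    return url, state, nonce

def rp_parse_callback(callback_url: str, expected_state: str) -> str:
    """Binds the callback to the session via state (CSRF check) and returns the code."""
    q = query(callback_url)
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    return q["code"]

def rp_exchange_code(code: str) -> dict:
    """Back-channel call to the token endpoint, authenticated with the client secret."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    tokens = op_token(form, CLIENT_ID, CLIENT_SECRET)
    if "error" in tokens:
        raise ValueError("token endpoint error: " + tokens["error"])
    return tokens

def rp_validate_id_token(id_token: str, expected_nonce: str, now: int = None) -> dict:
    """Checks alg, signature, iss, aud, exp and nonce; returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ID token")
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":  # never accept alg=none or a surprise alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    aud = claims.get("aud")
    if claims.get("iss") != OP_ISSUER:
        raise ValueError("wrong issuer")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("ID token not issued to this client")
    if now >= claims.get("exp", 0):
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or foreign ID token)")
    return claims

def run_basic_client_flow(authenticated_user: str = "alice") -> str:
    """Runs the whole Basic Client flow and returns the subject identifier the RP will use."""
    url, state, nonce = rp_authorization_request()
    code = rp_parse_callback(op_authorize(url, authenticated_user), state)
    return rp_validate_id_token(rp_exchange_code(code)["id_token"], nonce)["sub"]
```

Calling run_basic_client_flow("alice") returns "alice". The checks that matter for a Relying Party are the ones in rp_parse_callback and rp_validate_id_token: the state binds the callback to the browser session, the nonce binds the ID token to the authorization request, and the audience check stops an ID token minted for another client from being accepted here. The toy token endpoint also shows why the code alone is not enough: it is single use and the exchange requires the client secret.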
For information about how to configure WebSphere Application Server as an OpenID Connect Client, read Configure an OpenID Connect Relying Party.
Related concepts
OpenID Connect Relying Party custom properties
Related tasks
Configure an OpenID Connect Relying Party