OpenID Connect overview
OpenID Connect is a simple identity protocol and open standard built on top of the OAuth 2.0 protocol. It enables client applications to rely on authentication performed by an OpenID Connect Provider to verify the identity of a user. OpenID Connect reuses the OAuth 2.0 flows for authentication and authorization and adds an identity layer on top of them, so that the result uniquely identifies the user. Clients can also obtain basic profile information about a user in an interoperable and REST-like manner from OpenID Connect Providers.
WebSphere Application Server (WAS) supports OpenID Connect 1.0 and plays the role of a Client, or Relying Party, in web single sign-on. WAS implements an OpenID Connect Basic Client.
See: OpenID Connect Basic Client Implementer's Guide 1.0
Terminology
Access token: A credential used to access protected resources. An access token is a string that represents an authorization issued to the client.
Authorization Endpoint: A resource on an OpenID Provider that accepts an authorization request from a client to perform authentication and authorization of a user. In the Basic Client Profile the authorization endpoint returns an authorization grant (or code) to the client. In the Implicit Client Profile it returns an ID token and an access token to the client.
Authorization grant: A credential that represents a user's authorization to access resources. The client uses this credential to obtain an access token.
Claim: Information asserted about an entity. Examples of a claim include a phone number, first name, or last name.
ID token: A JSON Web Token (JWT) containing claims about the authenticated user.
Introspection Endpoint: A resource on an OpenID Provider that enables a client holding an access token to retrieve the information that was used to create that access token (such as the user name, granted scopes, or client ID).
OpenID Provider (OP): An OAuth 2.0 authorization server that can provide claims to a client, or Relying Party (RP).
Refresh token: A token issued to the client by the OP. The client uses it to obtain a new access token when the current access token expires, or to obtain additional access tokens.
Relying Party (RP): Either a WAS configured as an OpenID Connect Client, or a client application that requires claims from an OpenID Provider (OP).
Scope: A privilege or permission granted to access resources of a third party.
Token Endpoint: A resource on an OpenID Provider that accepts an authorization grant (or code) from a client in exchange for an access token, ID token, and refresh token.
WAS as an OpenID Connect Relying Party (client)
WAS can be configured to function as an OpenID Connect Relying Party, which enables WAS to rely on another OpenID Connect server that acts as an OP for user authentication and authorization.
With an OpenID Connect Basic Client, all token exchanges are handled through the token endpoint of the OpenID Connect Provider (OP). First, the client submits an authorization request to the authorization endpoint of the OP. When authentication and authorization with the OP are successful, the client receives an authorization grant (or code) from the OP. The client then sends this authorization code in a request to the token endpoint of the OP and receives an ID token, an access token, and a refresh token in the response. The client validates the ID token and retrieves the subject identifier of the user from it. This profile flow is intended for clients that can securely maintain a client secret between themselves and the OP, and it also allows clients to obtain a refresh token.
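The following is an added, self-contained Python model of the Basic Client exchange described above; it is example code written for this page, not WAS code and not any OP's implementation. It plays both sides in memory: a constructed toy OP that issues a one-time authorization code and exchanges it for tokens, and the RP steps of building the authorization request, checking the returned state, presenting the code and client secret at the token endpoint, and validating the ID token (signature, issuer, audience, expiry, nonce) before trusting the subject identifier. All endpoints, identifiers, and the client secret are constructed placeholders, and the ID token is signed with HS256 using the client secret purely so the example runs without a third-party JWT library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed registration data for a hypothetical OP and RP; none of these values
# come from a real deployment or from WebSphere configuration.
OP_ISSUER = "https://op.example.test"
AUTH_ENDPOINT = OP_ISSUER + "/authorize"
TOKEN_ENDPOINT = OP_ISSUER + "/token"
CLIENT_ID = "example-rp"
CLIENT_SECRET = "example-client-secret-not-for-real-use"
REDIRECT_URI = "https://rp.example.test/oidcclient/redirect"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt_hs256(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT signer so the example needs no third-party library."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class ToyOpenIDProvider:
    """In-memory stand-in for the OP: an authorization endpoint that issues a one-time
    code and a token endpoint that exchanges it. Constructed for this example only."""

    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, nonce, subject)

    def authorize(self, query: dict, authenticated_subject: str) -> str:
        # The OP has authenticated the user (assumed here) and redirects back with code + state.
        if query.get("response_type") != "code" or query.get("client_id") != CLIENT_ID:
            raise ValueError("unsupported authorization request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (CLIENT_ID, query["redirect_uri"], query.get("nonce"), authenticated_subject)
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, form: dict) -> dict:
        # The client authenticates with its secret; the code is single-use and bound to
        # the client ID and redirect URI it was issued for.
        if not hmac.compare_digest(form.get("client_secret", ""), CLIENT_SECRET):
            return {"error": "invalid_client"}
        entry = self.codes.pop(form.get("code"), None)
        if entry is None or entry[0] != form.get("client_id") or entry[1] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        now = int(time.time())
        claims = {"iss": OP_ISSUER, "sub": entry[3], "aud": CLIENT_ID, "iat": now, "exp": now + 300}
        if entry[2] is not None:
            claims["nonce"] = entry[2]
        return {"id_token": sign_jwt_hs256(claims, CLIENT_SECRET), "token_type": "Bearer",
                "access_token": secrets.token_urlsafe(24), "refresh_token": secrets.token_urlsafe(24)}


def build_authorization_request(state: str, nonce: str) -> str:
    """RP step 1: the URL the user's browser is redirected to at the authorization endpoint."""
    return AUTH_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile", "state": state, "nonce": nonce})


def validate_id_token(id_token: str, expected_nonce: str, now=None) -> dict:
    """RP step 3: verify signature, issuer, audience, expiry and nonce before trusting 'sub'."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; the token must not choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = now if now is not None else int(time.time())
    if claims.get("iss") != OP_ISSUER:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def run_basic_client_flow(op: ToyOpenIDProvider, user: str) -> dict:
    """Runs the complete Basic Client exchange end to end and returns what the RP learned."""
    state, nonce = secrets.token_urlsafe(12), secrets.token_urlsafe(12)
    auth_url = build_authorization_request(state, nonce)
    callback_url = op.authorize(dict(parse_qsl(urlparse(auth_url).query)), user)
    params = dict(parse_qsl(urlparse(callback_url).query))
    if not hmac.compare_digest(params.get("state", ""), state):  # binds the callback to this RP session
        raise ValueError("state mismatch")
    resp = op.token({"grant_type": "authorization_code", "code": params["code"], "client_id": CLIENT_ID,
                     "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI})
    if "error" in resp:
        raise ValueError(resp["error"])
    claims = validate_id_token(resp["id_token"], nonce)
    return {"sub": claims["sub"], "id_token": resp["id_token"], "nonce": nonce, "code": params["code"]}


if __name__ == "__main__":
    print("authenticated subject:", run_basic_client_flow(ToyOpenIDProvider(), "alice")["sub"])
```

The state check ties the callback to the browser session that started the request, the nonce check ties the ID token to that same request, and the OP's one-time code store means a code presented twice is rejected; a real RP would additionally fetch the OP's signing keys and verify an RS256 signature rather than a shared-secret HMAC.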
Logout
The OpenID Connect Relying Party supports logout through the HttpServletRequest.logout() Java API call. This API call clears the LtpaToken2 cookies and any other cookies the OpenID Connect Relying Party created.
Important: Logout through the deprecated revokeSSOCookies() method and through the ibm_security_logout servlet is not supported.
Related:
OpenID Connect Relying Party custom properties
Configure an OpenID Connect Relying Party