OpenID Connect (OIDC) authentication
OpenID Connect is a simple identity protocol and open standard that is built using the OAuth 2.0 protocol. It enables client applications to rely on authentication that is performed by an OpenID Connect Provider (OP) to verify the identity of a user. OpenID Connect uses OAuth 2.0 for authentication and authorization, and then builds identities that uniquely identify users.
WebSEAL provides a native OpenID Connect relying party (RP) capability that can consume an identity token issued by an OpenID Connect Provider to establish an authenticated session.
The WebSEAL implementation does not implement the complete specification for OIDC relying parties. The following parts of the specification are not supported by WebSEAL:
Section  Description
3.3      Hybrid Flow
5.3      Retrieving claims from the UserInfo Endpoint
6        Request Parameters as JWTs
8.1      Pairwise Subject Identifier Type
9        Only the client_secret_basic authentication type will be supported.
10.2     JWE - Encryption of the JWT
11       Offline Access
12       Use refresh tokens for authentication
15.3     Dynamic registration will not be supported.
In addition to this, the key identifier (KID) is required to be present in the JSON Web Key Set (JWKS) which is obtained from the OP.
If you need the complete RP capabilities, IBM recommends that you instead use the RP provided as a part of the ISAM Federation offering.
- Landing page
A new landing page has been introduced to WebSEAL to handle the OIDC RP capability: ‘/pkmsoidc’.
- Authentication flow
The OIDC specification states that authentication can follow one of three paths: the Authorization Code Flow, the Implicit Flow, or the Hybrid Flow. The flow determines how the ID Token and Access Token are returned to the Client. The Authorization Code Flow and the Implicit Flow are described below (note that WebSEAL does not support the Hybrid Flow).
- Enable and disable OIDC authentication
The oidc-auth stanza entry is located in the [oidc] stanza of the WebSEAL configuration file. It enables and disables the OIDC authentication method.
- Configure the OIDC RP
The RP functionality is configured using the ‘[oidc]’ and ‘[oidc:<op-id>]’ stanzas. Multiple OPs may be configured for authentication by creating a separate ‘[oidc:<op-id>]’ stanza for each OP, where the ‘<op-id>’ qualifier is a unique name for the OP. This qualifier is then used to distinguish authentication requests for different OPs through the ‘iss’ argument to the ‘/pkmsoidc’ landing page. A default OP may also be specified using the default-op configuration entry; it is used when no OP is specified in the iss argument to the ‘/pkmsoidc?iss=’ landing page.
- Error handling
If the OP reports an error while processing the authorization grant during an authorization code flow, WebSEAL returns the following error page to the client: 3898342f.html. The following macros will be set based on the error response received from the OP:
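As an added example (not WebSEAL code), the following Python shows the checks an RP applies to an ID token before establishing a session, including the requirement stated above that the token's key identifier (kid) is present in the OP's JWKS. The issuer, client ID, key and token are constructed, and a shared-secret HS256 key stands in for the RSA key a real OP would publish so that the example runs with the standard library alone.

```python
import base64, hmac, hashlib, json, time

# Constructed stand-in for what an [oidc:<op-id>] stanza would hold; the key
# names are illustrative, not WebSEAL configuration entries.
OP_CONFIG = {"issuer": "https://op.example.com", "client_id": "webseal-rp"}
# Constructed JWKS: real OPs publish RSA keys (RS256); an "oct" key is used
# here only so the signature check works with the standard library.
SECRET = b"constructed-shared-secret"
JWKS = {"keys": [{"kty": "oct", "kid": "key-2024", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(SECRET).rstrip(b"=").decode()}]}

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_id_token(claims, kid="key-2024", key=SECRET):
    """Constructed OP side: mint an HS256 ID token so the RP check can run offline."""
    header = _b64e(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64e(sig)}"

def validate_id_token(token, nonce, now=None):
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64d(header_b64))
    # The kid must be present in the header and must appear in the OP's JWKS.
    kid = header.get("kid")
    keys = {k["kid"]: k for k in JWKS["keys"] if "kid" in k}
    if kid is None or kid not in keys:
        raise ValueError("kid missing from token header or not present in JWKS")
    jwk = keys[kid]
    if header.get("alg") != jwk.get("alg"):  # refuse algorithm substitution
        raise ValueError("alg does not match the selected key")
    expected = hmac.new(_b64d(jwk["k"]), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body_b64))
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != OP_CONFIG["issuer"]:
        raise ValueError("iss does not match the configured OP")
    if OP_CONFIG["client_id"] not in aud:
        raise ValueError("client_id not in aud")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims
```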