
OpenID Connect

OpenID Connect is an extension to OAuth 2.0 that adds authentication capabilities on top of this authorization framework.

The primary additions to OAuth 2.0 are the introduction of an id_token and a userinfo API endpoint.

ID Token

The ID Token is a JWT with identity and authentication information. It provides information about the subject that was authenticated as well as some details about the authentication action.

Userinfo

The Userinfo endpoint is an API that provides user information. Depending on the setup and configured preferences, it provides very much the same information as an id_token. Depending on your use case, you often either use an id_token or the Userinfo endpoint.

Logout

Often forgotten but no less important: the logout process. The core specifications of OpenID Connect do not describe the logout process, but additional specifications do. Idaas.nl has implemented OpenID Connect Front-Channel Logout 1.0.

Authentication Request

In OAuth 2.0 a client issues an authorization request. In OpenID Connect this authorization request is extended and is now referred to as an authentication request.

The goal of an authentication request is to identify the user. At a minimum, an OpenID authentication request contains a query parameter scope that includes the value openid. This is what characterizes all authentication requests.

This is an example.

https://login.limosa.io/oauth/authorize?response_type=code&client_id=8ec36338-6e65-4210-99da-5f7ceb8ca347&redirect_uri=https%3A%2F%2Fmy.idaas.nl%2Fcallback&scope=openid+applications:manage&state=zmg9uldm36&nonce=7yoqblfje8h

Apart from the OAuth 2.0 parameters, the following OpenID Connect specific parameters are supported by idaas.nl.

nonce

A required attribute when the response_type contains id_token. It should contain a random value, which ends up in the nonce claim of the retrieved id_token. It is used to verify that the id_token belongs to the initial authentication request.

acr_values

This attribute is used by idaas.nl to specify the required authentication level. Based on the levels specified, a subset of the configured authentication modules is presented to the user. In case only one module is possible, this module is automatically selected.

max_age

Specify the maximum lifetime of the current session.

prompt

If present, it should be either login or none.

display

If present, it should be popup.
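
The nonce round trip described above, as an added example that is not idaas.nl's own code: the client generates state and nonce for the authentication request, then checks that the nonce claim of the returned id_token matches. The function names and the sample tokens are constructed for illustration, and the code assumes the id_token's signature, issuer, audience and expiry have already been validated by a JWT library.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://login.limosa.io/oauth/authorize"  # from the example URL on this page


def build_auth_request(client_id, redirect_uri, scope="openid"):
    """Return (url, state, nonce). The client keeps state and nonce in the user's session."""
    if "openid" not in scope.split():
        raise ValueError("an authentication request needs 'openid' in scope")
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope,
                       "state": state, "nonce": nonce})
    return f"{AUTHORIZE_URL}?{query}", state, nonce


def jwt_claims(id_token):
    """Decode the payload segment only (assumption: signature, iss, aud and exp
    were already validated by a JWT library before this is called)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def nonce_matches(id_token, expected_nonce):
    """True only if the nonce claim equals the value sent in the request."""
    claim = jwt_claims(id_token).get("nonce")
    return isinstance(claim, str) and hmac.compare_digest(
        claim.encode(), expected_nonce.encode())


def make_sample_token(claims):
    """Constructed token for the demo; the signature segment is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    url, state, nonce = build_auth_request(
        "8ec36338-6e65-4210-99da-5f7ceb8ca347", "https://my.idaas.nl/callback",
        "openid applications:manage")
    print(url)
    fresh = make_sample_token({"sub": "user-1", "nonce": nonce})
    stale = make_sample_token({"sub": "user-1", "nonce": "7yoqblfje8h"})
    print(nonce_matches(fresh, nonce), nonce_matches(stale, nonce))
```

A token whose nonce claim is missing or carries a value from an earlier request is rejected, which is what ties the id_token to the request that started this login.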