OpenID Connect Overview

OpenID Connect Overview

architect

Brief overview of the OpenID Connect Standard.

Overview

In this article we will take a look at the main benefits of OpenID Connect.


The benefits of standards

A world of libraries and communities exist when using open standards. In security it’s is rarely a good idea to invent a protocol yourself.

By using standard integrations, developers can focus on business value instead of security. You don’t have to worry about dependencies to proprietary integration packages and SDKs.

Over time, new standards will emerge, and will have to be supported, if and when this occurs, already using a standard will make the transition to new standards smoother.

What is OpenID Connect?

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It specifies an extensible suite for client and end-user identity interaction that allows web, mobile, and script clients to request and receive information about authenticated sessions and end-users as well as providing access to backend APIs using OAuth 2.0 tokens.

This allows an identity provider to provide clients with end-user identification and basic profile information. The specification is available at https://openid.net/specs/openid-connect-core-1_0.html.

OpenID Connect - the internet identity layer

OpenID Connect is the leading Internet standard for cross domain single sign-on and identity. It uses JWTs (JSON Web Tokens) as identity token format and extends OAuth 2.0 flows that work for the web, mobile apps and mobile browsers.

The main benefit of using OpenID Connect is that it provides a completely standardized set up, with no additional surprises. Since it is built on OAuth 2.0 it is API ready, but adds the missing pieces in OAuth so that the client can know who logged in, how strongly etc.

OpenID Connect doesn’t itself define how authentication should be performed but it provides a standardized protocol on how to ask for authentication, and how the result of authentication should be presented to the client.

API-ready

OpenID Connect is API ready, since it is based on OAuth 2, already a great standard for providing authorization with a good set of flows, that OpenID Connect expands on.

JSON

The response format and sometimes the request formats are based on JSON.

JSON (JavaScript Object Notation) is human-readable, but still suitable for machine parsing, is language independent and has simple conventions, making it easy to work with. As it consists of name/value-pairs in an ordered list of values, it is a good data-interchange format.

JWT

JSON Web Tokens (JWT pronounced jot) is a JSON-based open standard for creating tokens that assert some number of claims. It consists of claims encoded into a JSON object.

The tokens are signed or encrypted, allowing all parties in possession of the key to be able to verify that the token is legitimate. Depending on type of keys and algorithms used JWTs can be secured against tampering, eves dropping and non repudiation.

Mobile friendly

OpenID Connect is a protocol designed to support mobile applications. It works well in both mobile apps and web apps. It supports mobile single sign-on.

Key distribution

OpenID Connect allows you to dispense with managing and distributing certificates or other methods requiring even greater amounts of overhead. The protocol provides a key distribution mechanism called JSON Web Key Set (JWKS).

No Crossover

With OpenID Connect, it is easy to separate different login domains, completely avoding crossover between domains.

User Information

OpenID Connect provides endpoints for Clients to use when they need access to user data. It also provides mechanisms for the user to consent before this data is released to the client.


The Curity Solution

Curity provides the full benefits of OAuth and OpenID Connect standards, but also offers additional functionality to combat the risk for scope explosion.

There is also special handling of claims and scopes, such as mapping claims to specific clients and custom groupings that allow for greater flexibility and a more manageable architecture.

More information

For more information, see the mentioned articles above, or the Curity Developer Portal

Let’s Stay in Touch!

Get the latest on identity management, API Security and authentication straight to your inbox.

Keep up with our latest articles and how-tos using RSS feeds