OpenID Connect Overview
This article gives a brief overview of the OpenID Connect standard and its main benefits.
A world of libraries and communities exists around open standards. In security it is rarely a good idea to invent a protocol yourself.
By using standard integrations, developers can focus on business value instead of security, and you don't have to worry about dependencies on proprietary integration packages and SDKs.
Over time, new standards will emerge and will have to be supported. If and when this occurs, already using a standard will make the transition to the new standards smoother.
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It specifies an extensible suite for client and end-user identity interaction that allows web, mobile, and script clients to request and receive information about authenticated sessions and end-users as well as providing access to backend APIs using OAuth 2.0 tokens.
This allows an identity provider to provide clients with end-user identification and basic profile information. The specification is available at https://openid.net/specs/openid-connect-core-1_0.html.
Custom Authentication without Code
The Authentication Service is an advanced authentication multiplexor that can be configured to meet any app or website's needs. With 25+ ready-made methods and a workflow engine of actions that run on login and SSO, the Curity Identity Server allows you to authenticate users for API access without custom code.
The Token Service is the cornerstone for securing APIs. It is responsible for issuing tokens (tickets) that carry information about the caller for access control decisions. To really leverage OAuth and OpenID Connect for distributed authorization, a flexible Token Service is a necessity.
One API to Manage Users
The User Management Service offers a standardized way to manage users and simplifies access to legacy data sources. You can integrate with any user repository or database, allowing developers to work with JSON over REST, instead of SQL queries and LDAP operations.
Advanced Configuration Management
Curity Identity Server comes with a carrier-grade configuration service, where transaction-based changes, rollbacks, and backups of your entire cluster can be made with a single command. The cohesive configuration service provides an easy-to-use Web UI, a scriptable Juniper-style CLI, a standards-based RESTCONF API, and XML config files, built for automation and massive scale.
Deploy on Any Platform
The Curity Identity Server can be deployed in any environment and fits easily into your CI/CD pipelines with its multi-faceted management capabilities. With ready-made Docker images and Kubernetes helm charts, a Curity cluster that auto-scales linearly without inter-node dependencies can be set up in hours.
OpenID Connect is API ready, since it is based on OAuth 2.0, which is already a great standard for providing authorization with a good set of flows that OpenID Connect expands on.
The response format and sometimes the request formats are based on JSON.
JSON Web Token (JWT, pronounced "jot") is a JSON-based open standard for creating tokens that assert some number of claims. It consists of claims encoded into a JSON object.
The tokens are signed or encrypted, allowing all parties in possession of the key to verify that the token is legitimate. Depending on the type of keys and algorithms used, JWTs can be secured against tampering and eavesdropping, and can provide non-repudiation.
OpenID Connect is a protocol designed to support mobile applications. It works well in both mobile apps and web apps. It supports mobile single sign-on.
OpenID Connect allows you to dispense with managing and distributing certificates or other methods requiring even greater amounts of overhead. The protocol provides a key distribution mechanism called JSON Web Key Set (JWKS).
With OpenID Connect, it is easy to separate different login domains, completely avoiding crossover between domains.
OpenID Connect provides endpoints for Clients to use when they need access to user data. It also provides mechanisms for the user to consent before this data is released to the client.
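The JWT and JWKS passages above describe a signed token whose claims a client verifies with a key it obtained from the provider's key set. The following is an added example, not code from the page or from Curity, that shows both halves with only the Python standard library: a constructed JWKS document holding two symmetric keys identified by `kid`, a signer that mints an HS256 JWT, and a verifier that picks the key by `kid`, checks the signature, and then validates the `iss`, `aud` and `exp` claims that OpenID Connect Core requires a client to check on an ID token. Symmetric HS256 keys are an assumption made so the example runs offline; a real OpenID Provider publishes asymmetric public keys (RSA or EC) at its `jwks_uri` and the client never holds the signing key. The issuer, audience and key names are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without padding (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWKS document (not from any real provider). Two "oct" (HMAC) keys
# with different "kid" values, as a provider would publish during key rotation.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "oct", "kid": "2024-01", "alg": "HS256",
         "k": b64url_encode(b"previous-demo-key-do-not-use-0001")},
        {"kty": "oct", "kid": "2024-02", "alg": "HS256",
         "k": b64url_encode(b"current-demo-key-do-not-use-00002")},
    ]
}

ISSUER = "https://idp.example"      # constructed issuer URL
CLIENT_ID = "demo-client"           # constructed client_id, i.e. the expected aud


def key_for_kid(jwks: dict, kid: Optional[str]) -> bytes:
    # Select the key named in the token header; unknown kids are rejected
    for jwk in jwks["keys"]:
        if jwk.get("kty") == "oct" and jwk.get("kid") == kid:
            return b64url_decode(jwk["k"])
    raise ValueError(f"no key with kid {kid!r} in JWKS")


def sign_jwt(claims: dict, jwks: dict, kid: str) -> str:
    # header.payload is the signing input; the HMAC over it is the third segment
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key_for_kid(jwks, kid), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, jwks: dict, issuer: str, audience: str,
               now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the accepted algorithm; never let the token choose (rejects "none" and alg confusion)
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    key = key_for_kid(jwks, header.get("kid"))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    # Only after the signature is good are the claims trustworthy enough to inspect
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def demo(now: float = 1_700_000_000) -> dict:
    # Mint a valid token, then show how a tampered, expired and alg=none token are refused
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "iat": now, "exp": now + 3600}
    good = sign_jwt(claims, SAMPLE_JWKS, "2024-02")
    results = {"valid": verify_jwt(good, SAMPLE_JWKS, ISSUER, CLIENT_ID, now=now)["sub"]}
    h, _, s = good.split(".")
    forged_payload = b64url_encode(json.dumps({**claims, "sub": "mallory"}).encode())
    none_header = b64url_encode(json.dumps({"alg": "none", "kid": "2024-02"}).encode())
    none_token = f"{none_header}.{good.split('.')[1]}."
    for name, tok, when in [("tampered", f"{h}.{forged_payload}.{s}", now),
                            ("expired", good, now + 7200),
                            ("alg_none", none_token, now)]:
        try:
            verify_jwt(tok, SAMPLE_JWKS, ISSUER, CLIENT_ID, now=when)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order of checks is deliberate: the algorithm is pinned before any key lookup, the signature is checked before the claims are parsed for content, and the claims are validated against values the client already knows (its own `client_id` and the issuer from discovery) rather than anything taken from the token. Rotating keys only requires the provider to add a new entry to the JWKS and start signing with the new `kid`; tokens signed under the previous key keep verifying until it is removed.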
With the Curity Identity Server, you get a Single Sign-On solution with all the benefits of the OpenID Connect standard, and it also offers expanded features built on these standards, with a clearly implemented Neo-Security Architecture.
The Curity Identity Server provides the standard OpenID Connect benefits for SSO, but also enables a range of other options that further improve the SSO experience and security.
Since you are sharing the SSO session between domains, it makes sense to also make that clear to the user through a unified user experience. In the Curity Identity Server, this is automatically enabled through the configuration.
In the Curity Identity Server you can define in detail not only how to share the SSO session, but also specify which other data to share, allowing for differentiated security based on which client is making requests.
In the Curity Identity Server, it's possible to run an OpenID Connect flow in a secure iframe. This means that the frame is only embeddable from the sites that have been pre-configured in the Curity Identity Server. Any other attempt to embed the frame will cause the frame to not load or to break out.
This makes it possible for organizations to keep the user on the same site even when authenticating.
Not only does the Curity Identity Server support SSO, it also supports all single logout mechanisms defined in the OpenID Connect standard, giving you the right tools for ensuring that SSO sessions are securely cleaned up.
For more information, see the Curity Developer Portal.