Questions tagged [openid-connect]

OpenID Connect (OIDC) is a REST-friendly identity protocol for the (possibly cross-domain) exchange of authenticated user identity, built on top of the OAuth 2.0 and JWT specifications.

OpenID Connect is an identity layer built on top of OAuth 2.0. It replaces the earlier OpenID 2.0 protocol but is not built on it. OAuth 2.0 is an authorization framework defined by RFC 6749. In OAuth 2.0, a client proves to a resource server that it is authorized by presenting a token issued by the authorization server; the resource server trusts the issuer of the token rather than the client itself.

OpenID Connect adds authentication to OAuth 2.0's authorization: a relying party can both obtain authorization and learn who the end user is, using identities stored at a common provider. The specification is built around HTTP and targets web resources. OpenID Connect introduces a new token type, the ID Token, which is a JSON Web Token (JWT, RFC 7519). Identity information about the authenticated user (issuer, subject, audience, issue and expiry times, and optionally a nonce) is carried in the ID Token's claims. Once the relying party receives an ID Token, it authenticates the end user by validating the token: verifying its signature (JWS, RFC 7515) or decrypting it (JWE, RFC 7516) with the keys the provider publishes, then checking that the issuer, audience, expiry and nonce match what the relying party expects. A token whose signature verifies but whose audience or nonce does not match must still be rejected.
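The validation steps above carried out in Python using only the standard library, as an added example that is not part of the tag wiki. It assumes an ID Token signed with HS256 using the client secret as the key, which OpenID Connect Core permits for confidential clients; an RS256 token is validated the same way except that the signature check uses the provider's published public key instead of an HMAC. The issuer, client identifier, secret and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: str) -> str:
    """Provider side (constructed for the example): sign the claims with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    mac = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(mac)])


class IdTokenError(ValueError):
    """Raised when an ID Token fails any validation step."""


def validate_id_token(token, *, client_secret, issuer, client_id, expected_nonce,
                      now=None, leeway=60):
    """Relying-party side: the checks from OpenID Connect Core 3.1.3.7."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("ID Token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm agreed at registration; the token's header must not choose it
    # (this is what rejects "alg": "none" and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected_mac = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, b64url_decode(sig_b64)):
        raise IdTokenError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IdTokenError("iss mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in audiences:
        raise IdTokenError("aud does not contain this client")
    if "azp" in claims and claims["azp"] != client_id:
        raise IdTokenError("azp names a different client")
    if len(audiences) > 1 and "azp" not in claims:
        raise IdTokenError("azp required when aud has several entries")
    if "sub" not in claims:
        raise IdTokenError("sub missing")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise IdTokenError("token expired")
    if not isinstance(claims.get("iat"), (int, float)):
        raise IdTokenError("iat missing")
    # nonce ties this token to the authentication request the relying party sent
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")
    return claims


def rejection_reason(token, **kwargs):
    """None when the token is accepted, otherwise the first failing check."""
    try:
        validate_id_token(token, **kwargs)
    except IdTokenError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Constructed sample: a token for client-a, checked a little after issuance.
    sample = mint_id_token(
        {"iss": "https://op.example", "sub": "user-1", "aud": "client-a",
         "exp": 1700003600, "iat": 1700000000, "nonce": "n-123"},
        "client-a-secret")
    print(validate_id_token(sample, client_secret="client-a-secret",
                            issuer="https://op.example", client_id="client-a",
                            expected_nonce="n-123", now=1700001000))
```

The order of the checks matters less than their completeness: libraries that verify only the signature and expiry will accept a valid token issued to a different client or replayed from an earlier login, which is exactly what the aud and nonce checks exist to stop.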

Besides the ID Token, OpenID Connect inherits access tokens, refresh tokens and the other entities defined by OAuth 2.0.

An OpenID Connect provider exposes two fundamental endpoints: the authorization endpoint and the token endpoint. The relying party, the party that relies on tokens issued by the provider, communicates with these endpoints to obtain authorization and receive tokens. It consumes the ID Token to authenticate the end user and presents the access token to the resource server.

To obtain the relevant tokens, the specification defines three flows:

1. Authorization code flow

2. Implicit flow

3. Hybrid flow

The authorization code flow is intended for confidential clients, that is, clients that hold a secret previously agreed with the OpenID Connect provider. This flow is recommended because tokens are returned over a back channel, directly from the token endpoint to the client, rather than through the end user's browser.

The implicit flow was originally intended for browser-based public clients. Such clients cannot protect a shared secret, so none is issued to them, and tokens are returned directly in the fragment of the redirect URI. Because that exposes tokens to the browser and to anything that can read the URL, current guidance (the OAuth 2.0 Security Best Current Practice) is to use the authorization code flow with PKCE for public clients rather than the implicit flow. The hybrid flow is a combination of the authorization code flow and the implicit flow and can be used by confidential clients.
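The authorization code flow with the state and PKCE checks that protect it, as an added example that is not part of the tag wiki. The provider is a small in-memory stand-in written for this example (not a real OpenID provider), and the endpoint URLs, client identifier and redirect URI are constructed values. The relying-party side builds the authorization request, checks state on the callback and sends the code together with its PKCE verifier to the token endpoint; the provider side checks the verifier against the challenge, binds the code to the client and redirect URI, and lets each code be redeemed only once. The same client code applies to public clients, which omit the client secret and rely on PKCE.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the example; a real deployment takes these from the
# provider's discovery document and its own client registration.
AUTHORIZATION_ENDPOINT = "https://op.example/authorize"
TOKEN_ENDPOINT = "https://op.example/token"
CLIENT_ID = "client-a"
REDIRECT_URI = "https://rp.example/callback"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """PKCE S256: code_challenge = base64url(sha256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# ---- relying party (client) side --------------------------------------------

def build_authorization_request(session: dict) -> str:
    """Generate state, nonce and PKCE verifier, keep them in the user's session,
    and return the URL the browser is redirected to."""
    session["state"] = b64url(secrets.token_bytes(16))          # CSRF binding, comes back in the redirect
    session["nonce"] = b64url(secrets.token_bytes(16))          # replay binding, comes back inside the ID Token
    session["code_verifier"] = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 PKCE range
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": s256_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url: str, session: dict) -> dict:
    """Check state, then build the body for the POST to the token endpoint."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("provider returned error: %s" % query["error"][0])
    # state is single use: pop it so a second callback carrying it is refused too
    if query.get("state", [None])[0] != session.pop("state", None):
        raise ValueError("state mismatch: callback is not bound to this session")
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("code_verifier"),
    }


# ---- provider side (in-memory stand-in, not a real OpenID provider) -----------

class MockProvider:
    def __init__(self):
        self.issued_codes = {}

    def authorize(self, request_url: str) -> str:
        """Pretend the user authenticated and consented; return the redirect URL."""
        q = parse_qs(urlsplit(request_url).query)
        if q.get("code_challenge_method", [None])[0] != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self.issued_codes[code] = {
            "challenge": q["code_challenge"][0],
            "client_id": q["client_id"][0],
            "redirect_uri": q["redirect_uri"][0],
            "nonce": q["nonce"][0],
        }
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, body: dict) -> dict:
        """Redeem a code exactly once, bound to the PKCE verifier, client and redirect URI."""
        record = self.issued_codes.pop(body.get("code"), None)
        if record is None:
            return {"error": "invalid_grant"}   # unknown, or already redeemed
        if body.get("client_id") != record["client_id"] or body.get("redirect_uri") != record["redirect_uri"]:
            return {"error": "invalid_grant"}
        if s256_challenge(body.get("code_verifier", "")) != record["challenge"]:
            return {"error": "invalid_grant"}   # verifier does not match the challenge
        return {
            "access_token": b64url(secrets.token_bytes(24)),
            "token_type": "Bearer",
            "expires_in": 3600,
            # A real provider returns a signed ID Token whose nonce claim equals
            # record["nonce"]; the stand-in exposes just that claim to show the binding.
            "id_token_nonce": record["nonce"],
        }


def run_flow(provider: MockProvider) -> dict:
    """One complete exchange; returns the token response."""
    session = {}
    callback = provider.authorize(build_authorization_request(session))
    return provider.token(handle_callback(callback, session))


if __name__ == "__main__":
    print(run_flow(MockProvider()))
```

Two details carry most of the security value: state is compared against the session and consumed, so a callback the user did not initiate cannot be completed, and the provider never sees the verifier until the token request, so an intercepted code is useless to anyone who does not also hold the verifier.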

5301 questions
1150 votes, 23 answers

What's the difference between OpenID and OAuth?

I'm really trying to understand the difference between OpenID and OAuth? Maybe they're two totally separate things?
Micah

164 votes, 3 answers

Single sign-on flow using JWT for cross domain authentication

There is a lot of information on the web about using JWT (Json Web Token) for authentication. But I still didn't find a clear explanation of what the flow should be when using JWT tokens for a single sign-on solution in a multiple domains…
electrotype

136 votes, 8 answers

Difference between OAuth 2.0 "state" and OpenID "nonce" parameter? Why state could not be reused?

OAuth 2.0 defines "state" parameter to be sent in request by client to prevent cross-site request attacks. Same is mentioned in OpenID spec for "nonce". Apart from the fact that "nonce" is returned in ID token instead of query parameters, they…
dvsakgec

118 votes, 5 answers

.NET Core Identity Server 4 Authentication VS Identity Authentication

I'm trying to understand the proper way to do authentication in ASP.NET Core. I've looked at several resources (most of which are outdated). Simple-Implementation-Of-Microsoft-Identity Introduction to Authentication with ASP.Core MSDNs…
johnny 5

118 votes, 8 answers

What is intent of ID Token expiry time in OpenID Connect?

In OpenID Connect an access token has an expiry time. For authorization code flow, this is typically short (eg 20 minutes) after which you use the refresh token to request a new access token. The ID token also has an expiry time. My question is…
Appetere

82 votes, 4 answers

How to specify refresh tokens lifespan in Keycloak

Keycloak refresh token lifetime is 1800 seconds: "refresh_expires_in": 1800 How to specify different expiration time? In Keycloak admin UI, only access token lifespan can be specified:
rok

81 votes, 7 answers

Verifying JWT signed with the RS256 algorithm using public key in C#

Ok, I understand that the question I am asking may be pretty obvious, but unfortunately I lack the knowledge on this subject and this task seems to be quite tricky for me. I have an id token (JWT) returned by OpenID Connect Provider. Here it…
Dmitry Nikolaev

57 votes, 4 answers

IdentityServer Flows

IdentityServer supports different OpenId Connect flows that are defined in the Flows enum and set for clients. There's also samples for each type of flow and many references to them in the docs but I could not find a simple definition list of what…
54 votes, 5 answers

Clarification on id_token vs access_token

I'm building a system with OIDC and OAuth 2.0 (using Auth0), and I'm unsure how to properly use the id_token and access_token. Or rather, I'm confused about which roles to assign to the various services in my setup. I have a fully static…
Christian Johansen

53 votes, 4 answers

Login to Keycloak using API

I have 2 different applications: say Application1 and Application2. I have integrated Application2 with keycloak and I am able to login to this application using Keycloak's login page. Now what I want is, if I login to my Application1 (without…
Akhil Prajapati

43 votes, 1 answer

Verify a signature in JWT.IO

I have generated the following token and am trying to verify the signature with http://jwt.io I have also attached the contents of my jwks endpoint that should have all the details I need to verify. So my question is: how do I get this to say…
Jeremy Gray

38 votes, 3 answers

Can I use AWS Cognito to provide an OpenID Connect endpoint?

I want to use AWS Cognito as an OpenID Connect provider. My AWS Cognito IdP will in turn call another OpenID provider to authenticate the user. It will then create its new token and hand it over to callers as its own. The OpenID provider used…
user93796

38 votes, 2 answers

Getting Scope Validating error in Identity Server 4 using JavaScript Client in asp.net core

I am getting the below error while making a request to my Identity Server application from my JavaScript client application. fail: IdentityServer4.Validation.ScopeValidator[0] Invalid scope: openid I have made sure I add the scope in my Identity…
maxspan

37 votes, 5 answers

I am getting "code challenge required" when using IdentityServer4

I am trying to redirect to IdentityServer for authorization, and getting "code challenge required" in redirect URL. An error message shows invalid_request with code challenge required, and also my redirect url…
37 votes, 4 answers

Custom attribute not passed into ID_TOKEN created by AWS Cognito

I am not able to get a custom attribute in the ID_TOKEN returned from AWS Cognito after successful user login. Steps I tried: 1. Created user pool 2. Created app client and checked the custom attributes (customattrib1, customattrib2) User Pool screen: Check…