OpenID Connection is an extension for OAuth 2.0 and adds authentication capabilities on top of this authorization framework.
The primary additions to OAuth 2.0 are the introduction of an
id_token and an
userinfo API endpoint.
The ID Token is a JWT with identity and authentication information. It provides information about the subject that was authenticated as well as some details about the authentication action.
The Userinfo endpoint is an API that provides user information. Depending on the setup and configured preferences, it provides very much the same information as an
id_token. Depending on your use case, you often either use an
id_token or the Userinfo endpoint.
Often forgotten but not less important: the logout process. The core specifications of OpenID Connect do not describe the logout process but additional specifications do. Idaas.nl has implemented OpenID Connect Front-Channel Logout 1.0.
In OAuth 2.0 a client issues an authorization request. In OpenID Connect this authorization request is extend and is now referred to as an authentication request.
To goal of an authentication request is to identity the user. At a minimum, and OpenID Authentication request contains a query-parameter
scope that includes the value
openid. This is what characterizes all authentication requests.
This is an example.
Apart from the OAuth 2.0 parameters, the following OpenID Connect specific parameters are supported by
A required attribute in case the
id_token. It should contain a random value which ends up in the nonce-claim of the retrieved
id_token. It is used to verify the
id_token belongs to the initial authentication request.
This attribute is used by
idaas.nl to specify the required authentication level. Based on the levels specified, a subset of the configured authentication modules is presented to the user. In case only one module is possible, this module is automatically selected.
Specify the maximum lifetime of the current session.
If present, it should be either
If present, it should be