Using OpenID Connect to authenticate a person in Java
The OpenID Connect Protocol offers Java developers a way to authenticate a person at any Internet domain that supports the standard. To accomplish this, the domain must provide a way to register clients--the website and mobile applications that use the authentication API offered by the domain.
Discovery is the first step! Luckily, its super-easy! All you have to
do is make a get request to
This will tell you everything you need to know about this OpenID Connect provider, like what are the endpoints (URLs), what crypto is supported, and what user claims can you ask for.
An example of a Discovery Request, using the oxAuth RP library.
In SAML, the website was called a "Service Provider." In OpenID Connect, the website (or mobile application) is called a "Client". Clients can be registered manually by the OP, but more frequently, clients use the Dynamic Registration API to automate the process.
Obtaining the id_token
After your client is registered, it is time to get down to business. OpenID Connect offers two common workflows for authentication: basic (where the person is using a browser, and can be re-directed) and implicit where the client sends the credentials, including the secret. There is a useful implements guide for basic and implicit.
See OpenID Connect plugin for Passport for further details.