
OpenID Connect


OpenID Connect is a simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications. Its design philosophy is ‘make simple things simple and make complicated things possible’.

While OAuth 2.0 is a generic delegated-authorization protocol that can grant access to arbitrary data, it does not define how to authenticate users or how to communicate information about them. OpenID Connect adds a secure, flexible, and interoperable identity layer on top of OAuth 2.0 so that digital identities can be easily used across sites and applications.

Read the docs to learn more about using OpenID Connect in the Gluu Server.

Where OpenID 2.0 made people remember long URL identifiers, OpenID Connect standardizes on email addresses. Connect allows a user to authenticate to an app, a service, or a site (generically termed a Relying Party, or RP) using an identity established with any other OpenID Connect Identity Provider. This could be your Google or Facebook email address. Or, if you launch your own OpenID Connect Provider (OP) service using software like the Gluu Server, it could be any email address at your own domain!

The simplest deployment of OpenID Connect allows clients of all types, including browser-based, mobile, and JavaScript clients, to request and receive information about identities and currently authenticated sessions. The specification suite is extensible, allowing participants to optionally also support encryption of identity data, discovery of the OpenID Provider, and advanced session management, including logout.


How is OpenID Connect different from OpenID 2.0, SAML & OAuth?

OpenID Connect performs many of the same tasks as OpenID 2.0, OAuth, and SAML, but does so in a way that is standardized and API-friendly. OpenID Connect can also be extended to include more robust mechanisms for signing and encryption. Integrating OAuth 1.0a with OpenID 2.0 required an extension (the OpenID/OAuth hybrid); in OpenID Connect, OAuth 2.0 capability is built into the protocol itself. The following graphic presents a concise summary of why OpenID Connect is well positioned for mass developer adoption.

[Graphic: Why OpenID Connect?]

Jargon

In OpenID Connect, the jargon has been altered (surprise!) and here are a few terms you should be familiar with:

  • OpenID Connect Provider (OP): This is the equivalent of an IdP in SAML.
  • Relying Party (RP): What used to be SPs are now RPs in OpenID Connect.
  • Clients: Clients are websites, apps, and devices.
  • Claims: Claims are groups of attributes that are released to Clients.


OpenID Connect Client (RP) Software

  • oxd: Gluu’s OpenID Connect middleware product with libraries for PHP, Python, Java, Ruby, and C#
  • mod_auth_openidc: Excellent Apache httpd web server filter. See instructions for configuration on Gluu docs
  • nginx plugin: Plugin by the author of mod_auth_openidc
  • AppAuth: Excellent mobile libraries for iOS and Android.
  • JavaScript Implicit Flow Client: Read this blog by Nat Sakimura about how to easily write a client-side JavaScript authentication

OpenID Connect Reading List

Read our docs to learn more about using OpenID Connect in the Gluu Server.
