OpenID Connect is a simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications. Its design philosophy is ‘make simple things simple and make complicated things possible’.
While OAuth 2.0 is a generic access authorization delegation protocol, thus enabling the transfer of arbitrary data, it does not define ways to authenticate users or communicate information about them. OpenID Connect provides a secure, flexible, and interoperable identity layer on top of OAuth 2.0 so that digital identities can be easily used across sites and applications.
Where OpenID 2.0 made people remember long url ID’s, OpenID Connect standardizes on email. Connect allows a user to authenticate to an App, a service or a site (generically termed a Relying Party, or RP) using an identity established with any other OpenID Connect Identity Provider. This could be your Google or Facebook email address. Or, if you launch your own OpenID Connect IDP like the Gluu Server, it could be your email address at your very own domain!
How is OpenID Connect different than OpenID 2.0, SAML & OAuth?
OpenID Connect performs many of the same tasks as OpenID 2.0, OAuth and SAML, but does so in a way that is standardized and API-friendly. OpenID Connect can also be extended to include more robust mechanisms for signing and encryption. Integration of OAuth 1.0a and OpenID 2.0 required an extension (called the OpenID/OAuth hybrid); in OpenID Connect, OAuth 2.0 capability is built into the protocol itself. The following graphic presents a concise summary as to why OpenID Connect is well positioned for mass developer adoption.
In OpenID Connect, the jargon has been altered (surprise!) and here are a few terms you should be familiar with:
- OpenID Connect Provider (OP): This is the equivalent of an IdP in SAML.
- Relying Party (RP): What used to be SP’s, are now RP’s in OpenID Connect.
- Clients: Clients are websites, apps, and devices.
- Claims: Claims are groups of attributes that are released to Clients.
OpenID Connect Client (RP) Software
- oxd: Gluu’s OpenID Connect middleware product with libraries for Php, Python, Java, Ruby, Python, and C#
- mod_auth_openidc: Excellent Apache httpd web server filter. See instructions for configuration on Gluu docs
- nginx plugin: Plugin by the author of mod_auth_openidc
- AppAuth: Excellent mobile libraries for iOS and Android.
OpenID Connect Reading List
- OpenID Connect v. SAML v. OAuth 2.0
- When to use Implicit Flow
- OpenID Connect Audiences
- How To Control User Identity Within Microservices
- Slides from Microsoft:
- New Standards Emerging for HoK Tokens:
- Minimalist blog from Nat Sakimura:
- OpenID Connect Certifications:
- Overview from Travis Spencer (former Ping CTO):
- OAuth 2.0 Authentication
- Stop using JWT for sessions