by Dennis Guse
2023-09-19
"Process used to achieve sufficient confidence in the binding between the Entity and the presented Identity." (OpenID Connect Core 1.0, 2014)
"Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system." (NIST FIPS 200, 2006)
[Sequence diagram: Relying Party, User]
Authorization request (the RP redirects the User to the IDP):
HTTP/1.1 302 Found
Location: https://idp.example.com/authorize?
    response_type=code
    &scope=openid profile email phone address
    &client_id=rp.example.com
    &redirect_uri=https://rp.example.com/login-callback
Authorization response (the IDP redirects the User back to the registered redirect_uri of the RP):
HTTP/1.1 302 Found
Location: https://rp.example.com/login-callback?
    code=SomeRandomAuthenticationCode
Token request (the RP exchanges the code, authenticating itself to the IDP):
POST /token HTTP/1.1
Host: idp.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <client credentials of the RP>
grant_type=authorization_code
&code=SomeRandomAuthenticationCode
&redirect_uri=https://rp.example.com/login-callback
Response:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"token_type": "Bearer",
"access_token": "SomeAccessToken",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ......"
}
UserInfo request (the RP presents the access token):
GET /userinfo HTTP/1.1
Host: idp.example.com
Authorization: Bearer SomeAccessToken
Response:
HTTP/1.1 200 OK
Content-Type: application/json
{
"sub": "identity123456",
"given_name": "Alice",
"preferred_username": "a.doe",
"picture": "http://example.com/alice/me.jpg"
}
An IDP exposes the following endpoints:
GET /authorize
POST /token
GET /userinfo
GET /.well-known/openid-configuration
OpenID Connect: Discovery 1.0
Options:
OpenID Connect IDPs: