Questions tagged [openid-connect]

OpenID Connect (OIDC) is a REST-friendly protocol for the (possibly cross-domain) exchange of user identity built on top of the OAuth 2.0 and JWT specifications.

OpenID Connect is a protocol built on top of OAuth 2.0 and OpenID; the OpenID Connect Core specification is published by the OpenID Foundation. OAuth 2.0 is an authorization framework defined by RFC 6749. In this protocol, trust between the resource owner and the resource server (that is, authentication) is built on tokens.

As noted above, OpenID Connect lets applications authorize and authenticate users against identities stored in a common location. The specification is built around HTTP and targets web resources. OpenID Connect introduces a new token type, the ID Token, which is a JSON Web Token (JWT). Identity information about the authorized user is carried in the ID Token. Once an ID Token is received, it can be verified to authenticate the end user; the JWT specification (RFC 7519) defines how such tokens are validated, including signature verification and encryption.

Besides the ID Token, OpenID Connect inherits access tokens, refresh tokens and the other entities defined by OAuth 2.0.

An OpenID Connect provider has two fundamental endpoints: the authorization endpoint and the token endpoint. The relying party, the party that relies on tokens issued by the OpenID Connect provider, communicates with these endpoints to obtain authorization and receive tokens. The relying party consumes these tokens to authenticate the end user and to communicate with the resource server.

To obtain the relevant tokens, the specification defines three flows:

1. Authorization code flow

2. Implicit flow

3. Hybrid flow

The authorization code flow is intended for confidential clients, that is, clients that have a previously agreed secret shared with the OpenID Connect provider. This flow is recommended because it is secure.

The implicit flow, on the other hand, is recommended for browser-based public clients. Such clients cannot protect a shared secret, so no secret is shared. The hybrid flow combines the authorization code flow and the implicit flow and can be used by confidential clients.

5301 questions
2 votes, 2 answers

Specifying Client secrets in JwtBearerOptions for Azure Active Directory authentication

If I create a new ASP.NET Core MVC application in Visual Studio 2017, I can add client secrets with one line to AzureAdServiceCollectionExtensions: public void Configure(string name, OpenIdConnectOptions options) { options.ClientId =…
Justin Dearing
2 votes, 0 answers

Slack: 3rd party account linking

I wonder if it is possible to use account linking (like you can do e.g. with Google Actions or Amazon Alexa) with a Slack bot in order to use customer information from my own 3rd party service/app. One use case would be like: add slack bot (e.g. a…
thomas
2 votes, 1 answer

silent renew in oidc-client-js does not work

I am using oidc-client-js library to work with IdentityServer3, it works perfect but I cannot set up automatic “silent token renew” each time when oidc-client-js tries to renew token I get error in console Refused to display …
2 votes, 1 answer

Windows Authentication does not accept credentials

I have an Identity Server (ASP.NET Core 2 with Identity Server 4 2.0.0) configured to use Kestrel and IISIntegration, with both Anonymous and Windows authentication enabled on launchSettings.json. I also configured IISOptions like…
2 votes, 2 answers

Multiple authentication schemes in ASP.NET Core 2.0

I need to support two authentication types in ASP.NET Core 2.0 MVC application: AddIdentityServerAuthentication AddOpenIdConnect It was very easy in ASP.NET Core 1.0 version. But in version 2.0 version syntax changed. This is my…
2 votes, 1 answer

Babel - Cannot read property 'TYPED_ARRAY_SUPPORT' of undefined

I'm trying to use the oidc-client library in my React project but run into the same error every time I run the code: Babel - Cannot read property 'TYPED_ARRAY_SUPPORT' of undefined. I know that there's a specific Redux implementation of this library…
Carvallegro
2 votes, 0 answers

infinite redirect loop after login from Azure Active Directory to web app - not HTTPS issue

I'm seeing some really strange behavior in one of my Azure applications. I'm using OpenID and Azure Active Directory for logging into my site. When I first deploy my application and log in, it works perfectly and will continue to work (log out and…
Blair Holmes
2 votes, 0 answers

Identity Server 4 / Single SignOut and SignOut from External IdP at the same time

I have an IdentityServer 4 host, acting as IdP for several apps. IdSrv uses an external provider for user authentication. On SignOut request from any app I have to close all existing sessions for the user. Single signout using FrontChannelLogoutUri…
d_f
2 votes, 0 answers

Gmail accounts logged in through Outlook

I managed to log in with my Gmail account in Outlook web mail client without going through the steps in this article:…
2 votes, 0 answers

Reference flow for OAuth2 password flow + 3rd party OpenID Connect

We have a working REST API which uses OAuth2 password grant (for access through our own Web UI) and client credentials grant (for scripted access), and may allow other grants in the future. Recently a request came up to support 3rd party Single…
shevron
2 votes, 0 answers

How to use bearer-only access type authentication for Keycloak for asp.net APIs?

I have created a sample REST API and secured it using Keycloak OpenID Connect. For the client I have selected the confidential access type. When I run the application it redirects to the Keycloak login page and authentication works well, but I want to…
2 votes, 1 answer

Adding custom Claim for access in API with IdentityServer4

I'm trying to work with an application that uses IdentityServer4; it has the basic setup of the identity server, MVC client, and web API. I have a custom Profile service (which I've registered in Startup.cs) where I'm adding a custom claim, here's my…
Steven
2 votes, 2 answers

ASP.NET Core application gets into infinite loop of authentication with IdentityServer3

Background: We have an ASP.NET Core application which has been in production for the last year. Recently we converted our application from VS 2015 to VS 2017, so we moved from a json-based project to a csproj-based project. We also upgraded the .NET Core runtime…
LP13
2 votes, 0 answers

Keycloak IdP brokering to SAML 2.0 IdP providers (ping federate)

I have a REST service which is registered as a bearer-only client in Keycloak (openid-connect). This REST service works fine with Keycloak auth protection. I also have an Angular Web UI which bootstraps via the Keycloak JS adapter and gets the login screen from…
2 votes, 1 answer

Keycloak Refresh Token Unauthorized asp .net core

I am working on an application that requires a Refresh Token from OIDC (Keycloak) to get authorisation for accessing resources. But it seems like the RefreshToken that is returned is expired or leaking. The issue is that I'm able to log into the application…