Questions tagged [openid-connect]

OpenID Connect (OIDC) is a REST-friendly identity layer for the (possibly cross-domain) exchange of authenticated user identity, built on top of the OAuth 2.0 and JWT specifications.

OpenID Connect is an identity layer built on top of OAuth 2.0. It is the successor to OpenID 2.0 but does not build on it: the two share a name and a goal, not a wire format. The core specification is OpenID Connect Core 1.0, published by the OpenID Foundation. OAuth 2.0 is an authorization framework defined by RFC 6749. In OAuth 2.0 the client never presents the resource owner's credentials to the resource server; instead, the resource server trusts tokens issued by the authorization server.

OpenID Connect therefore provides both authorization (inherited from OAuth 2.0) and authentication against identities stored in a common location, the OpenID Provider (OP). The specification is built around HTTP and targets web resources. OpenID Connect introduces a new token type, the ID Token, which is a JSON Web Token (JWT, RFC 7519). Claims about the authenticated end user (`iss`, `sub`, `aud`, `exp`, `iat`, and `nonce` when one was sent in the request, among others) are carried in the ID Token. Once an ID Token is received, the relying party validates it to authenticate the end user: the signature is verified (JWS, RFC 7515) or the token is decrypted (JWE, RFC 7516), and the `iss`, `aud`, `exp` and `nonce` claims are checked against the values the relying party expects (OpenID Connect Core 1.0, section 3.1.3.7). A token whose claims are merely decoded, without these checks, authenticates nobody.

Besides the ID Token, OpenID Connect inherits access tokens, refresh tokens and the other entities defined by OAuth 2.0.

An OpenID Connect provider has two fundamental endpoints: the authorization endpoint and the token endpoint (the UserInfo endpoint, from which additional claims can be fetched with the access token, is defined alongside them). The relying party (RP), the party that relies on tokens issued by the provider, communicates with these endpoints to obtain authorization and receive tokens. The relying party consumes the ID Token to authenticate the end user and presents the access token to the resource server.

To obtain these tokens, the specification defines three flows, distinguished by the `response_type` parameter of the authorization request:

1. Authorization code flow (`response_type=code`)

2. Implicit flow (`response_type=id_token` or `response_type=id_token token`)

3. Hybrid flow (`response_type=code id_token`, `code token` or `code id_token token`)

The authorization code flow is ideal for confidential clients, that is, clients that can keep a secret shared with the OpenID Connect provider. This flow is recommended because the tokens are returned by the token endpoint over a back channel, after the client has authenticated with its secret, rather than through the browser; only the short-lived, single-use authorization code passes through the user agent.

The implicit flow, by contrast, was specified for browser-based public clients. Such clients cannot protect a shared secret, hence no secret is shared, and the tokens are returned directly in the fragment of the redirect URI. Because that exposes tokens to the user agent and to any script running in it, current guidance (the OAuth 2.0 Security Best Current Practice, RFC 9700) recommends the authorization code flow with PKCE (RFC 7636) for public clients instead of the implicit flow. The hybrid flow is a combination of the authorization code flow and the implicit flow: some tokens are returned from the authorization endpoint and the rest from the token endpoint. It can be used by confidential clients that want an ID Token immediately, before the code has been exchanged.
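The ID Token validation described above and the authorization code flow walked through here, as an added example that is not part of the tag wiki and not code from any OpenID provider or client library. It uses only the Python standard library. The issuer, client_id, client secret, callback URL and the ID Token itself are constructed for the example, and the token is HS256-signed with the client secret, which OpenID Connect Core 1.0 section 10.1 permits for confidential clients (a public provider would more typically sign with RS256 and publish its keys at a JWKS URI, in which case the signature step changes but the claim checks do not).

```python
"""Added example: relying-party side of the OIDC authorization code flow,
standard library only. Build the authorization request, check `state` on
the callback, then validate the ID Token per Core 1.0 section 3.1.3.7.
Provider, client, secret and token are all constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://op.example"                       # assumed provider (constructed)
CLIENT_ID = "my-relying-party"                      # assumed client_id (constructed)
CLIENT_SECRET = "c0ffee-constructed-client-secret"  # constructed, never a real secret


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(redirect_uri: str):
    """Authorization request for response_type=code. `state` ties the
    callback to this browser session; `nonce` ties the ID Token to it.
    Both must be stored server-side (returned here as the session dict)."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {
        "response_type": "code",
        "scope": "openid profile",          # the `openid` scope is what makes this OIDC
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return ISSUER + "/authorize?" + urlencode(params), session


def code_from_callback(callback_url: str, session: dict) -> str:
    """Extract the code, refusing callbacks whose state is not ours (login CSRF)."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: not a response to our request")
    return query["code"][0]


def validate_id_token(id_token: str, session: dict, now=None) -> dict:
    """Core 3.1.3.7 checks: signature, iss, aud/azp, exp, nonce."""
    now = int(time.time()) if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm agreed at registration; never let the token choose
    # ("none", or an alg that would be verified with a different key).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(CLIENT_SECRET.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))   # trusted only from here on
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("token not issued to this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp does not match client_id")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: replayed or foreign token")
    return claims


def mint_id_token(claims: dict) -> str:
    """Provider side, used only to construct a token for the demo (assumed OP)."""
    header_b64 = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), (header_b64 + "." + payload_b64).encode(),
                   hashlib.sha256).digest()
    return header_b64 + "." + payload_b64 + "." + b64url(sig)


def run_flow() -> dict:
    """End-to-end walk with a simulated browser redirect and token response."""
    url, session = build_authorization_request("https://rp.example/cb")
    # Simulated callback: the OP redirects the browser back with code and state.
    callback = "https://rp.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=" + session["state"]
    code = code_from_callback(callback, session)
    # Simulated token-endpoint response for that code (back channel, with secret).
    now = int(time.time())
    id_token = mint_id_token({"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
                              "exp": now + 300, "iat": now, "nonce": session["nonce"]})
    return validate_id_token(id_token, session, now=now)
```

Call `run_flow()` to walk the simulated exchange end to end. The checks in `validate_id_token` are ordered so that nothing in the payload is trusted before the signature has been verified, and the algorithm is pinned rather than read from the token: accepting whatever `alg` the header names is how `alg: none` and key-confusion bugs get in. The `state` check in `code_from_callback` is what stops an attacker from completing a login in the victim's browser with a code from the attacker's own session.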

5301 questions
2
votes
1 answer

JMeter with OpenID Connect authentication

I'm trying to create performance testing with JMeter to our web application which uses OpenID Connect for authentication. I have used the following guide: https://www.blazemeter.com/blog/openid-connect-how-to-load-test-with-jmeter, but seemed not to…
sheng
  • 21
  • 1
  • 2
2
votes
1 answer

Appropriate X.509 settings for OIDC token-signing and token-validation

What are the basic requirements for secure X.509 self-signed certificates intended for use as OpenId Connect token-signing and token-validation credentials? I have an IdentityServer4 project, and I've been experimentally generating certificates with…
McGuireV10
  • 9,572
  • 5
  • 48
  • 64
2
votes
1 answer

Microsoft Graph api does not give birthday user information

In graph explorer the https://graph.microsoft.com/v1.0/me?$select=birthday endpoint gives me the example profile birthday but when I try it with my account I receive this error { "error": { "code": "ResourceNotFound", "message":…
2
votes
1 answer

ADFS openid-connect from web application without OWIN

I have an existing web application that has a custom-made authentication and login module. I would like to add login for some users via ADFS openid-connect but all examples I see are based on OWIN which I cannot use. My plan is to let some external…
Johan
  • 53
  • 5
2
votes
3 answers

Getting access token within Claims Transformer in ASP.NET Core

I'm developing a set of applications including an Identity Server using IdentityServer4, a .NET Core MVC app, a .NET Core WebAPI. As part of an asp.net core mvc application I am using AddOpenIdConnect to do authentication and doing options.SaveTokens…
2
votes
0 answers

Cannot access OpenID connect UserInfo endpoint of AzureAD

I see that the userinfo endpoint is present on AzureAD OpenID Connect .well-known result. I want to access their UserInfo endpoint. I'm aware I will get the error if used with JWT tokens, error_description="AADSTS90010: JWT tokens cannot be used…
Jeff Ray
  • 21
  • 2
2
votes
0 answers

Keycloak: my secured resources are accessible without login

I am trying to secure my sample web project using keycloak. web.xml
valijon
  • 1,304
  • 2
  • 20
  • 35
2
votes
0 answers

Identity Server 4 Authorization Code Flow with Client Credentials (allowing one client instance deny another)

What I got so far: In a project I have an authorization server (Identity Server 4), some (let's say two) protected APIs (Api Resource) and some trusted clients (automated, no user interaction) which should access the Identity Server via the…
monty
  • 7,888
  • 16
  • 63
  • 100
2
votes
1 answer

How does OpenId Connect's id token feed into a subsequent OAuth2 flow for authorizing access on another resource?

Assume aim is to authorize access to Resource Server (RS) resource.com/resource via access token but using OpenId Connect for authentication instead of relying on custom authentication integrations of Authorization Server available in OAuth2. I am…
NicuMarasoiu
  • 776
  • 9
  • 25
2
votes
1 answer

IdentityServer4 Client Scopes and User Claims based authorization

I have an IdentityServer4 that I use for authentication/authorization and I am a little confused on how to achieve the following: if I have let us say 2 clients, and they are trying to access 2 APIs (each client can access one of them), however I…
Yahya Hussein
  • 8,767
  • 15
  • 58
  • 114
2
votes
0 answers

Do Nginx Proxies automatically forward the Authorization Header

Or do we need something like proxy_pass_header Authorization in the proxy configuration? The end goal would be to ensure that api endpoints get the JWT token.
Ole
  • 41,793
  • 59
  • 191
  • 359
2
votes
0 answers

How do I use custom logic in Identity Server 4 to limit who can be issued an id token or access token

I've got a SPA written with Angular, and it communicates with a few APIs (also owned by me) to do all of its work. To secure the application, I am using Identity Server 4 with AAD as the single external provider. I'm using a route guard in…
2
votes
1 answer

OAuth2 authorization interface using KeyCloak

I'm trying to use KeyCloak as identity provider service for 3rd party applications support. The idea is to register the client application in KeyCloak, trusted clients will not require this authorization approval, but there should be "untrusted"…
yyunikov
  • 5,719
  • 2
  • 43
  • 78
2
votes
2 answers

IdentityServer Hybrid Flow - Access Token is null after user successful login

I'm having problems in retrieving access token of an authenticated user. below is my configuration ASP.NET MVC 5 Client: OpenIdConnect IdentityServer3 libraries ResponseType = "code id_token" ASP.NET Core Identity Server: IdentityServer4…
2
votes
0 answers

OpenID Connect for Azure Active Directory

I am trying to use this module: https://www.drupal.org/project/openid_connect_windows_aad But, when I install it, it says something is missing, but does not state what is missing. Per the requirements, I also have OpenID Connect installed, but…
jason
  • 3,821
  • 10
  • 63
  • 120