OPENID CONNECT

[Diagram: Relying Party and OpenID Provider, with the End User]

Relying Party (RP): the Client Application.
OpenID Provider (OP): an OAuth 2.0 Server capable of authenticating the End-User and providing Claims.
End User: the human participant.
OPENID CONNECT: Step 1

[Diagram: Relying Party and OpenID Provider; arrow 1]

Client sends request to OpenID Provider (OP).
OPENID CONNECT: Step 2

[Diagram: Relying Party and OpenID Provider; arrows 1 and 2]

OP authenticates End-User and obtains authorization.
The request is OAuth 2.0, using the code, implicit or hybrid flow.
Once the End-User is authenticated, the OP MUST obtain End-User consent/authorization.
OPENID CONNECT: Step 3

[Diagram: Relying Party and OpenID Provider; arrows 1 to 3]

OP sends an ID Token and usually an Access Token to the RP.
The ID Token is represented as a JSON Web Token (JWT). An ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims (some shown in Step 4).
OPENID CONNECT: Step 4

[Diagram: Relying Party and OpenID Provider; arrows 1 to 4]

RP can send a request with the Access Token to the UserInfo Endpoint.
The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the End-User.
Some Claims: name, email_verified, birthdate, locale, address, profile.
OPENID CONNECT: Step 5

[Diagram: Relying Party and OpenID Provider; arrows 1 to 5]

UserInfo Endpoint returns Claims about the End-User as a JWT.
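The five steps above as one runnable exchange, written for this page as an added example (not code from the deck or from any OpenID library). It uses only the Python standard library: the RP builds the Step 1 authorization request with a state and a nonce, the OP signs an ID Token as an HS256 JWT keyed with the client secret (Step 3), the RP verifies the signature and the iss, aud, exp and nonce claims before trusting it, and the UserInfo Claims (Steps 4 and 5) come back as a JWT checked the same way. The issuer URL, client id, client secret, redirect URI, endpoint path and every claim value are constructed placeholders; the Step 2 user authentication and the authorization-code redirect are not simulated.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

# Constructed values; in a real deployment they come from client registration.
ISSUER = "https://op.example.invalid"
CLIENT_ID = "rp-client-123"
CLIENT_SECRET = b"constructed-client-secret-at-least-32-bytes-long!"
REDIRECT_URI = "https://rp.example.invalid/cb"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Step 1: RP builds the authorization request (code flow); "/authorize" is an assumed path.
def build_auth_request(state: str, nonce: str) -> str:
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,  # binds the response to this browser session
        "nonce": nonce,  # echoed in the ID Token, ties the token to this request
    }
    return ISSUER + "/authorize?" + urlencode(params)


# Step 3: OP signs a JWT; HS256 keyed with the client secret (OIDC Core 10.1).
def sign_jwt(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def issue_id_token(subject: str, nonce: str, now: int) -> str:
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    return sign_jwt(claims, CLIENT_SECRET)


# RP side: pin the algorithm, verify the signature, then check the claims.
def verify_jwt(token: str, key: bytes) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose its own algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    claims = verify_jwt(token, CLIENT_SECRET)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not intended for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


# Steps 4 and 5: UserInfo Claims returned as a JWT and verified the same way.
def userinfo_response(subject: str) -> str:
    return sign_jwt({"sub": subject, "name": "Constructed User",
                     "email_verified": True, "locale": "en"}, CLIENT_SECRET)


def fetch_userinfo_claims(userinfo_jwt: str, id_token_sub: str) -> dict:
    claims = verify_jwt(userinfo_jwt, CLIENT_SECRET)
    if claims.get("sub") != id_token_sub:  # the sub must match the ID Token's sub
        raise ValueError("UserInfo sub does not match ID Token")
    return claims


def run_flow(now: int) -> dict:
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_auth_request(state, nonce)
    # Step 2 (OP authenticates the End-User, obtains consent, redirects back
    # with a code exchanged at the token endpoint) is not simulated here.
    id_token = issue_id_token("user-42", nonce, now)
    id_claims = validate_id_token(id_token, nonce, now)
    info = fetch_userinfo_claims(userinfo_response("user-42"), id_claims["sub"])
    return {"auth_url": url, "id_token": id_claims, "userinfo": info}


if __name__ == "__main__":
    print(json.dumps(run_flow(int(time.time())), indent=2))
```

The RP-side checks are the part that matters for security: the algorithm is pinned rather than read from the token, the signature is compared in constant time, and iss, aud, exp and nonce are all checked before any claim is used. Production OPs normally sign with an asymmetric algorithm (RS256 with keys published at the JWKS endpoint), so the verification key would then be a public key rather than the client secret.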
OPENID CONNECT: References

OpenID Connect Core 1.0: http://openid.net/specs/openid-connect-core-1_0.html
JWT Spec: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token

Eugene Siow <[email protected]>