OpenID Connect 1.0 Explained

Page 1: OpenID Connect 1.0 Explained

[Diagram: the OpenID Connect participants, Relying Party and OpenID Provider]

Relying Party (RP): Client Application

OpenID Provider (OP): OAuth 2.0 Server capable of authenticating the End-User and providing Claims

End User: Human participant

Page 2: OpenID Connect 1.0 Explained

[Diagram: Relying Party and OpenID Provider, flow arrow 1]

Step 1

Client sends request to OpenID Provider (OP)

Page 3: OpenID Connect 1.0 Explained

[Diagram: Relying Party and OpenID Provider, flow arrows 1 and 2]

Step 2

OP authenticates End-User and obtains authorization

Request is OAuth 2.0 using code, implicit or hybrid flow

Once authenticated, OP MUST obtain End-User consent/authorization

Page 4: OpenID Connect 1.0 Explained

[Diagram: Relying Party and OpenID Provider, flow arrows 1 to 3]

Step 3

OP sends ID Token and usually an Access Token to RP

ID Token is represented as a JSON Web Token (JWT). An ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims (some shown in Step 4).

Page 5: OpenID Connect 1.0 Explained

[Diagram: Relying Party and OpenID Provider, flow arrows 1 to 4]

Step 4

RP can send a request with the Access Token to the UserInfo Endpoint

UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the End-User

Some Claims: name, email_verified, birthdate, locale, address, profile

Page 6: OpenID Connect 1.0 Explained

[Diagram: Relying Party and OpenID Provider, flow arrows 1 to 5]

Step 5

UserInfo Endpoint returns Claims about End-User as a JWT
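The five steps above, as an added Python example that is not part of the original slides: the RP builds the Step 1 authentication request, the OP mints the Step 3 ID Token as a JWT, the RP validates it before trusting its Claims, and the RP prepares the Step 4 UserInfo call. All issuer, client and key values are constructed, and the HS256 shared-secret signature stands in for the RSA signatures most OPs use.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

# Constructed values for this example; not from any real OP or RP.
OP_ISSUER = "https://op.example"
CLIENT_ID = "rp-client-123"
SHARED_SECRET = b"constructed-client-secret"  # HS256 key; production OPs typically use RS256

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_auth_request(redirect_uri, state, nonce):
    """Step 1: RP sends the (code-flow) authentication request to the OP."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "scope": "openid profile email", "state": state, "nonce": nonce}
    return f"{OP_ISSUER}/authorize?{urlencode(params)}"

def mint_id_token(subject, nonce, now):
    """Step 3, OP side: ID Token as an HS256-signed JWT carrying the authentication Claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": OP_ISSUER, "sub": subject, "aud": CLIENT_ID, "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_id_token(token, expected_nonce, now):
    """Step 3, RP side: check signature, then iss/aud/exp/nonce. Returns claims or raises ValueError."""
    h, p, s = token.split(".")  # raises ValueError unless there are exactly three segments
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != OP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued to this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims

def userinfo_request(access_token):
    """Step 4: RP calls the UserInfo Endpoint (an OAuth 2.0 protected resource) with the Access Token."""
    return {"url": f"{OP_ISSUER}/userinfo", "headers": {"Authorization": f"Bearer {access_token}"}}
```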

Page 7: OpenID Connect 1.0 Explained

References

OpenID Connect Core 1.0: http://openid.net/specs/openid-connect-core-1_0.html

JWT Spec: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token

Eugene Siow <[email protected]>