17.7.2.1.8. OpenID Connect

To enable OpenID Connect, the target application has to be configured with the "OpenID Connect Identity Propagator" instead of the "OAuth 2.0 Authorization Grant Identity Propagator". Configuring OpenID Connect is otherwise identical to configuring OAuth 2.0, apart from a few additional properties for the OpenID Connect features.

The main difference to OAuth 2.0 is the ID Token, a signed (or MACed) proof of user authentication that is sent to the OpenID Connect client together with the access and refresh tokens. The ID Token is a JWT holding claims about the authentication and authorization, such as the authentication time (auth_time), the client id of the OpenID Connect client (aud), the name of the token issuer (iss) and the identifier of the authenticated user (sub).

The ID Token can be used to prove authentication without exposing the access token and the user privileges tied to it. Additionally, if the OpenID Connect client only needs the information present in the ID Token, no requests to resource endpoints (such as the UserInfo Endpoint) are needed.

Signatures or MACs are used to ensure the ID Token's authenticity. Even though it is possible not to sign/MAC the ID Token by configuring 'No Signature' (an unsecured JWS, i.e. alg "none"), we recommend always applying a signature or MAC and verifying it on the client. The client should also accept only the algorithm it was configured for and reject tokens whose alg header differs, in particular "none".

The signing/MAC algorithms can be configured in the "OpenID Connect Authorization Server Settings" using the property "ID Token Signer".
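The following is an added example of what a client must do with the ID Token it receives; it is not code from Airlock IAM. It uses only the Python standard library and covers the HS256 (MAC) case, where OpenID Connect uses the client secret as the shared key; the issuer URL, client id, secret and nonce are made-up values, and make_id_token merely stands in for the OP so the verifier can be exercised offline. The verifier checks the MAC before reading any claim, rejects alg "none", and then checks iss, aud/azp, exp, nonce and auth_time as OpenID Connect Core requires.

```python
"""Verify an OpenID Connect ID Token protected with an HS256 MAC (stdlib only).

Added example. Assumed for illustration: the OP MACed the token with the
client secret (HS256), and the issuer, client id, secret and nonce used by
callers are constructed test values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Algorithms the client is willing to accept. "none" is deliberately absent:
# an unsecured token must never be trusted, whatever its header claims.
ALLOWED_ALGS = {"HS256"}


class IDTokenError(ValueError):
    """Raised when the ID Token must not be used."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Test helper standing in for the OP: builds a compact JWS over the claims.

    alg="none" yields an unsecured token (empty signature part) so that the
    verifier's rejection of it can be demonstrated.
    """
    header = {"alg": alg, "typ": "JWT"}
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments)
    if alg == "none":
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    nonce: Optional[str] = None, now: Optional[float] = None,
                    max_auth_age: Optional[float] = None) -> dict:
    """Check MAC and claims (OpenID Connect Core 3.1.3.7) and return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise IDTokenError(f"algorithm {header.get('alg')!r} not accepted")
    # Verify the MAC before trusting anything in the payload.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise IDTokenError("MAC verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IDTokenError("unexpected issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise IDTokenError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IDTokenError("multiple audiences but azp is not this client")
    if now >= float(claims.get("exp", 0)):
        raise IDTokenError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise IDTokenError("nonce mismatch (possible replay)")
    if max_auth_age is not None and now - float(claims.get("auth_time", 0)) > max_auth_age:
        raise IDTokenError("authentication too old")
    return claims


def id_token_is_valid(token: str, key: bytes, issuer: str, client_id: str, **kwargs) -> bool:
    """Boolean convenience wrapper around verify_id_token."""
    try:
        verify_id_token(token, key, issuer, client_id, **kwargs)
        return True
    except (IDTokenError, ValueError):  # malformed base64/JSON also ends up here
        return False


if __name__ == "__main__":
    key = b"example-client-secret"  # constructed; in OIDC the HS256 key is the client secret
    claims = {"iss": "https://iam.example.com/auth", "sub": "alice", "aud": "my-client",
              "iat": 1700000000, "auth_time": 1700000000, "exp": 1700003600, "nonce": "n-1"}
    token = make_id_token(claims, key)
    print(verify_id_token(token, key, claims["iss"], "my-client", nonce="n-1", now=1700000100))
    print(id_token_is_valid(make_id_token(claims, key, alg="none"), key, claims["iss"], "my-client"))
```

For an ID Token signed with RS256 or ES256, the same claim checks apply but the MAC step is replaced by a signature check against the key published at the jwks URL; use a JOSE library for that rather than hand-rolling it, and keep the algorithm allowlist as strict as shown here.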

Discovery

An IAM OpenID Connect OP (OpenID Provider, i.e. the authorization server) provides its metadata (see the OpenID Connect Discovery specification) under the URL:

<URL of Loginapp>/oauth2/<URL encoded client id>/.well-known/openid-configuration

JWK

If required, the JWK Set (see RFC 7517) holding the keys for ID Token verification can be obtained under the URL:

<URL of Loginapp>/oauth2/<URL encoded client id>/jwks

UserInfo Endpoint

The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated end-user. Requests to the endpoint require a valid Bearer Token in the Authorization header as described in RFC 6750.

Beware that the client MUST make sure that:

  • The communication with the UserInfo Endpoint utilizes TLS
  • The sub Claim in the UserInfo response MUST exactly match the sub Claim in the ID Token; if they do not match, the UserInfo response values MUST NOT be used (see OpenID Connect Core 1.0, Section 5.3.2, UserInfo Response)

IAM supports plain application/json responses only. Hence UserInfo responses are neither signed nor encrypted (no application/jwt responses), and the client has to rely on TLS and on the sub check above for their integrity.

The endpoint is available under the following URL:

<URL of Loginapp>/oauth2/<URL encoded client id>/userinfo
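The following added example (not code from Airlock IAM) ties the endpoint URLs in the Discovery, JWK and UserInfo sections above to the client-side checks the UserInfo section demands: it derives the three URLs from the Loginapp URL with a URL-encoded client id, refuses to send the Bearer token to a non-TLS endpoint, reads the RFC 6750 error code from a 401 challenge, accepts only plain application/json, and discards any response whose sub does not match the ID Token. The Loginapp URL, client id, access token and response bodies are constructed for illustration.

```python
"""Endpoint URLs for an IAM OpenID Connect client and a guarded UserInfo call.

Added example, not part of Airlock IAM. The Loginapp URL, client id, access
token and response bodies used by callers are constructed test values.
"""
import json
import re
from typing import Optional
from urllib.parse import quote, urlsplit


class UserInfoError(ValueError):
    """Raised when a UserInfo response must not be used."""


def oidc_endpoints(loginapp_url: str, client_id: str) -> dict:
    """Build the discovery, JWK Set and UserInfo URLs; the client id is URL-encoded."""
    base = loginapp_url.rstrip("/") + "/oauth2/" + quote(client_id, safe="")
    return {
        "discovery": base + "/.well-known/openid-configuration",
        "jwks": base + "/jwks",
        "userinfo": base + "/userinfo",
    }


def endpoint_uses_tls(url: str) -> bool:
    """True only for https URLs; the Bearer token must never travel in clear."""
    return urlsplit(url).scheme == "https"


def userinfo_request(userinfo_url: str, access_token: str) -> dict:
    """Describe the GET the client sends; refuses to send the Bearer token without TLS."""
    if not endpoint_uses_tls(userinfo_url):
        raise UserInfoError("UserInfo Endpoint must be reached over TLS")
    return {
        "method": "GET",
        "url": userinfo_url,
        "headers": {
            "Authorization": "Bearer " + access_token,  # RFC 6750, section 2.1
            "Accept": "application/json",
        },
    }


def bearer_error(www_authenticate: str) -> Optional[str]:
    """Extract the RFC 6750 error code from a WWW-Authenticate: Bearer challenge."""
    m = re.search(r'error="([^"]*)"', www_authenticate or "")
    return m.group(1) if m else None


def validate_userinfo(status: int, headers: dict, body: str, id_token_sub: str) -> dict:
    """Accept a UserInfo response only if it is plain JSON whose sub matches the ID Token."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        code = bearer_error(hdrs.get("www-authenticate", "")) or "unknown"
        raise UserInfoError("access token rejected: " + code)
    if status != 200:
        raise UserInfoError(f"unexpected status {status}")
    media_type = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        # IAM returns plain JSON only; application/jwt (signed/encrypted) is not expected.
        raise UserInfoError(f"unexpected content type {media_type!r}")
    claims = json.loads(body)
    if claims.get("sub") != id_token_sub:
        # OpenID Connect Core 5.3.2: on mismatch the response values MUST NOT be used.
        raise UserInfoError("sub mismatch between UserInfo response and ID Token")
    return claims


def userinfo_claims(status: int, headers: dict, body: str, id_token_sub: str) -> Optional[dict]:
    """Return the usable claims, or None when the response must be discarded."""
    try:
        return validate_userinfo(status, headers, body, id_token_sub)
    except (UserInfoError, ValueError):  # malformed JSON also ends up here
        return None


if __name__ == "__main__":
    endpoints = oidc_endpoints("https://iam.example.com/auth", "my client/app")  # constructed
    print(endpoints["userinfo"])
    print(userinfo_request(endpoints["userinfo"], "AT-123"))
    body = '{"sub":"alice","name":"Alice","email":"alice@example.com"}'  # constructed response
    print(userinfo_claims(200, {"Content-Type": "application/json"}, body, "alice"))
    print(userinfo_claims(200, {"Content-Type": "application/json"}, body, "bob"))
```

The sub passed to validate_userinfo must come from an ID Token whose signature or MAC the client has already verified; comparing against an unverified sub defeats the purpose of the check.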