OpenID Connect Authentication
Configuring OpenID Connect Authentication
Configuring ADFS Server as a Gateway using OpenID Connect
See also: Server Administration Application Home Page, OpenID Connect Configuration, OAuth 2.0, AD FS Step By Step Setup Guide
OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of an end user based on the authentication performed by an authorization server or identity provider (IdP), and to obtain basic profile information about the end user in an interoperable, REST-like manner. OpenID Connect specifies a RESTful HTTP API that uses JSON as its data format.
OAuth 2.0 is a specification that defines how access tokens are issued; it is defined in RFC 6749 (The OAuth 2.0 Authorization Framework). The OpenID Connect specification adds a new attribute, id_token, to the access token response. To request an ID token, the scope of the authorization request must include the string “openid”; if it is not included, the normal OAuth 2.0 authorization flow is assumed. See the OAuth 2.0 documentation for more information.
OpenID Connect is a simpler standard than others such as SAML, OpenID 1.0 and OpenID 2.0. The attraction of OpenID Connect is that it is an increasingly common authentication protocol: when an app prompts you to authenticate using your ADFS or Google+ credentials, the app is probably using OpenID Connect.
[Figure: Example OpenID Connect Authorization Flow]
OpenID Connect returns an ID token in the form of a JSON Web Token (JWT). The JWT contains identity information known as claims; these can hold user-related information such as email, name, address and roles.
OpenID Connect ID tokens are digitally signed and should be verified before they are used. The token is usually signed with a public/private key pair, and the public key is commonly published at a remote URL as a JSON Web Key Set (JWKS).
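The following Go program is an added example of the signing and verification described above; it is not Verj.io code and not taken from the ADFS documentation. It plays both sides with constructed values: an IdP that publishes its RSA public key as a JWKS document and mints an RS256-signed ID token, and a relying party that selects the key by the token's kid header, verifies the signature, and only then checks the iss, aud, exp and nonce claims. The key id "demo-key-1", the issuer URL, the client id "verjio-client", the nonce and the user names are all made up for the example; a real client would fetch the JWKS from the IdP's jwks_uri over HTTPS and cache it rather than receive it in memory, and would also accept an aud claim given as a JSON array, which this example leaves out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS and JWK use unpadded base64url
func sha256Of(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

// signIDToken mints an RS256-signed ID token, b64url(header).b64url(claims).b64url(signature), as the IdP does.
func signIDToken(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sha256Of(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken is the relying party's check: select the JWKS key named by the token's kid header, verify the
// RS256 signature over header.payload, and only then trust the claims, which are checked against this issuer,
// this client (aud), this login attempt (nonce) and the current time (exp).
func VerifyIDToken(token string, jwksDoc []byte, issuer, clientID, nonce string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: expected header.payload.signature")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	payload, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }           // encoding/json matches "alg"/"kid" case-insensitively
	var set struct{ Keys []map[string]string } // JWKS: {"keys":[{"kty":"RSA","kid":"...","n":"...","e":"..."}]}
	var claims map[string]any                  // parsed now, but trusted only after the signature check below
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil ||
		json.Unmarshal(payload, &claims) != nil || json.Unmarshal(jwksDoc, &set) != nil {
		return nil, fmt.Errorf("token is not base64url/JSON, or the JWKS is malformed")
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k["kty"] == "RSA" && k["kid"] == hdr.Kid {
			n, _ := b64.DecodeString(k["n"])
			e, _ := b64.DecodeString(k["e"])
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil || hdr.Alg != "RS256" { // pin the algorithm; never let the token choose it (e.g. "none")
		return nil, fmt.Errorf("token alg %q / kid %q does not match an RS256 key in the JWKS", hdr.Alg, hdr.Kid)
	}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sha256Of(parts[0]+"."+parts[1]), sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64; a missing exp becomes 0 and fails below
	switch {
	case claims["iss"] != issuer:
		return nil, fmt.Errorf("issuer %v is not %s", claims["iss"], issuer)
	case claims["aud"] != clientID: // aud may also be a JSON array of strings, which this example does not handle
		return nil, fmt.Errorf("token was not issued for this client")
	case !now.Before(time.Unix(int64(exp), 0)):
		return nil, fmt.Errorf("token expired or exp missing")
	case claims["nonce"] != nonce:
		return nil, fmt.Errorf("nonce mismatch: token does not belong to this login attempt")
	}
	return claims, nil
}

// RunScenario is the worked example: a constructed IdP publishes its JWKS and mints a token, the relying party
// verifies it, and then a copy whose payload was altered after signing is shown to be rejected.
func RunScenario() (sub string, tamperedErr, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	// All identifiers below are constructed for the example, not taken from any real deployment.
	const kid, iss, clientID, nonce = "demo-key-1", "https://adfs.example.com/adfs", "verjio-client", "n-0S6_WzA2Mj"
	jwksDoc, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "RSA", "kid": kid,
		"n": b64.EncodeToString(priv.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	now := time.Now()
	token, err := signIDToken(kid, priv, map[string]any{"iss": iss, "sub": "alice@example.com", "aud": clientID,
		"nonce": nonce, "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), "roles": []string{"admin"}})
	good, verr := VerifyIDToken(token, jwksDoc, iss, clientID, nonce, now)
	if err != nil || verr != nil {
		return "", nil, fmt.Errorf("issue/verify failed: %v %v", err, verr)
	}
	p := strings.Split(token, ".")
	forged, _ := json.Marshal(map[string]any{"sub": "mallory@example.com"}) // payload swap: the signature no longer covers it
	_, tamperedErr = VerifyIDToken(p[0]+"."+b64.EncodeToString(forged)+"."+p[2], jwksDoc, iss, clientID, nonce, now)
	return good["sub"].(string), tamperedErr, nil
}
func main() { fmt.Println(RunScenario()) }
```

Running the program prints the verified subject followed by the error returned for the altered token. The order of checks in VerifyIDToken is the point to take away: the signature is verified against a key chosen by the relying party from the JWKS before any claim is read, and the expected algorithm is fixed by the verifier rather than taken from the token header; the claim checks then bind the token to this issuer, this client and this login attempt.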
OpenID Connect authentication is configured using the Server Administration Application User Authentication.
OpenID Connect can be used to authenticate users with Single Sign-On (SSO) against an Active Directory Federation Services (ADFS) server. The ADFS server can be configured to return an ID token that contains user credentials and roles.
Follow the AD FS step by step setup guide to configure the Verj.io server to use OpenID Connect with ADFS.