Key Bridge implements the OpenID Connect Core 1.0 specification for user authentication and authorization. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. The OpenID Connect protocol, in abstract, utilizes the following steps.
In the Key Bridge system the UserInfo Endpoint is integrated with the OpenID Provider. This sequence is illustrated below.

+--------+                                    +--------+
|        |                                    |        |
|        +---------(1) AuthN Request-------->|        |
|        |                                    |        |
|        |   +--------+                       |        |
|        |   |        |                       |        |
|   RP   |   |  User  |<--(2) AuthN & AuthZ-->|   OP   |
|(Client)|   |(Human) |                       |(Server)|
|        |   |        |                       |        |
|        |   +--------+                       |        |
|        |                                    |        |
|        |<--------(3) AuthN Response---------|        |
|        |                                    |        |
|        +---------(4) UserInfo Request----->|        |
|        |                                    |        |
|        |<--------(5) UserInfo Claims--------|        |
|        |                                    |        |
+--------+                                    +--------+
Definitions
AuthN  | A common abbreviation for authentication: verifying a party's identity
AuthZ  | A common abbreviation for authorization: granting or denying access to a resource
RP     | The Relying Party: the (client) party who relies upon OpenID services for AuthN and AuthZ capabilities
OP     | The Offering Party: the (server) party who offers OpenID services
Client | An OpenID Relying Party
User   | A human participant
Authentication using the Implicit Flow
OpenID Connect performs authentication to log in the End-User or to determine that the End-User is already logged in. OpenID Connect returns the result of the Authentication performed by the Server to the Client in a secure manner so that the Client can rely on it. The Authentication result is returned in an ID Token.
Implicit Flow Steps (J2EE)
The Implicit Flow follows these steps, slightly modified to work with a J2EE application server. Specifically, the Authorization Server authorizes the End-User, and a second UserScope REST query is added so that the Client can authorize the End-User.
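As an added example (not Key Bridge code, and in Python rather than J2EE so it runs stand-alone), the Relying Party side of the Implicit Flow above: building the Authentication Request of step (1) and checking the ID Token that comes back in the fragment of the Authentication Response of step (3). The issuer, client_id, redirect URI and HS256 client secret are constructed placeholders, and mint_id_token() stands in for the OP's signing step.

```python
# Added example (not Key Bridge code): the RP side of the Implicit Flow with the
# Python standard library only. Issuer, client_id, redirect URI and the HS256
# client secret are constructed placeholders; mint_id_token() stands in for the OP.
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode, urlsplit, parse_qs

ISSUER = "https://op.example.test"        # constructed OP issuer
CLIENT_ID = "rp-client"                   # constructed RP client_id
REDIRECT = "https://rp.example.test/cb"   # constructed RP callback
SECRET = b"constructed-client-secret"     # constructed client secret (HS256 key)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def authn_request(state: str, nonce: str) -> str:
    """Step (1): Authentication Request URL; response_type=id_token selects the Implicit Flow."""
    q = {"response_type": "id_token", "client_id": CLIENT_ID, "redirect_uri": REDIRECT,
         "scope": "openid profile", "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(q)}"

def mint_id_token(claims: dict) -> str:
    """Constructed stand-in for the OP signing the ID Token (HS256 over header.payload)."""
    head, body = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()), b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def validate_authn_response(callback_url: str, state: str, nonce: str) -> dict:
    """Step (3): the ID Token comes back in the URL fragment; verify it before relying on it."""
    frag = parse_qs(urlsplit(callback_url).fragment)
    if frag.get("state", [None])[0] != state:
        raise ValueError("state mismatch")                  # CSRF / mixed-up response
    head, body, sig = frag["id_token"][0].split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")                  # pin alg; never trust the header
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("ID Token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")                  # replayed token
    return claims
```

In a real deployment the OP usually signs ID Tokens with RS256 and the RP verifies them against the OP's published JWKS; HS256 keyed with the client secret (which OpenID Connect Core also permits) is used here only so the example needs no key server.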