OpenID Connect Core 1.0

Key Bridge implements the OpenID Connect Core 1.0 specification for user authentication and authorization. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. The OpenID Connect protocol, in abstract, utilizes the following steps.

The Relying Party (RP, Client) sends an authentication (AuthN) request to the OpenID Provider (OP, Server)
The OP authenticates (AuthN) and authorizes (AuthZ) the End-User
The OP responds with an AuthN Token and an AuthZ Access Token (which may be the same)
The RP can send a request with the Access Token to the UserInfo Endpoint
The UserInfo Endpoint returns Claims about the End-User

In the Key Bridge system the UserInfo EndPoint is integrated with the OpenID Provider. This sequence is illustrated below.

    +--------+                                   +--------+
    |        +---------(1) AuthN Request-------->|        |
    |        |  +--------+                       |        |
    |        |  |  User  |<--(2) AuthN & AuthZ-->|        |
    |   RP   |  |(Human) |                       |   OP   |
    |(Client)|  +--------+                       |(Server)|
    |        |<--------(3) AuthN Response--------|        |
    |        +---------(4) UserInfo Request----->|        |
    |        |<--------(5) UserInfo Claims-------|        |
    +--------+                                   +--------+

Definitions

`AuthN`	A common abbreviation for authentication, for verifying a party's identity
`AuthZ`	A common abbreviation for authorization, for granting or denying access to a resource
`RP`	The Relying Party - the (client) party who relies upon OpenId services for AuthN and AuthZ capabilities
`OP`	The Offering Party - the (server) party who offers OpenId services
`Client`	An OpenID Relying Party
`User`	A Human participant

AuthN is a common abbreviation for authentication, for verifying a party's identity
AuthZ is a common abbreviation for authorization, for granting or denying access to a resource
RP is the Relying Party - the (client) party who relies upon OpenId services for AuthN and AuthZ capabilities
OP is the Offering Party - the (server) party who offers OpenId services
Client is an OpenID Relying Party.
User is a Human participant

Authentication using the Implicit Flow

OpenID Connect performs authentication to log in the End-User or to determine that the End-User is already logged in. OpenID Connect returns the result of the Authentication performed by the Server to the Client in a secure manner so that the Client can rely on it. The Authentication result is returned in an ID Token.

All tokens are returned from the Authorization Endpoint
The Access Token is returned directly to the Client
- The Authorization Server does not perform Client Authentication

Implicit Flow Steps (J2EE)

The Implicit Flow follows the following steps, which are slightly modified to work with a J2EE application server. Specifically: The Authorization server authorizes an End User and a second UserScope REST query is added to enable the Client to authorize the End User.

Client prepares an Authentication Request containing the desired request parameters.
- Client sends the request to the Authorization Server.
Authorization Server Authorization the End-User.
Authorization Server sends the End-User back to the Client with an ID Token.
Client validates the ID token .
Client retrieves the End-User's scope assignments.
- Client authorizes End User based on End-User's scope assignments.

References

Implemented final (core) specifications in this application

Implemented draft specifications - now deprecated

Roadmap draft specifications - subject to change

Under review for future inclusion