OpenID Connect Core 1.0

Key Bridge implements the OpenID Connect Core 1.0 specification for user authentication and authorization. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. The OpenID Connect protocol, in abstract, utilizes the following steps.

1. The Relying Party (RP, Client) sends an authentication (AuthN) request to the OpenID Provider (OP, Server)
2. The OP authenticates (AuthN) and authorizes (AuthZ) the End-User
3. The OP responds with an AuthN Token and an AuthZ Access Token (which may be the same)
4. The RP can send a request with the Access Token to the UserInfo Endpoint
5. The UserInfo Endpoint returns Claims about the End-User

In the Key Bridge system the UserInfo EndPoint is integrated with the OpenID Provider. This sequence is illustrated below.

    +--------+                                   +--------+
    |       -+---------(1) AuthN Request--------=|        |
    |        |  +--------+                       |        |
    |        |  |  End-  |=--(2) AuthN & AuthZ--=|        |
    |        |  |  User  |                       |        |
    |   RP   |  |(Human) |                       |   OP   |
    |(Client)|  +--------+                       |(Server)|
    |        |=--------(3) AuthN Response--------|        |
    |       -+---------(4) UserInfo Request-----=|        |
    |        |=--------(5) UserInfo Response-----|        |
    +--------+                                   +--------+

Definitions

• AuthN is a common abbreviation for authentication, for verifying a party's identity
• AuthZ is a common abbreviation for authorization, for granting or denying access to a resource
• RP is the Relying Party - the (client) party who relies upon OpenId services for AuthN and AuthZ capabilities
• OP is the Offering Party - the (server) party who offers OpenId services
• Client is an OpenID Relying Party.
• End-User id a Human participant

Authentication using the Implicit Flow

OpenID Connect performs authentication to log in the End-User or to determine that the End-User is already logged in. OpenID Connect returns the result of the Authentication performed by the Server to the Client in a secure manner so that the Client can rely on it. The Authentication result is returned in an ID Token.

• All tokens are returned from the Authorization Endpoint
• The Access Token is returned directly to the Client
  • The Authorization Server does not perform Client Authentication

Implicit Flow Steps (J2EE)

The Implicit Flow follows the following steps, which are slightly modified to work with a J2EE application server. Specifically: The Authorization server authorizes an End User and a second UserScope REST query is added to enable the Client to authorize the End User.

• Client prepares an Authentication Request containing the desired request parameters.
  • Client sends the request to the Authorization Server.
• Authorization Server Authorization the End-User.
• Authorization Server sends the End-User back to the Client with an ID Token.
• Client validates the ID token .
• Client retrieves the End-User's scope assignments.
  • Client authorizes End User based on End-User's scope assignments.

References

Implemented final (core) specifications in this application

• RFC 6749: The OAuth 2.0 Authorization Framework
• RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
• RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol
• RFC 7592: OAuth 2.0 Dynamic Client Registration Management Protocol
• RFC 6719: OAuth 2.0 Threat Model and Security Considerations
• OpenID Connect Core 1.0
• OpenID Connect Dynamic Client Registration 1.0
• User-Managed Access (UMA) Profile of OAuth 2.0
• Cross-Origin Resource Sharing (CORS)
• OAuth 2.0 Multiple Response Type Encoding Practices

Implemented draft specifications - now deprecated

• RFC draft: OAuth 2.0 Message Authentication Code (MAC) Tokens
• OpenID Connect Session Management 1.0 - draft 28

Roadmap draft specifications - subject to change

• Financial-grade API - Part 1: Read-Only API Security Profile
• Financial-grade API - Part 2: Read and Write API Security Profile
• Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
• Financial-grade API: Client Initiated Backchannel Authentication Profile
• OpenID Connect MODRNA Authentication Profile 1.0

Under review for future inclusion

• OAuth 2.0 Form Post Response Mode
• OpenID Connect Discovery 1.0
• OpenID Connect for Identity Assurance 1.0