Coding adventures with Happy results

Understanding OpenID Connect protocol

Sunday, January 13, 2019 | 2:59:45 PM | OpenID

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol ,focusing on the identity layer of the user. In this post, we take a look at Why we need OpenID Connect and how to use it.

Why we need OpenID Connect?

As we describe in the article "understanding-oauth2-jwt-tokens" oAuth is an authorization framework. Meaning that when someone requests an OAuth scope, the main purpose is to gain a token so he can access back-end services.
But what if just want to know who the user is in your application?
If you are creating a web application, in many cases you will need to identify your user in order to make the user experience more “personal” like displaying a welcome message after login like “Hello James” or customizing the theme based on users preference. Before OpenID Connect this could be done by requesting a token and accessing an API endpoint in order the client application to have access to user’s information. Many providers have implemented custom endpoints in order to serve users claims like username, phone, email etc.

As we describe in the article "understanding-oauth2-jwt-tokens" , using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession). Meaning that, in many cases, a client was requesting a token in order to ask a backend service for the user's claims (for example email) and automatically the client was gaining access to users all personal details. At this point, the API wasn't able to recognize the purpose of the issued token, and the client had access to more personal information than just the user has given consent.

The custom code per identity provider was another issue. Developers had to write code to make request's and handle responses per identity provider.

OpenID Connect has brought us the solution to those problems by extending the OAuth 2.0 Authorization framework focusing on the user's identity.

OpenId Connet

OpenId Connect is focusing on the identity layer of the user, and as a result, it extends the "User Interactive Flows" which are the Authorization_Code and Implicit Flow.

OpenId Connet Standard claims & Scopes

Similar to OAuth 2, when you requesting an access token, we define in our token request the scope which basically is the area of access which we are requesting in the OAuth2 protected API. In the OpenId Connect, the identity scopes are defining the group of claims that the client will have access. OpenID Connect specifies a set of standard claims

openid : will request the sub claim, which uniquely identifies the user

profile: will request the claims representing basic profile information. These are name, family_name, given_name, middle_name, nickname, picture and updated_at.

email: will request the email and email_verified claims.


We can  retrieve identity information about a user can be done using UserInfo Endpoint


OpenId Connet UserInfo Endpoint

The UserInfo endpoint is an OAuth 2.0 protected resource that responses information about the user. In order to get a response, the client must have a valid access token and at least the openid scope is required when you are requesting a token in TokenEndpoint. Depending on your access token the content response can differ.


Until next time,Happy Coding!