OpenID Connect authentication method - SSO
Unlike other authentication methods, it's not possible to configure OpenID Connect authentication method completely with SSO Management UI, but SSO Management API is required. All the steps here are done using SSO Management API.
Reference of OAuth 2.0 and OpenID Connect 1.0 client implementation in SSO Server authentication method OpenIDConnectMethod.
Registration
Process
- Create OpenIDConnectMethod authentication method in SSO Server
- PUT /sso-api/method/oidc.method.1
- Get provider metadata from your OpenID Connect provider
- GET issuer/.well-known/opened-configuration
- If provider metadata is not available then need to manually construct provider metadata with required parameters
- Register provider metadata with SSO Server
- PUT /sso-api/method/oidc.method.1/$attribute/metadata
- Read jwks_uri parameter from provider metadata, and get provider JSON Web Keys
- GET jwks_uri
- Register provider keys with SSO Server
- PUT /sso-api/method/oidc.method.1/$attribute/jwks
- Get registration request from SSO Server
- GET /sso-api/method/oidc.method.1/$attribute/registration
- If provider does not support registration protocol then this step is optional
- Send registration request to OpenID Connect provider, and receive registration response
- If provider does not support registration protocol then need other method to register SSO Server as client, and receive client_id and client_secret
- Register registration response with SSO Server
- PUT /sso-api/method/oidc.method.1/$attribute/registration
- If provider does not support registration protocol then need to manually construct registration response with required parameters
/sso-api/method/{id}/$attribute/metadata
Method | Desription |
---|---|
PUT | Register provider metadata with SSO Server Body is Json formatted Provider Metadata |
GET | Read previously registered provider metadata Response is Json formatted Provider Metadata |
DELETE | Remove registered provider metadata Also removes JWKS and registration response |
/sso-api/method/{id}/$attribute/jwks
Method | Description |
---|---|
PUT | Register provider JSON Web Keys with SSO Server Body is JWKS formatted public keys |
GET | Read previously registered JWKS |
DELETE | Remove registered JWKS |
/sso-api/method/{id}/$attribute/registration
Method | Description |
---|---|
GET | Generate client registration request Or read previously registered registration response Response is Json formatted registration request |
PUT | Register registration response with SSO Server Body is Json formatted registration response |
DELETE | Remove any registration Use DELETE before GET to make sure a new registration request is generated |
Authentication Request
This chapter describes how SSO Server constructs Authorization Request from information in Provider Metadata and Registration Response.
Request parameters
Name | Description |
---|---|
OAuth 2.0 parameters | |
response_type | "code" |
redirect_uri | "https://sso.example.com/uas/return/oidc.method.1/redirect" This value must be registered with OpenID Provider |
scope | Value of registration parameter "scope" "openid" if registration parameter is not defined |
state | Random value |
client_id | Value of registration parameter "client_id" |
OpenID Connect parameters | |
nonce | Random value |
prompt | "login" if force-authn request is enabled "none" if is-passive request is enabled |
max_age | "0" if force-authn request is enabled |
ui_locales | SSO Server user interface locale Value of registration parameter "default_ui_locales" |
login_hint | Pass-thru value from authorization request |
acr_values | Value of method configuration parameter "oidc.acr" Value of registration parameter "default_acr_values" |
Signed request
Registration parameter "request_object_signing_alg" controls if SSO Server creates signed request. If parameter is not defined then request is not signed.
See also Signed and encrypted request
Response
Receives authorization code
Token Request
Request parameters
Name | Description |
---|---|
grant_type | "code" |
code | Value from authorization response |
redirect_uri | "https://sso.example.com/uas/return/oidc.method.1/redirect" |
Client credentials
Registration parameter "token_endpoint_auth_method" controls what client credentials are sent with request. Default value is "client_secret_basic"
See also Client credentials
Token Validation
SSO Server attempts to choose one of the following token validation mechanisms.
ID Token
Enabled if "id_token" is present in Token Response, and if "id_token_signed_response_alg" Client Configuration value is not "none"
UserInfo
Enabled if "userinfo_endpoint" is defined in Provider Metadata..
Introspection
Enabled if "introspection_endpoint" is defined in Provider Metadata.
Claims Transformation
TODO