OpenID Connect overview

OpenID Connect is a simple identity protocol and open standard that is built using the OAuth 2.0 protocol. It enables client applications to rely on authentication that is performed by an OpenID Connect Provider to verify the identity of a user.

OpenID Connect uses OAuth 2.0 for authentication and authorization, and then builds identities that uniquely identify users. Clients can also obtain basic profile information about a user in an interoperable and REST-like manner from OpenID Connect Providers.

Beginning with 8.5.5.3, WebSphere® Application Server supports OpenID Connect 1.0 and acts as a Client, or Relying Party, in web single sign-on. Read the OpenID Connect Basic Client Implementer's Guide 1.0 for more information.

Avoid trouble: If you are running in a cluster environment, the OpenID Connect Relying Party (RP) Trust Association Interceptor (TAI) requires session affinity.

Terminology

Access token
A credential that is used to access protected resources. An access token is a string, and represents an authorization that is issued to the client.
Authorization Endpoint
A resource on an OpenID Provider that accepts an authorization request from a client to perform authentication and authorization on a user. The authorization endpoint returns an authorization grant (or code) to the client in the Basic Client Profile. In the Implicit Client Profile, the authorization endpoint returns an ID token and access token to the client.
Authorization grant
A credential that represents a user's authorization to access resources. This credential is used by a client to obtain an access token.
Claim
Information that is asserted about an entity. Examples of a claim include a phone number, given name, or surname.
ID token
A JSON Web Token (JWT) that contains claims about the authenticated user.
Introspection Endpoint
A resource on an OpenID Provider that enables a client that holds an access token to retrieve the information that was used to create that access token (such as the user name, granted scopes, or client ID).
OpenID Provider (OP)
An OAuth 2.0 authorization server that can provide claims to a client, or Relying Party (RP).
Refresh Token
A token that is issued to the client by the OP. The token is used to obtain a new access token when the current access token expires or to obtain more access tokens.
Relying Party (RP)
Either a WebSphere Application Server configured as an OpenID Connect Client, or a client application that requires claims from an OpenID Provider (OP).
Scope
A privilege or permission that allows access to the resources of a third party.
Token Endpoint
A resource on an OpenID Provider that accepts an authorization grant (or code) from a client in exchange for an access token, ID token, and refresh token.

WebSphere Application Server as an OpenID Connect Relying Party (client)

WebSphere Application Server can be configured to function as an OpenID Connect Relying Party, which enables WebSphere Application Server to rely on another OpenID Connect server that acts as an OP for user authentication and authorization.

With an OpenID Connect Basic Client, all token exchanges are handled by using the token endpoint of the OpenID Connect Provider (OP). First, the client submits an authorization request to the authorization endpoint of the OP. When authentication and authorization with the OP are successful, the client receives an authorization grant (or code) from the OP. This authorization code can then be sent in a request to the token endpoint of the OP. The client receives an ID token, an access token, and a refresh token in the response from the token endpoint. The client then validates the ID token and retrieves the subject identifier of the user. This profile flow is intended for clients that can securely maintain a client secret between themselves and the OP, and also enables clients to obtain a refresh token.
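The Basic Client flow described above, as an added example in Python that is not part of the WebSphere documentation or of the product's code: a stub OP issues a one-time authorization code at its authorization endpoint, the Relying Party exchanges that code at the token endpoint by authenticating with its client secret, and the Relying Party then validates the ID token (signature, issuer, audience, expiry, nonce) before trusting its subject identifier. The issuer URL, client ID, client secret, redirect URI and the use of HS256 (HMAC with the client secret) are assumptions chosen so the example runs offline with only the standard library; a production OP usually signs ID tokens with RS256 and publishes its keys, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example: a hypothetical OP and a hypothetical RP.
OP_ISSUER = "https://op.example.com"
CLIENT_ID = "websphere-rp"
CLIENT_SECRET = "example-client-secret"  # the secret a Basic Client keeps confidential
REDIRECT_URI = "https://rp.example.com/oidcclient/redirect"


class OidcError(Exception):
    """Raised when any step of the flow fails validation."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint a compact JWT signed with HMAC-SHA256 (HS256 keys on the client secret)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Check signature, iss, aud, exp and nonce before trusting any claim in the token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise OidcError("malformed ID token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise OidcError("unexpected alg")  # the RP, not the token, decides the algorithm
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(CLIENT_SECRET.encode(), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise OidcError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != OP_ISSUER:
        raise OidcError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise OidcError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise OidcError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise OidcError("nonce mismatch (possible replay)")
    return claims


class StubProvider:
    """Minimal in-memory OP with an authorization endpoint and a token endpoint."""

    def __init__(self):
        self.codes = {}  # authorization code -> grant details

    def authorize(self, request_url: str, user_sub: str) -> str:
        """User authentication is assumed to have succeeded; redirect back with a one-time code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise OidcError("unknown client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": user_sub, "nonce": q["nonce"], "redirect_uri": q["redirect_uri"]}
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state']})}"

    def token_endpoint(self, code: str, client_id: str, client_secret: str, redirect_uri: str) -> dict:
        """Exchange the code for tokens: authenticate the client, then consume the code."""
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise OidcError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: every authorization code is single-use
        if grant is None or grant["redirect_uri"] != redirect_uri:
            raise OidcError("invalid_grant")
        now = int(time.time())
        id_claims = {"iss": OP_ISSUER, "sub": grant["sub"], "aud": CLIENT_ID,
                     "iat": now, "exp": now + 300, "nonce": grant["nonce"]}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "refresh_token": secrets.token_urlsafe(24),
                "id_token": sign_hs256(id_claims, CLIENT_SECRET)}


class RelyingParty:
    """The client side: start the flow, handle the redirect, validate the ID token."""

    def __init__(self):
        self.pending = {}  # state -> nonce for authorization requests this RP started

    def build_authorization_request(self) -> str:
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "scope": "openid profile", "state": state, "nonce": nonce}
        return f"{OP_ISSUER}/authorize?{urlencode(params)}"

    def handle_callback(self, callback_url: str, op: StubProvider) -> str:
        """Return the authenticated user's subject identifier, or raise OidcError."""
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        nonce = self.pending.pop(q.get("state"), None)  # unknown or reused state is rejected
        if nonce is None:
            raise OidcError("unknown state")
        tokens = op.token_endpoint(q.get("code", ""), CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
        return validate_id_token(tokens["id_token"], nonce)["sub"]


def run_basic_client_flow(user_sub: str = "alice") -> str:
    """Drive one complete Basic Client login and return the subject the RP ends up trusting."""
    rp, op = RelyingParty(), StubProvider()
    callback_url = op.authorize(rp.build_authorization_request(), user_sub)
    return rp.handle_callback(callback_url, op)
```

Two details carry the security weight: the token endpoint refuses the exchange unless the client authenticates and the code has not been used before, which is why the profile is limited to clients that can keep a secret; and the Relying Party binds each login to a state and nonce it generated itself, so a redirect it did not initiate, a replayed callback, or an ID token minted for a different client is rejected before the subject identifier is ever read.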

Logout

The OpenID Connect Relying Party supports logout through the HttpServletRequest.logout() Java™ method. When this method is called from a URL that is protected by the OpenID Connect TAI, it clears the LtpaToken2 cookie and the OpenID Connect cookies. You can also configure the OIDC TAI to revoke any access tokens when this method is called.
Important: Logout through the deprecated revokeSSOCookies() method and through the ibm_security_logout servlet is not supported for the OpenID Connect Relying Party.

For information about how to enable your application to perform a logout when it is protected by the OpenID Connect TAI, see Enabling programmatic logout for an OpenID Connect Relying Party.

For information about how to configure a WebSphere Application Server as an OpenID Connect Client, read Configuring an OpenID Connect Relying Party.