OpenID Connect
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol in which the identity of the user is also transmitted to client applications. OpenID Connect allows applications to verify the identity of the user based on the authentication that is performed by an OpenID Connect Provider and to obtain basic profile information about the user in an interoperable and REST-like way. The client application retrieves an ID token (in the form of a JWT) from the OpenID Connect Provider that is then used to access a resource on behalf of the user.
For more information about OpenID Connect, see its specification.
To see which CICS® access methods support OpenID Connect, see Which authentication method can I use with which access method?
Why use OpenID Connect?
OpenID Connect 1.0 is widely used as an open identity protocol. Using OpenID Connect with CICS allows you to use the same authentication and identification mechanisms that you use with other platforms and application servers. Configuring the openidConnectClient-1.0 feature with CICS Liberty allows you to authenticate requests by using a JWT without needing to write custom authentication code.
How OpenID Connect works
OAuth 2.0, which underpins OpenID Connect, allows a user to securely share access to information with a third party. It simplifies the user experience by avoiding the need to manage many different credentials for multiple websites. OAuth 2.0 aims to enable one website to request user information from another site, while allowing the user to control access to the information.
OAuth 2.0 provides several grant types, each a different method by which a client application acquires an access token. The grants cover different use cases; see the OAuth 2.0 specification for details. Figure 1 shows the steps in a typical OpenID Connect flow for the authorization code grant type.
- The user makes a request to the client application.
- The client application redirects the request to the OpenID Connect Provider (OP) for authorization.
- The OP sends an authentication and authorization request to the user.
- The user authenticates and authorizes the client application to access the resource.
- The OP sends a grant code to the client application.
- The client application sends a request to the OP to exchange the grant code for an ID token (in the form of a JWT), an access token, and a refresh token.
- The OP sends the ID token (JWT), access token, and refresh token to the client application.
- The client application makes the request to the resource server with the JWT, which is used to authenticate the user and to authorize access to the resource.
- The response is sent from the resource server to the client application.
- The response is sent from the client application to the user.
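The validation that the client or resource server must apply to the ID token before trusting it in the flow above, as an added example that is not CICS or Liberty code: it assumes a constructed shared secret and HS256 so that it runs offline, whereas an OP normally signs ID tokens with RS256 and publishes its verification keys through a JWKS endpoint, and sign_id_token is a hypothetical stand-in for the OP. The checks (pinned algorithm, signature, iss, aud and azp, exp, nonce) follow OpenID Connect Core section 3.1.3.7.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_id_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the OP: issues an HS256 JWT (a real OP normally uses RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      nonce: str, now=None) -> dict:
    """ID token checks from OpenID Connect Core 3.1.3.7; raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(body_b64))
    except ValueError:  # wrong segment count, bad base64url, or bad JSON
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token's own "alg" choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client on a multi-audience token")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("exp missing or in the past")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims

def id_token_is_valid(token, secret, issuer, client_id, nonce, now=None) -> bool:
    try:
        validate_id_token(token, secret, issuer, client_id, nonce, now)
        return True
    except ValueError:
        return False
```

The nonce is the value the client generated and stored in the user's session when it redirected to the OP, which is what ties the returned ID token to that particular authentication request.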
Support in CICS Liberty for OpenID Connect
CICS Liberty supports OpenID Connect 1.0 and can play a role as a client, OpenID Connect Provider, or resource server. For example, you can use the openidConnectClient-1.0 feature to configure a Liberty JVM server to accept a JWT as an authentication token. For instructions, see Configuring JWT authentication.