OpenID Connect concepts

OpenID Connect extends the functionality of OAuth 2.0. The OpenID Connect concepts therefore include the OAuth 2.0 concepts.

OpenID Connect Provider (OP)
OAuth 2.0 Authorization Server that can authenticate the user and provide claims to a Relying Party about the authentication event and the user.
Relying Party (RP)
OAuth 2.0 Client application that requires user authentication and claims from an OpenID Connect Provider.
Claim

Piece of information asserted about an entity that is included in the ID token. An OpenID Connect Provider must document which claims it includes in its ID tokens.

The following claims are required claims about the authentication event:

  • aud (Audience): Must contain the client identifier of the RP registered at the issuer.
  • iss (Issuer): The issuer identifier of the OP.
  • exp (Expiration time): The RP must validate the ID token before this time.
  • iat (Issued at): The time at which the ID token was issued.

The following claims are required claims about the user:

  • sub (Subject): A locally unique and permanent (never reassigned) identifier of the user at the issuer.

Optional claims about the user can include first_name, last_name, picture, gender, etc.

Scope
A property that is requested by the Relying Party, and that the user can consent to, which asks for certain claims to be included in the ID token. In addition to the definition of scope in OAuth, OpenID Connect adds some well-defined scopes. OpenID Connect requires the openid scope to identify a request as an OpenID Connect flow. It also defines the common scopes profile and email, each of which maps to a specific set of claims.
Bearer token
In addition to the types of tokens that are listed in the description of Bearer token for OAuth 2.0 support, for OpenID Connect the token can be an ID token.
ID token

JSON Web Token (JWT) that contains claims about the authentication event and the user.

JWTs are Base64 encoded JSON objects with three sections: Header, Claims Set, and JSON Web Signature (JWS). The sections are separated in the JWT by a period ('.'). The Header must at least contain the algorithm that is used to sign the JWT (the alg claim).

The Claims Set includes claims about the authentication event and the user.

The JSON Web Signature (JWS) is used to verify the signature of the JWT. For more information, see RFC7515.

For more information about JWTs, see RFC7519.

Issuer
Entity that issues a set of claims.
Issuer identifier
Verifiable identifier for an issuer. An issuer identifier is a case-sensitive URL that uses the HTTPS scheme. It contains the scheme and host components, optionally a port number and path components, and no query or fragment components.
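The following is an added example, not code from the original page or from any particular product: a Relying Party-side check that splits an ID token into its three '.'-separated sections, verifies the JWS, and then validates the required claims (iss, sub, aud, exp, iat) and the issuer identifier rules described above. It assumes an HS256 signature keyed with the client secret; the key, client identifier and issuer URL are constructed sample values.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlsplit

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    # JWT sections are Base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def is_valid_issuer_identifier(iss: str) -> bool:
    # Issuer identifier rules: HTTPS scheme, a host, and no query or fragment
    u = urlsplit(iss)
    return u.scheme == "https" and bool(u.netloc) and not u.query and not u.fragment

def make_id_token(claims: dict, client_secret: bytes) -> str:
    """Constructed helper that mints an HS256 ID token so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_id_token(token: str, client_secret: bytes, expected_iss: str,
                      client_id: str, now=None) -> dict:
    """Verify the JWS and the required claims; return the Claims Set or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have exactly three '.'-separated sections")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never accept 'none'
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{claims_b64}".encode()
    expected = hmac.new(client_secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("JWS signature does not verify")
    claims = json.loads(b64url_decode(claims_b64))
    missing = [c for c in ("iss", "sub", "aud", "exp", "iat") if c not in claims]
    if missing:
        raise ValueError(f"missing required claims {missing}")
    if not is_valid_issuer_identifier(claims["iss"]) or claims["iss"] != expected_iss:
        raise ValueError("iss is not the configured OP")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if client_id not in aud:
        raise ValueError("aud does not contain this RP's client identifier")
    if now >= claims["exp"]:
        raise ValueError("ID token has expired")
    return claims
```

The signature is checked before any claim is read, so an attacker-controlled Claims Set is never trusted for the iss or aud comparison.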
Hybrid flow

The OpenID Connect hybrid flow is a request to /authorize in which an authorization code is returned together with an access token, an ID token, or both. The value of response_type for a hybrid flow is any of the following values.

  • code id_token
  • code id_token token
  • code token

Some tokens are returned by the authorization endpoint, and others are returned by the token endpoint.

Note: Hybrid flow is supported in OpenID Connect but not in OAuth. See http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth.
Metadata
Metadata is the discovery information that the OpenID Provider (OP) exposes. If metadata is configured, the Relying Party (RP) uses it as the source of the /authorize, /token, /jwks, and /userinfo URLs for the RP. See http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata.
Userinfo
The Userinfo endpoint is an OAuth 2.0 protected resource that returns claims about the authenticated user. These claims are normally represented by a JSON object that contains a collection of name and value pairs for each claim. For more information, see http://openid.net/specs/openid-connect-core-1_0.html#UserInfo.