OpenID Connect (OIDC) authentication
OpenID Connect is a simple identity layer and open standard built on top of the OAuth 2.0 protocol. It enables client applications to rely on authentication that is performed by an OpenID Connect Provider (OP) to verify the identity of a user. OpenID Connect uses OAuth 2.0 for authentication and authorization, and then builds identities that uniquely identify users.
WebSEAL provides a native OpenID Connect relying party (RP) capability that consumes an identity token issued by an OpenID Connect Provider in order to establish an authenticated session.
The WebSEAL implementation does not implement the complete specification for OIDC relying parties. The following sections of the specification are not supported by WebSEAL:
| Section | Description |
|---|---|
| 3.3 | Hybrid Flow |
| 5.3 | Retrieving claims from the UserInfo Endpoint |
| 6 | Request Parameters as JWTs |
| 8.1 | Pairwise Subject Identifier Type |
| 9 | Only the client_secret_basic authentication type will be supported. |
| 10.2 | JWE - Encryption of the JWT |
| 11 | Offline Access |
| 12 | Using refresh tokens for authentication |
| 15.3 | Dynamic registration will not be supported. |
In addition, the key identifier (kid) is required to be present in the JSON Web Key Set (JWKS) that is obtained from the OP, so that the kid in an identity token header can be matched to a published key.
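The following is an added example, not WebSEAL or IBM code, of the checks an RP such as the one described above performs before trusting an identity token: the JWS header must carry a kid that matches a key in the OP's JWKS, encrypted (JWE) tokens are refused, and the iss, aud, exp and nonce claims are validated. The JWKS, issuer URL, client_id and token are all constructed inline so the example runs offline; it uses a symmetric "oct" key with HS256 purely so it can both sign and verify without external libraries, whereas a real OP publishes asymmetric (RSA or EC) public keys. All names and values here are assumptions, not WebSEAL configuration.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWKS standing in for the document an RP fetches from the OP's
# jwks_uri. Real OPs publish RSA/EC public keys; an 'oct' key is used here only
# so this example can sign and verify offline.
DEMO_SECRET = b"constructed-demo-secret-never-use-in-prod"
JWKS = {
    "keys": [
        {"kty": "oct", "kid": "demo-key-1", "alg": "HS256", "k": b64url_encode(DEMO_SECRET)},
        # A key published without 'kid': the validator can never select it.
        {"kty": "oct", "alg": "HS256", "k": b64url_encode(b"orphan-key-no-kid")},
    ]
}
ISSUER = "https://op.example.test"   # assumed OP issuer identifier
CLIENT_ID = "webseal-demo-rp"        # assumed client_id registered at the OP
ALLOWED_ALGS = {"HS256"}             # a production RP would allow RS256 etc., never "none"


class TokenError(Exception):
    """Raised for any reason the identity token must not be trusted."""


def _hs256(signing_input: bytes, jwk: dict) -> bytes:
    return hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()


def sign_id_token(claims: dict, jwk: dict, header_extra=None) -> str:
    """Mint a compact JWS the way the constructed OP would. header_extra lets the
    caller build deliberately bad tokens (e.g. {"kid": None} drops the kid)."""
    header = {"alg": "HS256", "typ": "JWT"}
    if "kid" in jwk:
        header["kid"] = jwk["kid"]
    header.update(header_extra or {})
    header = {k: v for k, v in header.items() if v is not None}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode())).encode()
    return signing_input.decode() + "." + b64url_encode(_hs256(signing_input, jwk))


def validate_id_token(token: str, jwks: dict, issuer: str, client_id: str,
                      expected_nonce: str, now=None) -> dict:
    """Return the claims only if every check passes; raise TokenError otherwise."""
    parts = token.split(".")
    if len(parts) == 5:
        raise TokenError("JWE (encrypted) identity tokens are not supported")
    if len(parts) != 3:
        raise TokenError("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:
        raise TokenError("malformed token segment") from exc
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise TokenError("algorithm %r is not allowed" % alg)
    kid = header.get("kid")
    if not kid:
        raise TokenError("identity token header carries no kid")
    jwk = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if jwk is None:
        raise TokenError("no key with kid %r in the OP's JWKS" % kid)
    if jwk.get("alg", alg) != alg:
        raise TokenError("JWKS key algorithm does not match token algorithm")
    if not hmac.compare_digest(_hs256((parts[0] + "." + parts[1]).encode(), jwk), signature):
        raise TokenError("signature verification failed")
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud_list:
        raise TokenError("client_id is not an audience of this token")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise TokenError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token has expired")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch (possible replay)")
    if "sub" not in claims:
        raise TokenError("missing sub claim")
    return claims


def demo_claims(now: int) -> dict:
    """Constructed claim set for a user 'alice', valid for five minutes."""
    return {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "exp": now + 300,
            "iat": now, "nonce": "n-0S6_WzA2Mj"}


def rejects(token: str, nonce: str = "n-0S6_WzA2Mj", now: int = 1_700_000_100) -> bool:
    """True if the validator refuses the token (used to exercise failure modes)."""
    try:
        validate_id_token(token, JWKS, ISSUER, CLIENT_ID, nonce, now=now)
    except TokenError:
        return True
    return False


if __name__ == "__main__":
    issued = int(time.time())
    token = sign_id_token(demo_claims(issued), JWKS["keys"][0])
    print(validate_id_token(token, JWKS, ISSUER, CLIENT_ID, "n-0S6_WzA2Mj"))
```

The kid lookup is the point the page makes: a token whose header has no kid, or whose kid matches nothing in the JWKS, is refused before any signature check, and a key the OP publishes without a kid can never be selected. The nonce must be the value the RP generated for that browser session, so a replayed token fails even if it is otherwise valid.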
If you need the complete RP capabilities, it is recommended that you instead use the RP that is provided as a part of the Verify Identity Access Federation offering.