OpenID Connect Authentication Flow
webMethods Integration Server can use OpenID Connect to authenticate requests for resources on Integration Server. Integration Server supports the OpenID Authorization Code Flow.
A typical OpenID Connect Authorization Code Flow where Integration Server acts as the relying party proceeds according to the following workflow:
- The end user sends a request to Integration Server on a port that is configured to use an identity provider for authentication.
- Integration Server redirects the end user to the authorization endpoint of the OpenID Provider. Integration Server is the relying party in the OpenID Connect flow.
- The OpenID Provider authenticates the end user. If authentication succeeds, the OpenID Provider generates an authorization code. If authentication fails, the process stops. Note: The end user must have an account with the OpenID Provider.
- The OpenID Provider redirects the end user to the redirection endpoint on Integration Server. The OpenID Provider passes the authorization code to the redirection endpoint.
- Integration Server uses the authorization code to request an ID token from the OpenID Provider.
- The OpenID Provider returns an ID token and an access token. The ID token contains claims about the authentication of an end user and possibly claims about the end user. Integration Server verifies the signature of the ID token.
- Integration Server uses the access token to request a UserInfo token from the OpenID Provider. Integration Server requests a UserInfo token only when you identify a UserInfo service in the OpenID Provider Configuration Document or you create an OpenID Provider user that has one or more UserInfo claims.
- The OpenID Provider returns a UserInfo token. If Integration Server registered a UserInfo service for the OpenID Provider, the redirection endpoint on Integration Server invokes the service and passes the UserInfo token to the input pipeline of the service. If the UserInfo service is configured to execute asynchronously, Integration Server uses a separate thread to invoke the service. If the UserInfo service is configured to execute synchronously, Integration Server executes the service with the same thread that handles the OpenID Authorization Code Flow. Executing the UserInfo service synchronously allows the result of the UserInfo service to reject the request from the end user.
- Integration Server uses the claims in the ID token and the UserInfo token to map the token to an OpenID Provider user. An OpenID Provider user is defined on Integration Server and associates a set of claims with a username. You assign the OpenID Provider user to user groups, which determines the access that the user has to Integration Server. Integration Server associates the selected OpenID Provider user with the current session.
- Integration Server redirects the user to the original request, providing the user with a session cookie.
- The user's browser follows the redirection to the original request and includes the session cookie in the request header. Integration Server processes the request.
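The following is an added, self-contained Python example that walks through the relying-party side of the flow described above (redirect to the authorization endpoint, state and nonce checks at the redirection endpoint, exchanging the authorization code, verifying the ID token signature, fetching UserInfo, and mapping claims to a configured OpenID Provider user with its groups). It is not Integration Server code and does not use its APIs: the OpenID Provider is a simulated in-process stand-in, the issuer, client ID, redirect URI, signing key and user mappings are all constructed assumptions, and the ID token is signed with HS256 (a shared HMAC key) purely so the signature check can run offline; a real provider publishes asymmetric keys instead.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed assumptions for this example only.
PROVIDER_SECRET = b"constructed-example-signing-key"          # stands in for the OP signing key
ISSUER = "https://op.example.test"                             # assumed OpenID Provider issuer
CLIENT_ID = "is-relying-party"                                 # assumed client id registered at the OP
REDIRECT_URI = "https://is.example.test/oidc/redirect"         # assumed IS redirection endpoint

# Constructed OpenID Provider users: each maps a claim set to a username and groups.
OP_USERS = [
    {"username": "alice", "claims": {"email": "alice@example.test"}, "groups": ["Administrators"]},
    {"username": "partner", "claims": {"sub": "partner-42"}, "groups": ["Developers"]},
]

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (what the simulated OP issues as the ID token)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes) -> dict:
    """Relying-party check: signature, issuer, audience and expiry, before any claim is trusted."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("ID token signature does not verify")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("ID token issuer or audience mismatch")
    if claims.get("exp", 0) < time.time():
        raise ValueError("ID token expired")
    return claims

class FakeProvider:
    """Simulated OpenID Provider: authenticates a user, issues a single-use code, exchanges it."""
    def __init__(self):
        self.codes, self.userinfo_store = {}, {}

    def authorize(self, sub: str, email: str, nonce: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": sub, "email": email, "nonce": nonce}
        return code

    def token(self, code: str):
        data = self.codes.pop(code, None)           # a code may be redeemed only once
        if data is None:
            raise ValueError("unknown or already-used authorization code")
        now = int(time.time())
        id_token = sign_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": data["sub"],
                             "nonce": data["nonce"], "iat": now, "exp": now + 300}, PROVIDER_SECRET)
        access_token = secrets.token_urlsafe(16)
        self.userinfo_store[access_token] = {"sub": data["sub"], "email": data["email"]}
        return id_token, access_token

    def userinfo(self, access_token: str) -> dict:
        return self.userinfo_store[access_token]

def map_claims_to_user(claims: dict):
    """Select the first OpenID Provider user whose configured claims all match the presented claims."""
    for user in OP_USERS:
        if all(claims.get(k) == v for k, v in user["claims"].items()):
            return user["username"], user["groups"]
    return None

def run_flow(op: FakeProvider, sub: str, email: str):
    """Relying-party walk-through of one Authorization Code Flow; returns (username, groups)."""
    state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
    auth_url = f"{ISSUER}/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid email", "state": state, "nonce": nonce})
    # The OP authenticates the user and redirects back with the code and our state.
    code = op.authorize(sub, email, parse_qs(urlparse(auth_url).query)["nonce"][0])
    callback = f"{REDIRECT_URI}?" + urlencode({"code": code, "state": state})
    q = parse_qs(urlparse(callback).query)
    if q["state"][0] != state:
        raise ValueError("state mismatch at redirection endpoint")
    id_token, access_token = op.token(q["code"][0])    # code -> ID token + access token
    claims = verify_jwt(id_token, PROVIDER_SECRET)
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: ID token was not issued for this request")
    claims.update(op.userinfo(access_token))            # UserInfo claims supplement the ID token
    mapped = map_claims_to_user(claims)
    if mapped is None:
        raise PermissionError("no OpenID Provider user matches the presented claims")
    return mapped

def raises(exc, fn, *args) -> bool:
    """Helper for checks: True when fn(*args) raises exc."""
    try:
        fn(*args)
    except exc:
        return True
    return False

if __name__ == "__main__":
    print(run_flow(FakeProvider(), "sub-1", "alice@example.test"))
```

The claim-to-user mapping is the step that decides authorization: a token that verifies correctly but matches no configured OpenID Provider user is rejected, and the groups attached to the matched user are what grant access.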