Security/Guidelines/OpenID Connect: Difference between revisions

[[File:Screenshot_20161023_213226.png|700px]]


OpenID Connect (OIDC) is a protocol that allows web applications (also called relying parties, or RPs) to authenticate users with an external server called the OpenID Connect Provider (OP).
This server typically gets user information from an identity provider (IdP), which is a database of user credentials and attribute information.


The communication with the OpenID Connect Provider (OP) is done using tokens.
The OP issues an ID token to the web application (RP). It is a signed JSON Web Token (JWT) whose claims tell the RP which OP issued it (iss) and for which RP (aud), who the user is (sub), how and when the user authenticated (acr, amr, auth_time), various other attributes, and for how long the assertion can be trusted (exp). The RP must verify the signature and these claims before it trusts anything in the token. The RP can request a fresh ID token as often as necessary to ensure that the user and their attributes are both still valid and up to date.
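The following is an added example, not code from the original page or from the Mozilla guideline, of the checks an RP performs on an ID token before logging the user in. The issuer URL, client ID, client secret, nonce and claim values are all constructed for the example. It signs with HS256 (an HMAC keyed with the client secret, which OIDC permits for confidential clients) so that it runs with only the Python standard library; most OPs issue RS256 tokens that are verified against the OP's published JWKS instead, but the claim checks after the signature step are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample configuration: none of these names exist in the original page.
NOW = 1_700_000_000                         # fixed clock so the example is reproducible
OP_ISSUER = "https://op.example.org"        # the OP the RP was configured with
CLIENT_ID = "rp-client-42"                  # this RP's client_id at the OP
CLIENT_SECRET = "constructed-client-secret-not-for-production"
LOGIN_NONCE = "n-7f3a"                      # value the RP put in its authentication request
SAMPLE_CLAIMS = {                           # what the OP would put in the ID token
    "iss": OP_ISSUER, "sub": "user-123", "aud": CLIENT_ID,
    "exp": NOW + 300, "iat": NOW, "auth_time": NOW - 5,
    "nonce": LOGIN_NONCE, "acr": "urn:example:mfa", "amr": ["pwd", "otp"],
    "email": "alice@example.org",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: str, alg: str = "HS256") -> str:
    """Stand-in for the OP: serialise header and claims as a JWT and sign with HS256."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    if alg == "none":                       # unsigned token, built only to show it gets rejected
        return signing_input + "."
    sig = hmac.new(client_secret.encode(), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class IDTokenError(ValueError):
    """The token must not be trusted; the RP must not log the user in."""


def validate_id_token(token, client_secret, issuer, client_id, nonce, now=None, leeway=60, max_age=None):
    """Check signature and claims as OIDC Core 3.1.3.7 requires; return the claims if they pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:               # bad base64 and bad JSON are both ValueErrors
        raise IDTokenError("undecodable token") from exc
    # 1. Pin the algorithm; never let the token pick it (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        raise IDTokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(client_secret.encode(), (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise IDTokenError("bad signature")
    # 2. The issuer must be exactly the OP this RP was configured with.
    if claims.get("iss") != issuer:
        raise IDTokenError("wrong issuer")
    # 3. The audience must contain our client_id; with several audiences azp must name us.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or client_id not in audiences:
        raise IDTokenError("token not issued for this client")
    if (len(audiences) > 1 or "azp" in claims) and claims.get("azp") != client_id:
        raise IDTokenError("azp does not name this client")
    # 4. Time window: expired tokens and tokens from the future are both refused.
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IDTokenError("token expired")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise IDTokenError("token issued in the future")
    # 5. The nonce ties the token to the login request this RP actually started (anti-replay).
    if claims.get("nonce") != nonce:
        raise IDTokenError("nonce mismatch")
    # 6. If the RP asked for max_age, the authentication event itself must be recent enough.
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > max_age + leeway:
            raise IDTokenError("authentication too old; send the user back to the OP")
    if not claims.get("sub"):
        raise IDTokenError("no subject")
    return claims


def rejected(token, **overrides):
    """True if the token is refused under the sample configuration (plus any overrides)."""
    params = dict(client_secret=CLIENT_SECRET, issuer=OP_ISSUER, client_id=CLIENT_ID,
                  nonce=LOGIN_NONCE, now=NOW)
    params.update(overrides)
    try:
        validate_id_token(token, **params)
    except IDTokenError:
        return True
    return False
```

Calling validate_id_token(mint_id_token(SAMPLE_CLAIMS, CLIENT_SECRET), CLIENT_SECRET, OP_ISSUER, CLIENT_ID, LOGIN_NONCE, now=NOW, max_age=600) returns the claims; the same token is refused by rejected() once the clock passes exp, when the nonce or audience belongs to a different login or client, when the authentication event is older than max_age, when the payload has been altered, and when the header claims alg "none". Pinning the algorithm on the RP side rather than reading it from the header is the check that most real-world JWT libraries have historically got wrong.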


Other tokens can be used, though these do not pertain directly to authentication. They are often called OAuth2 tokens, because OIDC is built on OAuth2 and therefore also provides full OAuth2 support. The OAuth2 tokens (access tokens and refresh tokens) allow their bearer to access information from other websites and resources (including additional user attributes, such as those served by the OP's UserInfo endpoint, that may not be carried in the ID token), but they are not required to perform user authentication, and possession of an access token is by itself no proof that the user authenticated.