¶ OpenID Connect

Update Time: 2022-06-22 20:14:04

OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It allows different applications to verify the identity of an end user based on the authentication performed by an authorization server, and to obtain basic profile information about that user. The user only needs to log in once at the authorization server to access all of the applications that trust it.

¶ How OIDC works in Backend

Example on GitHub: oidc-demo

¶ Flow Features

Property                                        | Authorization Code Flow | Implicit Flow | Hybrid Flow
All tokens returned from Authorization Endpoint | no                      | yes           | no
All tokens returned from Token Endpoint         | yes                     | no            | no
Tokens not exposed to the front end (browser)   | yes                     | no            | no
Client can be authenticated                     | yes                     | no            | yes
Refresh Token possible                          | yes                     | no            | yes
Communication in one round trip                 | no                      | yes           | no
Most communication is server to server          | yes                     | no            | varies

The Hybrid Flow column follows the comparison table in section 3 of the OIDC Core 1.0 specification.

¶ Response Types by Flow

response_type value  | Flow
code                 | Authorization Code Flow
id_token             | Implicit Flow
id_token token       | Implicit Flow
code id_token        | Hybrid Flow
code token           | Hybrid Flow
code id_token token  | Hybrid Flow

Refer to OIDC Protocol.

¶ How to Verify Token

Please refer to:

Verify the user's identity credential (token)

¶ Claims Requested by scope

scope          | Claims returned
address        | address
email          | email, email_verified
phone          | phone_number, phone_number_verified
profile        | birthdate, family_name, gender, given_name, locale, middle_name, name, nickname, picture, preferred_username, profile, updated_at, website, zoneinfo
offline_access | if present, a refresh_token is returned
role           | the user's role list

¶ OIDC Claim Example

Standard claims that the OP can return in the ID Token or from the UserInfo Endpoint:

  • sub
  • name
  • given_name
  • family_name
  • middle_name
  • nickname
  • preferred_username
  • profile
  • picture
  • website
  • email
  • email_verified
  • gender
  • birthdate
  • zoneinfo
  • locale
  • phone_number
  • phone_number_verified
  • address
  • updated_at

The address claim is a JSON object with these members:

  • formatted
  • street_address
  • locality
  • region
  • postal_code
  • country

Refer to OIDC Protocol.

¶ ID Token and Access Token

When the front end calls your own back end, the ID Token should be sent with the request. The developer's server must validate the ID Token before trusting it: the ID Token is a signed JWT, so verify its signature with the OIDC client secret (HS256) or with the OP's public key (RS256), and then check that the issuer, audience (your Client ID), expiry time and nonce are the expected values. Refer to How to Verify Token.

When requesting resources, the Access Token should be sent in the Authorization header as a Bearer token. For example:

const axios = require("axios");

// axios.get(url, config): the URL is the first argument and the request
// config (including headers) is the second.
axios
  .get("https://core.authing.cn/api/v2/your/resources", {
    headers: {
      Authorization: "Bearer YOUR_OIDC_ACCESS_TOKEN"
    }
  })
  .then(res => {
    // custom codes
  })
  .catch(err => {
    // a 401 response usually means the access token is expired or invalid
  });

¶ Why OIDC Prefers the Authorization Code Flow

There are three parties in the OIDC Authorization Code Flow: the User, the OIDC Provider (OP) and the Service Provider (SP, the application). The flow between SP, OP and User:

  1. The SP builds an Authorization Request (response_type=code) and redirects the User's browser to the OP login page.
  2. The User logs in, and the OP redirects the browser back to the SP's callback URL with an Authorization Code.
  3. The SP's back end sends the Authorization Code, together with its Client ID and Client Secret, to the OP's Token Endpoint and receives an access_token (and an id_token).
  4. The SP uses the access_token to request the user's claims from the OP's UserInfo Endpoint.

The Authorization Code Flow keeps the access_token and the user information away from the front end. After a successful login, the OP redirects the user's browser to the callback URL carrying only an Authorization Code. An Authorization Code typically has a lifetime of about 10 minutes and can be used only once. An access_token, by contrast, has a relatively long lifetime, typically 1 to 2 hours, and is only ever handled by the back end.

The back end exchanges the Authorization Code for an access_token by presenting the code, the Client ID and the Client Secret to the OP. During this step the OP verifies these values to make sure the request comes from the registered SP. If an Authorization Code is intercepted, it cannot be redeemed for user information without the Client ID and Client Secret. Even if the Client ID and Secret also leak, the code is single-use and expires within 10 minutes, which significantly narrows the window for abuse (and a second redemption attempt fails, which the legitimate SP can notice). The SP should additionally bind the callback to the user's browser session with the state parameter and check that the ID Token's nonce matches the value it sent, so that a code obtained elsewhere cannot be injected into another user's session.
