OpenID Connect Understanding
In this blog article, we will cover some basics of the OpenID Connect mechanism.
I will start with a short history.
History: Years ago, organizations wanted a unified authentication system for better management and security, so Single sign-on came into the picture to provide one repository of usernames and passwords. With many improvements in service-oriented architecture, Open APIs were introduced that paved the way for organizations and individual developers/apps to consume those APIs with the right authorization. With the social media explosion, many applications were built on, or started hooking into, Facebook, LinkedIn and Google with the right authentication.
Federated Identity helps in solving these login mechanisms across applications.
What is federated identity?
– It is a way of centralizing authentication and authorization by linking the identity of a user across several identity management systems.
The three main protocols for federated identity are SAML, OAuth and OpenID.
I have separate posts on SAML and OAuth, so I will keep the definitions short.
https://myknowtech.com/tag/sso
https://myknowtech.com/tag/oauth
SAML
XML-based open standard for exchanging authentication and authorization data. The service provider uses the identity provider to verify the identity of an end user.
OAuth
Open standard used for secure authorization (not for authentication). Mainly used for API authorization across applications.
What is OpenID?
The name suggests it is an open ID (identification).
For example: you have your country's passport and you are in Italy for a vacation. The Italian officials can use your passport (number) to verify you. Your country is the identity provider, which issued an ID to you, and with that ID you get access to different countries!
– It is an open standard, decentralized authentication mechanism.
– Users create an account with a single OpenID identity provider. The stored user information can then be used to log in to other applications that accept OpenID authentication.
In day-to-day life you will see that almost all applications accept OpenID login.
I just opened Quora. You can see it accepts the OpenID login provided by Google and Facebook (Facebook has its own OpenID version, Facebook Connect).
You can use your Google/Facebook information to sign in to other applications. This way, you don’t need to create a separate username and password for Quora and remember it all the time!
We have seen a similar thing in my previous post on OAuth.
What is the relation between OAuth and OpenID Connect?
1. OpenID Connect is a layer on top of OAuth that uses the user profile information for authentication purposes.
2. OAuth is an authorization mechanism and OpenID Connect is an authentication mechanism.
3. In OAuth we saw that it supports four grant types – authorization code, implicit, resource owner password credentials and client credentials. In OpenID Connect, we call these supported flows. OpenID Connect supports the authorization code and implicit flows.
Note: Pega supports only the authorization code flow for OpenID Connect.
We saw that for the authorization code grant we have two tokens – the authorization code and the access token. With OpenID Connect, we have an additional main token – the id_token.
Most providers issue these tokens in JWT (JSON Web Token) format.
What is a JWT token?
It is an open standard for securely transmitting information as a JSON object. It is digitally signed, so the receiver can verify that it came from the issuer and was not altered in transit.
With regard to OpenID Connect, the id_token is a JWT that contains the user information encoded in base64 format.
You can verify the token's signature using the public key published by the identity provider.
In the next article, we will use the site https://jwt.io/ to decode and verify the JWT.
Let’s look at the OpenID Connect authorization code flow.
Please visit the below link to learn the basics of the authorization code flow as explained for OAuth 2.0.
Step 1: The end user opens the Quora site, tries to log in and initiates the request using Google sign-in.
Step 2: Quora, the relying app, sends the authentication request to Google, the OpenID identity provider.
Step 3: Google, the identity provider, presents the user with a screen to enter the login credentials, and the credentials are submitted to the identity provider.
Step 4: In the authorization code flow, the authorization code is generated and sent to the relying app.
Step 5: With the received authorization code, the relying app Quora sends a token request to the identity provider and receives the tokens (access token and ID token).
Step 6: With the ID token, the relying app sends a request and retrieves the user info (claim data) necessary for authentication.
What are claims in OpenID Connect?
– The user info in OpenID Connect is called claims.
– They are intended to supply the client with the consented user details such as email, name, picture, address, etc.
Clients request claims using the scope parameter. We will see how to specify the scope in the coming tutorial.
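To tie the six steps above and the scope parameter together, here is an added example (not from the original post) of the relying app's side of the authorization code flow: building the authentication request of step 2 with the openid/email/profile scopes, checking the state on the callback of step 4, and preparing the back-channel token request of step 5. The endpoints, client ID, secret and redirect URI are assumed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders (not real endpoints or credentials); take the real
# endpoints from the provider's discovery document and the client ID/secret
# from the developer console.
AUTH_ENDPOINT = "https://idp.example/authorize"
TOKEN_ENDPOINT = "https://idp.example/token"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://relying-app.example/callback"

def start_login(session: dict) -> str:
    """Step 2: build the authentication request URL the relying app redirects to."""
    session["state"] = secrets.token_urlsafe(16)   # binds the callback to this browser session
    session["nonce"] = secrets.token_urlsafe(16)   # must come back inside the id_token
    params = {
        "response_type": "code",                   # authorization code flow
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",           # 'openid' makes it OIDC; the rest request claims
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"

def handle_callback(callback_url: str, session: dict) -> str:
    """Step 4: extract the authorization code, rejecting callbacks this session did not start."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, session.get("state", "")):
        raise ValueError("state mismatch: callback was not started by this session")
    session.pop("state")                           # single use: a replayed callback fails
    return query["code"][0]

def token_request(code: str) -> dict:
    """Step 5: form body the relying app POSTs to TOKEN_ENDPOINT over the back channel."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,              # must match the one sent in step 2
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
```

The response to that POST carries the access token and the id_token of step 5; the nonce stored in the session is what the id_token's nonce claim is compared against.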
For the OpenID Connect tutorial, I am going to use Google as the OpenID identity provider.
Let’s start with the configuration steps for OpenID Connect.
How to configure Google as an OpenID Connect identity provider?
Note: The steps below are much the same as how you get the Google Maps API key to integrate with Pega maps.
Step 1: Launch the Google developer console and sign in with your Google account
https://console.developers.google.com/project?pli=1
Step 2: Create a new project for OpenID connect.
Click create project and enter the basic project details.
Step 3: Switch to your newly created project.
Step 4: Configure the OAuth consent screen.
Select external and create.
Provide the basic details of the application that will access the Google identity provider.
You will also see that the scopes email, profile and openid are selected for the Google APIs.
Once done, save your changes.
Step 5: Create credentials.
Click on the Credentials tab, click Create credentials and then select OAuth client ID.
Select Web application and provide a name for it.
Then click Create.
Copy your client ID and secret.
We are at the end of the post. We saw some basics about OpenID Connect and the authorization code flow. We also successfully created an application in the Google Developer Console.
In the next article, we will see some interesting stuff about the OpenID Connect authentication service in Pega and how we can log in to Pega using Google credentials!!