As promised, here's part two of my series on OpenID Connect. Check out part one for my introduction to OpenID Connect and SAML.
So, the first extension to OAuth 2.0 is the introduction of an ID_Token. With OAuth 2.0, one problem a client app faces is how to determine whether an Access token it received came from a trusted Authorization Server (AS) and whether it relates to the request the client had made to the AS earlier.
To answer these questions, the AS includes an ID_Token with every Access token it issues. The ID_Token contains claims that can be used for authentication events and user identifiers and is also scoped to a particular Client via the aud Claim.
iss: Issuer Identifier for the Issuer of the response
sub: Subject identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client
aud: Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value
exp: Expiration time on or after which the ID Token MUST NOT be accepted for processing
iat: Time at which the JWT was issued
The ID_Token is represented as a JSON Web Token (JWT), which uses the JSON Web Signature (JWS) and JSON Web Encryption (JWE) specifications so that the claims can be digitally signed or MACed and/or encrypted.
Here's an example of an ID_Token in a token response.
Every Client must validate the ID_Token it receives. It MUST validate the iss, aud and exp claims; validation of the remaining claims is optional where they are present.
The above example is a result from the Basic Client profile. In an Implicit Client profile, however, the ID_Token may also be returned in the front channel together with the code, and it carries a hash of the token the AS has issued as a detached signature, so that the associated token cannot be switched in the user agent.
An example of an ID_Token in the URI:
I'm trying to make this information simple and easy to consume. Let me know what you think by leaving a comment. In my next post, I'll discuss UserInfo Endpoint.
John Phan is a Technical Content Creator and Instructor at Ping Identity.