
'OpenID Connect' Client App Creation on Auth0

If we are going to use OIDC (OpenID Connect), we first need to know the definitions of OAuth and OIDC. OAuth is for authorization, and OIDC sits on top of OAuth to provide authentication. So OIDC provides both authorization and authentication.

What is OAuth?
The OAuth 2.0 authorization framework enables third-party applications to obtain limited access to a web service.
[To see more on OAuth itwithcs.blogspot.com: Click here]

What is OpenID Connect?
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. It uses JSON Web Tokens (JWT), which you can obtain using flows conforming to the OAuth 2.0 specifications.

What are Identity Servers?
Identity servers are the core part of any identity and access control infrastructure. An identity server is the central database that stores user credentials, and it is the server that all IT resources check with to authenticate user access.
Example: IdentityServer [http://identityserver.io/], Auth0 [https://auth0.com/], WSO2 Identity & access management [https://wso2.com/], etc.

Note: Here I have used the Auth0 universal identity platform to build an OIDC application [more user-friendly because of its direct functionality].

How does OIDC work?
For example, if you chose to sign in to Auth0 using your Google account then you used OIDC. Once you successfully authenticate with Google and authorize Auth0 to access your information, Google will send back to Auth0 information about the user and the authentication performed. This information is returned in a JSON Web Token (JWT). You'll receive an Access Token and, if requested, an ID Token.
+--------+                                   +--------+
|        |                                   |        |
|        |---------(1) AuthN Request-------->|        |
|        |                                   |        |
|        |  +--------+                       |        |
|        |  |        |                       |        |
|        |  |  End-  |<--(2) AuthN & AuthZ-->|        |
|        |  |  User  |                       |        |
|   RP   |  |        |                       |   OP   |
|        |  +--------+                       |        |
|        |                                   |        |
|        |<--------(3) AuthN Response--------|        |
|        |                                   |        |
|        |---------(4) UserInfo Request----->|        |
|        |                                   |        |
|        |<--------(5) UserInfo Response-----|        |
|        |                                   |        |
+--------+                                   +--------+
  1. The RP (Client) sends a request to the OpenID Provider (OP).
  2. The OP authenticates the End-User and obtains authorization.
  3. The OP responds with an ID Token and usually an Access Token.
  4. The RP can send a request with the Access Token to the UserInfo Endpoint.
  5. The UserInfo Endpoint returns Claims about the End-User.

OIDC JWT (JSON Web Token)
Access Token
Access Tokens are credentials that can be used by an application to access an API. An Access Token can be an opaque string, a JWT, or a non-JWT token. Its purpose is to inform the API that the bearer of this token has been granted delegated access to the API and may request specific actions (as specified by the scopes that have been granted).
ID Token
The ID Token is a JSON Web Token (JWT) that contains identity data. It is consumed by the application and used to get user information such as the user's name, email, and so forth, typically for UI display. ID Tokens conform to an industry standard (IETF RFC 7519) and contain three parts: a header, a body and a signature.

Claims
JWTs contain claims, which are statements (such as name or email address) about an entity (typically the user) plus additional metadata.
Note: The OpenID Connect specification defines a set of standard claims, including name, email, gender, birth date, and so on. However, if you want to capture information about a user and there currently isn't a standard claim that best reflects this piece of information, you can create custom claims and add them to your tokens.
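As an added example (not code from this post or from Auth0), the three-part token structure and the claim checks above worked through in Python with only the standard library: it builds an HS256-signed ID Token for a constructed user, then verifies it the way the relying party should, checking the signature first and then the iss, aud and exp claims. The tenant URL, client ID and shared secret are placeholders; Auth0 signs with RS256 by default, and HS256 is used here only so the example runs offline with a single key.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders for this example, not real Auth0 credentials.
TENANT_ISSUER = "https://benjamin.auth0.com/"       # iss is the tenant URL, with trailing slash
CLIENT_ID = "EXAMPLE_CLIENT_ID"                      # an ID Token's aud is the client_id
CLIENT_SECRET = b"example-shared-secret-for-hs256"  # HS256 key: the Client Secret from the dashboard

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, key: bytes) -> str:
    """Build header.body.signature, HS256-signed, as the OP would issue it."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Relying-party side: verify the signature, then iss/aud/exp. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; the token must never choose it
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # only trust the body after the signature check
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    if now >= claims.get("exp", 0):  # RFC 7519: current time must be before exp
        raise ValueError("token expired")
    return claims

def id_token_is_valid(token: str, key: bytes, issuer: str, audience: str, now: int) -> bool:
    """Accept/reject wrapper around verify_id_token for callers that need only a boolean."""
    try:
        verify_id_token(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False
```

With the post's 360-second JWT expiration, a token issued at time t is rejected from t + 360 onward.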

Let's Create a Regular Web Application in Auth0

  1. Create a user account in Auth0 and create your own Tenant [e.g. benjamin.auth0.com].
  2. Provide the information about the created Tenant.
  3. Navigate to the dashboard and click on the Applications menu option on the left, then click the + Create Application button.

  4. Settings:
    1. Application Type: Regular Web Application
    2. Token Endpoint Authentication Method: POST
    3. Allowed Callback URL: http://localhost:9090/oidcapp/callback [your own application's callback URL]
    4. JWT Expiration (seconds): 360 - 5min
    5. You can get the Client ID and Client Secret of the created application here.
    6. Make sure about the OAuth endpoints [Advanced --> Endpoints].
    7. Set the algorithm used for signing your JSON Web Tokens.
    8. Create a new user who will be able to log in to the created application; this user's profile is the information that will be shared.

  5. After creating the application with the settings above, you will see a new web API created with the application name [Dashboard --> APIs].


My next blog will continue with the sample application: 'How the real-world OIDC flow works on top of OAuth'.
