Skip to main content

OpenID Connect

LoginRadius enables seamless integration of your OpenID Connect (OIDC) client with its platform, adhering to standard OpenID Connect specifications.

OpenID Connect 1.0 is a simple identity layer built on the OAuth 2.0 protocol. It allows clients to authenticate end-users by leveraging the Authorization Server's verification process. In addition, it provides access to essential profile details, such as the user's name and email. OpenID Connect simplifies user identity management in web and mobile applications by combining authentication and authorization, delivering secure and seamless user experiences across various platforms.

Use Cases for OpenID Connect (OIDC)

OpenID Connect (OIDC) is a versatile identity layer that enables secure and seamless user authentication and authorization across various applications and platforms. Below are some practical scenarios where OIDC is commonly used:

1. Single Sign-On (SSO)

  • Scenario: A company provides multiple web applications to its users and wants them to log in once to access all applications without re-authenticating.
  • How OIDC Helps: OIDC acts as the identity layer on top of OAuth 2.0, enabling users to authenticate with a single set of credentials across different platforms. This enhances user convenience and reduces password fatigue.

2. Accessing User Profiles

  • Scenario: An e-commerce application needs access to a user’s profile details (e.g., name, email, and address) to personalize the shopping experience.
  • How OIDC Helps: With OIDC, the app can request access to user profile details securely using standard scopes like openid, profile, and email.

3. Identity Federation

  • Scenario: A university integrates its internal user database with third-party cloud applications for students and staff, enabling them to use their existing credentials for external services.
  • How OIDC Helps: OIDC facilitates identity federation by allowing the university to act as an identity provider, securely authenticating users and sharing their identity information with authorized third-party services.

4. Mobile and Single-Page Applications (SPAs)

  • Scenario: A fitness tracking app needs a secure way to authenticate users and access their health data across multiple devices.
  • How OIDC Helps: OIDC’s PKCE Flow ensures secure authentication for public clients like mobile apps and SPAs, preventing token interception.

5. Cross-Platform User Experience

  • Scenario: A gaming platform enables users to seamlessly play games on mobile desktops and the web while maintaining their identities across platforms.
  • How OIDC Helps: OIDC ensures consistent user identity across multiple devices and platforms, providing a seamless and unified user experience.

OIDC’s flexibility and adherence to standards make it a valuable tool for enhancing security, simplifying authentication, and improving user experiences in various applications.

Configuration

Follow these steps to configure OpenID Connect settings in the LoginRadius Admin Console:

  1. Navigate to Application>Apps in the Admin Console.
  2. Add a New App:
    • Click Add Apps.
    • Enter a unique App Name.
    • Select OpenID Connect 1.0 under the Protocol.
    • Choose the App Type based on your use case:
      1. Native App
      2. Machine 2 Machine App
      3. Single Page App
      4. Web App
    • Click CREATE to generate a new app configuration.

OpenID Connect Configuration

To begin the setup, fill out the configuration form as outlined below:

  • App Name: The name of your OpenID Connect App.

  • App Type: Choose one of the following:

    • Native App
    • Single Page App
    • Web App

  • Client ID and Client Secret: These are unique identifiers generated for the OIDC app. The Client Secret is visible only once during creation, so ensure you copy it.

  • Grant Type: Choose how the app will obtain the access token:

    • Authorization Code
    • Implicit
    • Password Credentials
    • Refresh Token
    • Device Code (additional fields for Device Code flow):
      • Verification URL
      • Verification Complete URL
      • Device Code Expiration (Seconds)
      • Polling Interval (Seconds)
      • User Code Character Set
      • User Code Mask

  • Token Endpoint Auth Method: Select the client authentication method to authenticate the Authorization Server using the token endpoint.

  • Scopes: Define the access privileges requested for Access Tokens.

  • Login Redirect URL (Optional): Provide whitelisted callback redirect URIs. If left blank, the redirect_uri will be validated against the globally Configured Domains list in Tenant Settings

  • CORS Origin: For Single Page Applications, Native Apps, or scenarios where the Client Secret cannot be kept confidential, whitelist the JavaScript web origin for the OIDC REST API.

  • Token Expiration (Seconds): Set the lifetime of the Access Token. After expiration, re-authentication or token refresh will be required.

  • ID Token Expiration (Seconds): Specify the lifespan of the ID Token.

  • Refresh Token TTL (Seconds): Set the lifetime of the Refresh Token.

  • Force Reauthentication: If enabled, reauthentication is mandatory for the authorization request.

  • Signed User Info: If enabled, user info is returned as a signed JWT; otherwise, it is returned in JSON format.

  • Audiences: Specify the resource server(s) that will accept the OIDC tokens.

  • Data Mapping: Map desired fields from the LoginRadius profile to JWT claims. Use the left column for JWT field names and the right column for corresponding profile keys (dot notation may be needed for nested data).

  • Meta Data: Define static key-value pairs to include in the ID Token payload.

  • Scopes for Management API (Optional): You can configure the scopes allowed for the Management API using the Client ID and Client Secret.

Click SAVE to complete the configuration.

Enabling Connections

Once the OIDC App is configured, you can enable or disable connections for the flow from existing global Social/Custom IDP providers:

  1. Toggle the connection settings to enable or disable as needed.

For more details, visit the LoginRadius documentation or contact support for assistance.

OpenID Connect (OIDC) Flows Overview

OpenID Connect (OIDC) defines three types of authentication flows, each suited for different use cases and application types. Every flow involves interaction with the Authorization Endpoint, where the user is prompted to log in. Below is an overview of these flows:

  1. Authorization Code Flow

    Used for server-side web applications where the Client Secret can be securely stored. The authorization code is appended as a query string to the redirect URI.

  2. Authorization Code Flow with PKCE

    Suitable for public clients such as mobile apps and SPAs where the Client Secret cannot be securely stored. The authorization code is appended as a query string to the redirect URI.

  3. Implicit Flow

    Designed for SPAs where tokens are issued directly to the client without an intermediate authorization code exchange. Tokens are returned in the URI fragment.

  4. Hybrid Flow

    Combines the benefits of Authorization Code and Implicit flows, suitable for scenarios requiring immediate token access and additional security. Tokens are returned in the URI fragment.

  5. Device Code Flow

    Used for devices with limited input capabilities. The user is prompted to enter a code on a secondary device to authenticate.

ParameterRequired/OptionalDescription
client_idRequiredThe unique OIDC Client ID.
redirect_uriRequiredURI where the response is sent. Must be whitelisted in the Admin Console. If specified in the OIDC configuration, it takes precedence.
response_typeRequiredSpecifies the desired processing flow (code, id_token, or combinations for Hybrid Flow).
stateOptionalRecommended for CSRF protection. It helps maintain the state between the request and callback.
scopeRequiredA space-delimited list of requested scopes (e.g., openid, profile, email). Must include openid for OIDC.
nonceOptionalToken validation parameter to prevent replay attacks. Included in the ID Token if provided.
response_modeOptionalSpecifies how the response parameters are returned. Values: query, fragment, or form_post. The default depends on the flow.
ui_localesOptionalPreferred languages for the user interface, e.g., "en-US fr-CA"
displayOptionalHow the login page is displayed. Values: page (default), popup.
promptOptionalSpecifies reauthentication and consent behavior. Values: login, none.
ClaimsOptionalJSON object specifying claims requested in the ID Token or UserInfo response. Example: { "id_token": { "email": null }, "userinfo": { "name": null } }.
id_token_hintOptionalA previously issued ID Token as a hint about the user's session returns login_required if the user is not authenticated.
login_hintOptionalA hint for the Authorization Server about the login identifier (e.g., email or phone).
max_ageOptionalMaximum allowable time (in seconds) since the last user authentication. Forces reauthentication if exceeded.
acr_valuesOptionalSpecifies the authentication context class reference. For example, loginradius:nist:level:1:re-auth forces reauthentication.

Response Modes

  1. Query: Parameters are appended as a query string in the redirect_uri.
    Example: https://example.com?state=abc&code=xyz
  2. Fragment: Parameters are appended as a URI fragment.
    Example: https://example.com\#state=abc&code=xyz
  3. Form Post: Parameters are sent as a POST request to the redirect_uri.
FlowDefault Response Mode
Authorization Code Flowquery
Implicit Flowfragment
Hybrid Flowfragment

You can leverage OIDC for secure and scalable authentication across your applications by selecting the appropriate flow and configuring the parameters accordingly.