OpenID Connect is an interoperable authentication protocol built on top of OAuth 2.0. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users.
1. The user clicks "Login with Auth0" on the web application.
2. The web application (the client) redirects the browser with a GET request to the authorization endpoint of the Identity Provider (the Authorization Server), e.g. Auth0 or WSO2 Identity Server.
The request includes the following parameters.
Parameter     | Required    | Description                                                                                                                                                                              | Example value
scope         | REQUIRED    | OpenID Connect requests MUST contain the openid scope value. Other defined scopes such as profile and email can be added.                                                                 | openid profile
response_type | REQUIRED    | Determines the authorization processing flow to be used. For the authorization code grant type the value is code.                                                                         | code
client_id     | REQUIRED    | The client application identifier issued by the Authorization Server when the client was registered.                                                                                    |
redirect_uri  | REQUIRED    | Redirection URI to which the response will be sent. It must match a URI pre-registered at the Authorization Server / Identity Provider (exact match).                                   |
state         | RECOMMENDED | Opaque value used to maintain state between the request and the callback. Generate it unguessably for each login, bind it to the user's session and check it when the callback arrives; this is the flow's CSRF protection. |
Ex:
// state=123 is only a placeholder; a real client uses an unguessable per-session value
String url = "https://mifraz.auth0.com/authorize"+
"?audience=https://mifraz.auth0.com/api/v2/"+
"&scope=openid profile"+
"&response_type=code"+
"&client_id=DpeGsXwMZuainG5XzDs1tRDmcdnbu86n"+
"&redirect_uri=http://localhost:9999/oauth/access"+
"&state=123";
All the parameter values must be URL encoded (for example with https://meyerweb.com/eric/tools/dencoder/).
3. The Identity Provider shows the login page if the user is not already logged in (authentication), then a consent page asking the user to authorize releasing the requested details to the client application (user consent).
4. If the user authorizes it, the Identity Provider redirects the browser to the registered callback URL (redirection URI) with the authorization code and the state value from the request. The client must check that this state equals the one it generated before using the code.
Ex:
http://localhost:9999/oauth/access?state=123&code=8b19c95f860fe61c281cb6d
5. The client application exchanges the authorization code for tokens with a POST request to the token endpoint. This is a back-channel (server-to-server) call in which the client authenticates with its client_secret, which must never be exposed to the browser.
//OAuth Token URL
String auth_url = "https://mifraz.auth0.com/oauth/token";
//Prepare POST Request Body (sent as application/x-www-form-urlencoded)
String POST_PARAMS = "grant_type=authorization_code"+
"&client_id=DpeGsXwMZuainG5XzDs1tRDmcdnbu86n"+
"&client_secret=xxxxxxxxxxxxxxxxxxxxxxx"+
"&code=8b19c95f860fe61c281cb6d"+
"&redirect_uri=http://localhost:9999/oauth/access";
The redirect_uri must be URL encoded and must be identical to the one sent in the authorization request; the Authorization Server rejects the exchange otherwise.
6. The token response is a JSON object containing the following:
· access_token
· id_token
· token_type
· expires_in
· scope
The id_token carries the user's identity claims as a JWT, which has a header, a payload (body) and a signature. Before trusting it, the client must verify the signature and check that iss is the Identity Provider, that aud contains its own client_id and that exp has not passed. To further understand what a JWT is, refer this.
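The whole client side of steps 2 to 6 in one place, as an added example that is not code from the original post (Python rather than the Java fragments above). It builds the authorize URL with every value percent-encoded and a random state, checks the state on the callback, builds the form-encoded token request, and validates the returned id_token. The tenant, client_id, redirect URI and authorization code are the page's own values; the client secret, the nonce parameter (not in the page's table, but the OIDC-specified replay protection for the id_token), the HS256 signing choice and the sample id_token are assumptions constructed here so the flow runs offline.

```python
# Added example, not code from the original post: a minimal OIDC authorization-code
# client in plain Python covering steps 2 to 6. Tenant, client_id, redirect URI and
# the sample code are the page's values; the client secret, the nonce and the sample
# id_token are constructed here so the whole flow runs offline.
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, quote, urlencode, urlparse

ISSUER = "https://mifraz.auth0.com/"  # must equal the provider's issuer exactly (Auth0's has the trailing slash)
CLIENT_ID = "DpeGsXwMZuainG5XzDs1tRDmcdnbu86n"
REDIRECT_URI = "http://localhost:9999/oauth/access"

def new_state() -> str:
    # Unguessable per-login value; store it in the browser session before redirecting.
    return secrets.token_urlsafe(32)

def new_nonce() -> str:
    # Not in the page's table: the OIDC nonce ties the id_token to this login (replay protection).
    return secrets.token_urlsafe(32)

def build_authorize_url(state: str, nonce: str) -> str:
    """Step 2: URL the browser is redirected to; urlencode percent-encodes every value."""
    params = {"audience": "https://mifraz.auth0.com/api/v2/",  # Auth0-specific, not core OIDC
              "scope": "openid profile", "response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}
    return ISSUER + "authorize?" + urlencode(params, quote_via=quote)  # quote gives %20, not '+'

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 4: take the code from the redirect only if state matches the one we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: rejecting callback (CSRF / login forgery)")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]

def build_token_request(code: str, client_secret: str):
    """Step 5: back-channel POST body; redirect_uri is percent-encoded and identical to step 2."""
    body = urlencode({"grant_type": "authorization_code", "client_id": CLIENT_ID,
                      "client_secret": client_secret,  # server side only, never in the browser
                      "code": code, "redirect_uri": REDIRECT_URI})
    return ISSUER + "oauth/token", body

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_sample_id_token(claims: dict, secret: str) -> str:
    """CONSTRUCTED provider side: mints an HS256 id_token so step 6 can be checked offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(id_token: str, secret: str, expected_nonce: str, now=None) -> dict:
    """Step 6: verify the signature and claims before trusting anything in the id_token.
    Assumes the app is set to HS256 (client secret as key); with RS256 the key comes from
    the provider's JWKS instead, but the claim checks below are the same."""
    now = int(time.time()) if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm; never let header['alg'] choose the check ('none' / key-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("id_token signature does not verify")
    claims = json.loads(b64url_decode(p_b64))
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in aud:
        raise ValueError("id_token was not issued to this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed id_token?)")
    return claims

def run_demo(client_secret: str = "constructed-client-secret", now: int = 1_700_000_000) -> dict:
    """Steps 2-6 end to end with a constructed callback and a constructed token response."""
    state, nonce = new_state(), new_nonce()
    build_authorize_url(state, nonce)  # the browser would be redirected here
    callback = f"{REDIRECT_URI}?state={state}&code=8b19c95f860fe61c281cb6d"  # constructed step-4 redirect
    code = parse_callback(callback, state)
    token_url, body = build_token_request(code, client_secret)  # would be POSTed to token_url
    id_token = sign_sample_id_token({"iss": ISSUER, "sub": "auth0|constructed-user", "aud": CLIENT_ID,
                                     "iat": now - 5, "exp": now + 3600, "nonce": nonce}, client_secret)
    return validate_id_token(id_token, client_secret, nonce, now=now)
```

Call run_demo() to walk the flow; in a real client the callback string comes from the browser's redirect and the id_token from the HTTP response to the POST. The algorithm is pinned in validate_id_token on purpose: a validator that reads the algorithm from the token header lets an attacker pick "none" or swap an RS256 key for an HS256 secret.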
Use a REST client browser extension (Chrome/Firefox) to try the requests and responses above.
https://openid.net/connect/