OpenIDConnect with PhenixID Authentication Services - overview
This document describes how PhenixID Authentication Services can be used in OpenIDConnect scenarios. For more information about the OpenIDConnect standard, please visit http://openid.net/connect/
Role
PhenixID Authentication Services can be used as an OpenID Connect Provider, i.e. handling the authorization of users and issuing tokens to the relying parties on behalf of the users.
Supported flows
PhenixID Authentication Services supports the Authorization Code flow.
Technical flow
The picture below illustrates the data flow in OpenIDConnect Authorization Code flow.
The relying party (client) can be a web application, a native mobile app, a rich client application or any system/platform/device/service.
The user agent can be the system web browser or a web browser component built inside the relying party client. PhenixID recommends using the system web browser, because it makes Single-Sign-On (SSO) feasible between apps and systems.
The OpenID Connect Provider (PAS) provides an authorization endpoint URL for user authentication. It also provides a token endpoint URL for token issuing.
1. User opens the relying party client (such as a mobile app) and clicks login. The user agent will redirect to the authorization endpoint with client-specific data added to the query string: https://<openid_connect_provider_PAS_authorization_endpoint_url>?client_id=myMobileApp&redirect_uri=myMobileApp://
2. PAS will verify the client_id and redirect_uri against the configured relying party trust configuration. PAS will prompt for authentication.
3. User authenticates. Depending on the authentication method, several calls from the user agent to PAS might occur.
4. If authentication is successful, PAS will generate an authorization code. PAS will return a URL to the user agent (<redirect_uri>?code=<authorization_code>). Example: myMobileApp://?code=123456
5. The user agent will launch the URL from step 4. This will trigger the relying party client. The relying party client will receive the code from the URL.
6. The relying party backend will call the token endpoint: https://<openid_connect_provider_PAS_token_endpoint_url>?code=<code>&redirect_uri=<redirect_uri>&client_id=myMobileApp&client_secret=XXXX
PAS will return a signed OpenIDConnect JWT IDToken. This token contains information about the end user that performed the successful authentication. The relying party will validate the JWT token (signature and other attributes). If validation is ok, the user is granted access to the relying party.