Skip to main content

What is OpenID Connect?

What is OpenID Connect?


OpenID Connect is a standard designed and developed by the OpenID foundation. It may be find on top of OAuth 2.0 specification ( OAuth 2.0 is an authorization framework for access delegation. We can also call OpenID Connect an identity layer built on top of OAuth 2.0.

There are two main parties, the OpenID provider and the client application are involved in addition to the end user in a typical OpenID Connect login flow.

The OpenID provider manages;

  • user attributes and credentials,
  • and lets the users log in to client applications following the OpenID Connect protocol. 
  • These client applications and OpenID provider can belong to the same organization or different organizations. 
  • We call that client application a third-party client application when a client application comes from an outside organization from where the OpenID provider belongs to.
  • If eBay is the client application and Apple is the OpenID provider when we log in to eBay with our Apple ID. They belong to two different organizations. We can call eBay a third-party client application.

The client applications rely on;

  • An OpenID provider to authenticate users. 
  • We’ll use popular open-source OpenID providers in our samples.
  • How we set up those tools could vary time to time with new releases.
  • We’ll keep the setting up steps of those OpenID providers from our GitHub repository (

OpenID Connect is a standard that defines how a client application communicates with an OpenID provider to identify a user. How exactly the communication between a client application and the OpenID provider takes place is defined in the OpenID Connect Core specification ( developed by the OpenID foundation. There are few more specifications developed by the OpenID foundation to address some other use cases around OpenID Connect. We’ll introduce to those specifications as we delve deep into OpenID Connect.

OpenID Connect vs OAuth 2.0

The OAuth 2.0 Framework provides the detail of overarching patterns for granting authorization. But it does not define how to actually perform authentication. The application using OAuth builds a specific request for permissions to a third party system.It do handles the authentication process and returns an Access Token representing success. The IdP may require additional factors for example SMS or email but that is entirely outside the scope of OAuth. At the last, the contents and structure of that Access Token are undefined by default. This ambiguity guarantees that Identity Providers will build incompatible systems.

Fortunately, OpenID Connect or OIDC brings some sanity to the madness. This is an OAuth extension. It does add and strictly defines an ID Token for returning user information. It may return specific fields that our applications can expect and handle when we log in with our Identity Provider. The OIDC is just a special and simplified case of OAuth, not a replacement. It uses the same terminology and concepts.

Claims Management

We always need to think carefully about claims. A claim is simply the name or value pair embedded within our Access and ID Tokens. For example, we might have a user_id or email claim so downstream applications can use them to create profiles or make decisions. The OAuth main specification doesn’t introduce the concept of claims or even include the word claim. This is helpful because we can define whenever we need.

Use of OpenID Connect safegaurd us quite a bit. It explains a simple set of claims for user details such as name, address, and similar. The user knows what information they are sharing and applications know how to use it, if we only use those and limit access according to the proper scopes.

We add extra claims alternatively as the routine desire is to have a user-unique identifier. We use an obfuscated primary key that has no meaning outside our system, if we’re thoughtful about it. That could be a customer identifier if we’re not careful, employee number, or even a Social Security Number.



Popular posts from this blog

What is Internet of Things (IoT)?

 What is Internet of Things (IoT)?    The internet of Things, or IoT, refers to the billions of physical devices  round the  world that are now connected to  the web  , collecting, sharing and analyses  of knowledge  . It presents and provides the explanation of the network of physical things which is embedded with software , sensors,  and other technologies for the benefit of connecting and exchanging data with other devices and systems on the internet   . Due to the cheap processors and wireless networks, it's possible to  means  anything, from a pill to an aero plane to a self-driving car into  an area  of the IoT. Overview IoT will control the Fourth  technological revolution  . The Fourth  technological revolution  is changing the very software-defined automation allows manufacturers to link all stages of  the worth  chain, rapidly adapt to changing markets , and make highly personalized products on a mass scale. The opportunities provided by this revolution are authenticated

What is Rust Borrowing?

What is Rust Borrowing? Borrowing We call having references as function parameters borrowing. As in real world , if an individual owns something, we 'll borrow it from them . Whenever we’re done, we 've got to offer it back. Referencing  The reference is that the act of consulting somebody or something so as to urge information We would  declare reference in terms of Rust programing as if we are taking a replica of it without damaging or taking its ownership. ‘&’ symbol is employed to pass the reference Have a look that  how ‘&’ symbol is employed in code. fn main() { let s1 = String::from("hello"); let len = calculate_length(&s1); println!("The length of {} is {}.", s1, len); } fn calculate_length(s: &String) -> usize { s.len()} Mutable References The actual concept of mutable reference is same as we use mutable variable When  we  need to  modify  mutable reference is employed once   the worth we make regard to.

Kubernetes Readiness Probes

 Kubernetes Readiness Probes Description We understand that liveness probes and the way they assist keep our apps healthy by ensuring unhealthy containers are restarted automatically. Same like liveness probes, Kubernetes permit us to also define a readiness looked for our pod. The readiness probe is deployed periodically and examines whether the precise pod should receive client requests or not. Whenever a container’s readiness probe returns back success, it’s signaling that the container is ready to simply accept requests. This notion of being prepared is clearly something that’s specific to every container. Almost as liveness probe Kubernetes sends requests to container and supported the result either successful or unsuccessful response it decides container is prepared to require traffic or still preparing for that. The liveness probes not like, if a container fails the readiness check, it won’t be killed or restarted.   This is a very good practice to