OAuth and OpenID Connect SSO
OAuth is an authorization protocol that lets servers and services access protected resources on a user's behalf without the user sharing their logon credentials with the application. OpenID Connect is an identity layer built on top of the OAuth framework.
The basic components involved in OAuth and OpenID Connect are:
- Server: Verifies the user's credentials and issues the key (token) that logs them in. In our case, ADSelfService Plus acts as the server.
- Client application: This is the application to which a user is attempting to log in.
- User: This is the account that is attempting to log in to the client application.
OAuth 2.0
This is how OAuth enables SSO:
- When a user tries to log in to an application, the application sends an authorization request to ADSelfService Plus. The user is then redirected to the ADSelfService Plus login page, where they enter their login credentials.
- After successful verification, an authorization code is sent to the application from ADSelfService Plus.
- The application sends the authorization code back to ADSelfService Plus to receive the access token and the refresh token. The access token acts as a time-bound key for the user to access the application's protected resources. The refresh token is a permanent key that can be used to request a new access token after the old one expires.
- Next, the application sends a user info request to ADSelfService Plus, presenting the access token as proof of identity. The response returns the user profile details required to complete the login process.
- After successful verification of user details at the application's end, the user is logged in to the application.
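The five steps above, run end to end as an added example (this is illustrative code written for this page, not ADSelfService Plus code or its API). The authorization server class stands in for ADSelfService Plus and the client class for the application; both run in-process with no network. The client id, secret, URLs, user record and 600-second token lifetime are constructed assumptions. Beyond the steps as listed, it shows the checks a client and server are expected to make along the way: the redirect URI must match the registration, the state value ties the callback to the login attempt, an authorization code can be redeemed only once, and an expired access token is refused until the refresh token is used to get a new one.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

TOKEN_TTL = 600  # assumed access-token lifetime (seconds); not a product setting


class AuthorizationServer:
    """ADSelfService Plus role: checks credentials, issues codes and tokens."""
    def __init__(self, clients, users, clock=time.time):
        self.clients = clients    # client_id -> (client_secret, redirect_uri)
        self.users = users        # username -> (password, profile)
        self.clock = clock
        self.codes = {}           # code -> (client_id, username, redirect_uri)
        self.access_tokens = {}   # token -> (username, expiry)
        self.refresh_tokens = {}  # token -> (client_id, username)

    def authorize(self, client_id, redirect_uri, state, username, password):
        """Steps 1-2: verify credentials, redirect back with a single-use code."""
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("redirect_uri does not match the registered value")
        stored, _ = self.users.get(username, ("", None))
        if not stored or not secrets.compare_digest(stored, password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, username, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def _authenticate_client(self, client_id, client_secret):
        if not secrets.compare_digest(self.clients[client_id][0], client_secret):
            raise PermissionError("client authentication failed")

    def _new_access_token(self, username):
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = (username, self.clock() + TOKEN_TTL)
        return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 3: redeem the code once for an access token plus a refresh token."""
        self._authenticate_client(client_id, client_secret)
        entry = self.codes.pop(code, None)  # pop: a second redemption must fail
        if entry is None or entry[0] != client_id or entry[2] != redirect_uri:
            raise PermissionError("invalid, reused or mismatched authorization code")
        response = self._new_access_token(entry[1])
        response["refresh_token"] = secrets.token_urlsafe(32)
        self.refresh_tokens[response["refresh_token"]] = (client_id, entry[1])
        return response

    def refresh(self, client_id, client_secret, refresh_token):
        """Issue a fresh access token once the old one has expired."""
        self._authenticate_client(client_id, client_secret)
        owner, username = self.refresh_tokens.get(refresh_token, (None, None))
        if owner != client_id:
            raise PermissionError("refresh token was not issued to this client")
        return self._new_access_token(username)

    def userinfo(self, authorization_header):
        """Step 4: profile details for a valid, unexpired bearer token."""
        scheme, _, token = authorization_header.partition(" ")
        username, expiry = self.access_tokens.get(token, (None, 0))
        if scheme != "Bearer" or username is None or self.clock() >= expiry:
            raise PermissionError("invalid or expired access token")
        return self.users[username][1]


class ClientApplication:
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_state = secrets.token_urlsafe(16)  # ties the callback to this attempt

    def finish_login(self, callback_url):
        """Step 5: check state, redeem the code, fetch the profile."""
        params = parse_qs(urlparse(callback_url).query)
        if params.get("state", [None])[0] != self.pending_state:
            raise PermissionError("state mismatch: callback is not from our login attempt")
        tokens = self.server.token(self.client_id, self.client_secret,
                                   params["code"][0], self.redirect_uri)
        return tokens, self.server.userinfo("Bearer " + tokens["access_token"])


def denied(action):
    try:
        action()
        return False
    except PermissionError:
        return True


def demo():
    """Run the flow against a controllable clock; returns what was observed."""
    now = [1_700_000_000]
    uri = "https://hr.example.test/callback"  # constructed
    srv = AuthorizationServer({"hr-portal": ("hr-secret", uri)},
                              {"jdoe": ("correct horse", {"sub": "jdoe", "email": "jdoe@example.test"})},
                              clock=lambda: now[0])
    app = ClientApplication(srv, "hr-portal", "hr-secret", uri)
    callback = srv.authorize("hr-portal", uri, app.pending_state, "jdoe", "correct horse")
    tokens, profile = app.finish_login(callback)
    code = parse_qs(urlparse(callback).query)["code"][0]
    code_reuse_denied = denied(lambda: srv.token("hr-portal", "hr-secret", code, uri))
    now[0] += TOKEN_TTL + 1  # let the access token expire
    expired_denied = denied(lambda: srv.userinfo("Bearer " + tokens["access_token"]))
    fresh = srv.refresh("hr-portal", "hr-secret", tokens["refresh_token"])
    return {"email": profile["email"], "code_reuse_denied": code_reuse_denied,
            "expired_denied": expired_denied,
            "refreshed_email": srv.userinfo("Bearer " + fresh["access_token"])["email"]}
```

Running `demo()` returns the profile email obtained through the flow and confirms that the code cannot be redeemed twice, that the expired access token is refused, and that the refresh token yields a working replacement.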
OpenID Connect
OpenID Connect is similar to OAuth SSO, but an ID token is used here. The ID token carries the signature of ADSelfService Plus and the user details. Two scenarios are possible; the workflow in each is described below.
Application-initiated login
- A user tries to log in to an application. The application sends an authorization request to ADSelfService Plus. The user is redirected to the ADSelfService Plus login page.
- The user enters their logon credentials here. After successful verification, an authorization code is sent to the application from ADSelfService Plus.
- The application sends the authorization code back to ADSelfService Plus to receive the ID token. This token contains the user details required to complete the login process.
- After verifying the signature of ADSelfService Plus in the ID token, the application retrieves the user details from the ID token.
- Finally, after the successful verification of user details on the application's end, the user is logged in to the application.
ADSelfService Plus-initiated login
- A user logs in to ADSelfService Plus successfully, goes to the Applications tab, and clicks the desired application.
- In this case, ADSelfService Plus sends an ID token to the application directly.
- After verifying the signature of ADSelfService Plus in the ID token, the application retrieves the user details from the ID token.
- After the successful verification of user details on the application's end, the user is logged in to the application.
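The step that both workflows share is "verify the signature of ADSelfService Plus in the ID token, then read the user details from it". The added example below (written for this page; not ADSelfService Plus code, and not a statement of how it signs tokens) shows that step for a compact JWT, with one function in the identity-provider role minting a token and one in the application role verifying it. It uses an HMAC (HS256) with a constructed shared key only so the block runs on the standard library; a real provider would normally sign with a private key and publish the matching public key, and the check list is the same. The verifier refuses a token whose algorithm is not the agreed one, whose signature does not match, whose issuer or audience is wrong, that has expired, or, in the application-initiated flow, whose nonce does not match the one the application sent; passing `nonce=None` covers the ADSelfService Plus-initiated flow, where the application never sent one. The issuer URL, client id, key and claims are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-shared-secret-for-the-demo"  # constructed stand-in for the IdP signing key
ISSUER = "https://adss.example.test"             # constructed issuer identifier
CLIENT_ID = "hr-portal"                          # constructed client id of the application


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, key):
    """Identity-provider side: encode header and claims, then sign them."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_id_token(token, key, issuer, client_id, nonce=None, now=None):
    """Application side: every check to pass before the claims are trusted.
    nonce=None is the provider-initiated case, where the app never sent one."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    head_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(head_b64))
    if header.get("alg") != "HS256":  # refuse 'none' or any algorithm we did not agree on
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this application")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if nonce is not None and not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch")
    return claims


def rejection_reason(token, **kwargs):
    """None if the token verifies, otherwise the reason it was refused."""
    try:
        verify_id_token(token, KEY, ISSUER, CLIENT_ID, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def demo(now=1_700_000_000):
    """Mint one good token, then show how common bad variants are refused."""
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "jdoe", "iat": now, "exp": now + 300,
              "nonce": "n-1", "FirstName": "Jane", "LastName": "Doe"}  # constructed
    token = mint_id_token(claims, KEY)
    head, payload, sig = token.split(".")
    tampered = dict(claims, sub="admin")  # payload edited after signing
    forged = head + "." + _b64url(json.dumps(tampered, separators=(",", ":")).encode()) + "." + sig
    alg_none = _b64url(b'{"alg":"none"}') + "." + payload + "."  # unsigned variant
    return {
        "good": rejection_reason(token, nonce="n-1", now=now),
        "provider_initiated": rejection_reason(token, now=now),
        "forged_payload": rejection_reason(forged, nonce="n-1", now=now),
        "alg_none": rejection_reason(alg_none, nonce="n-1", now=now),
        "wrong_nonce": rejection_reason(token, nonce="n-2", now=now),
        "expired": rejection_reason(token, nonce="n-1", now=now + 301),
    }
```

`demo()` returns `None` for the two accepted cases and a short reason for each refused one; the application should only read `FirstName`, `LastName` and the rest of the profile from a token that passed all of these checks.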
Supported Scopes
Scopes define the level of access that the service provider can request for a resource. The admin has to enable them suitably. ADSelfService Plus supports the following scopes:
- openid: Establishes that this is an OpenID Connect request. This scope is mandatory for an OpenID Connect authentication request.
- profile: Requests the user's profile claims (FirstName and LastName).
- email: Requests the user's email attribute.
- offline_access: Requests the refresh token that can be used to receive new access tokens.
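An added example (illustrative code for this page, not ADSelfService Plus code) of how the server side of the scope rules above can be enforced: a requested scope is granted only if the admin enabled it, `openid` must be present for an OpenID Connect request, the claims released are limited to those the granted scopes cover (`FirstName` and `LastName` for `profile`, the email attribute for `email`), and a refresh token is issued only when `offline_access` was granted. The set of enabled scopes and the user record are constructed; the claim names follow the page.

```python
# Scopes the admin has enabled (constructed; in practice this is administrator configuration).
ENABLED_SCOPES = {"openid", "profile", "email", "offline_access"}

# Which user attributes each scope permits the server to release.
CLAIMS_BY_SCOPE = {"profile": ("FirstName", "LastName"), "email": ("email",)}


def grant_scopes(requested, enabled=ENABLED_SCOPES):
    """Parse a space-separated scope parameter and refuse anything not enabled."""
    scopes = set(requested.split())
    if not scopes:
        raise ValueError("scope parameter is empty")
    not_enabled = scopes - enabled
    if not_enabled:
        raise ValueError("scope not enabled by the admin: " + ", ".join(sorted(not_enabled)))
    if "openid" not in scopes:
        raise ValueError("openid is mandatory for an OpenID Connect request")
    return scopes


def build_token_response(granted, user):
    """Release only the claims the granted scopes cover; refresh token only with offline_access."""
    claims = {"sub": user["sub"]}  # the subject identifier is always returned
    for scope in sorted(granted):
        for name in CLAIMS_BY_SCOPE.get(scope, ()):
            if name in user:
                claims[name] = user[name]
    return {"claims": claims, "issue_refresh_token": "offline_access" in granted}
```

Attributes outside the granted scopes (a phone number in the user record, say) never appear in the response, and a request for a scope the admin has not enabled fails before any token is produced.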
Supported applications