OpenID Connect
SWITCH edu-ID supports OpenID Connect, which can be conveniently used for the following use cases:
Confidential clients:
- Server-based web applications
Public clients:
- Browser-based web applications
- Mobile apps (AppAuth)
- Native applications
The OpenID Connect protocol is provided by the same Shibboleth IdP instance that also supports SAML. This means that many functionalities known from edu-ID with SAML are also available with OpenID Connect. Common features available with OIDC and SAML include:
- Usage of the same underlying user accounts and attribute information
- A user encounters the same login user interface
- A user gets the same user consent
- Support for 2-step authentication
However, there are also some differences: some attribute names (claims) are different, and client registration requires OIDC-specific information.
It is planned to continuously extend the functionality of the OIDC service. Please contact the edu-ID Team to make suggestions for new features.
OIDC Implementation in SWITCH edu-ID
- For security reasons, only the authorization code flow (response_type=code) is supported.
- Relying Parties must be explicitly registered using the Resource Registry. More details can be found at Service Registration. Dynamic client registration is not supported.
- The authenticity and legitimacy of clients are ensured for:
- confidential clients, which can keep a secret, by storing either a private key or a shared secret.
- public clients, which cannot keep a secret, by checking their ownership of the redirection URI. In addition, public clients MUST use PKCE.
- OIDC IdP Discovery endpoints:
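The two requirements above for public clients, the authorization code flow with response_type=code and a mandatory PKCE challenge, worked through as an added example (not code from SWITCH or the edu-ID service). The authorization endpoint URL, client_id and redirect_uri are placeholders; the real endpoint comes from the edu-ID discovery document, which this page does not reproduce. verify_pkce shows the check the IdP's token endpoint performs, parse_callback the state check the client performs on the redirect.

```python
import base64
import hashlib
import secrets
import urllib.parse
from typing import Optional

# Placeholder: the real SWITCH edu-ID endpoint is published in its OIDC discovery document.
AUTHORIZATION_ENDPOINT = "https://idp.example.org/oidc/authorize"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Authorization request of a public client: code flow plus S256 PKCE."""
    params = {
        "response_type": "code",        # the only response_type edu-ID accepts
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match the registered redirection URI exactly
        "scope": "openid",
        "state": state,                 # binds the callback to this request (CSRF protection)
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(redirect_url: str, expected_state: str) -> Optional[str]:
    """Client side: accept the authorization code only if state matches what was sent."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """IdP token endpoint: the verifier sent with the code must reproduce the stored challenge."""
    if method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False  # 'plain' gives no protection if the challenge was observed in transit
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```

The code_challenge_s256 function reproduces the RFC 7636 Appendix B test vector, so it can be checked against any other PKCE implementation.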
References
- OpenID Connect Core: https://openid.net/specs/openid-connect-core-1_0.html
- OpenID Connect Discovery: https://openid.net/specs/openid-connect-discovery-1_0.html
- OpenID Connect Dynamic Registration (for sector_identifier_uri): https://openid.net/specs/openid-connect-registration-1_0.html
- Proof Key for Code Exchange by OAuth Public Clients (PKCE): https://tools.ietf.org/html/rfc7636
- OAuth 2.0 for Native Apps (AppAuth): https://tools.ietf.org/html/bcp212