OpenID Connect
SWITCH edu-ID supports OpenID Connect, which can be conveniently used for the following use cases:
- Server-based web applications
- Browser-based web applications
- Mobile apps (AppAuth)
- Native applications
- Other use-cases might also be supported
The OpenID Connect protocol is provided by the same Shibboleth IdP instance that also supports SAML. This means that many functionalities known from edu-ID with SAML are also available with OpenID Connect. Common features available with OIDC and SAML include
- Usage of the same underlying user accounts and attribute information
- A user encounters the same login user interface
- A user gets the same user consent
- Support for 2-step authentication
However, there are also some differences: some attribute names (claims) differ, the classic attribute model is not yet implemented, and client registration requires OIDC-specific information.
It is planned to continuously extend the functionality of the OIDC service. Please contact the edu-ID Team to make suggestions for new features.
OIDC Implementation in Switch edu-ID
- For security reasons, only the authorization code flow (response_type=code) is supported.
- Relying Parties must be explicitly registered using the Resource Registry. More details can be found at Service Registration. Dynamic client registration is not supported.
- The authenticity and legitimacy of clients is ensured for:
  - confidential clients, which can keep a secret, by storing either a private key or a shared secret;
  - public clients, which cannot keep a secret, by checking their ownership of the redirection URI. In addition, public clients MUST use PKCE.
- The OpenID Providers (OPs) publish their configuration on the respective endpoints listed below. Relying parties are expected to fetch the configuration (and the further endpoints it references, such as the keyset endpoint) regularly rather than rely on a static snapshot of it; otherwise operation of the relying party can fail, for instance when signing keys are rotated.
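The relying-party side of the three points above (code flow only, PKCE for public clients, no static copy of the OP's keyset), as an added Python example that is not code from SWITCH or the edu-ID service. The authorization endpoint, client id, redirect URI and the JWKS fetch callable are placeholders supplied by the caller; in a real deployment they come from the OP's discovery document and the Resource Registry entry.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

def code_challenge_for(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple[str, str]:
    """Fresh 43-character code_verifier (256 bits of entropy) and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge_for(verifier)

def build_authorization_url(authorization_endpoint, client_id, redirect_uri, code_challenge, state, nonce):
    """Authorization request for the only flow the OP accepts: response_type=code (plus PKCE)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,    # bound to the browser session and compared on the callback
        "nonce": nonce,    # echoed in the ID token and compared after the code exchange
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urlencode(params)}"

class KeySet:
    """Caches the OP's JWKS (fetched from the discovery document's jwks_uri) and re-fetches it
    periodically and on an unknown kid, so a signing-key rotation does not break the RP."""
    def __init__(self, fetch_jwks, max_age=3600.0, min_refresh_interval=60.0):
        self._fetch = fetch_jwks                            # placeholder: callable returning parsed JWKS
        self._max_age = max_age
        self._min_refresh_interval = min_refresh_interval   # throttles refreshes forced by bogus kids
        self._keys = {}
        self._fetched_at = float("-inf")
    def _refresh(self):
        self._keys = {k["kid"]: k for k in self._fetch()["keys"]}
        self._fetched_at = time.monotonic()
    def key_for(self, kid):
        now = time.monotonic()
        if now - self._fetched_at > self._max_age:
            self._refresh()                                 # scheduled refresh, never a static snapshot
        if kid not in self._keys and now - self._fetched_at >= self._min_refresh_interval:
            self._refresh()                                 # rotated key: one forced re-fetch
        return self._keys.get(kid)                          # None: key unknown, reject the token
```

The throttle on forced refreshes matters because every token carrying an unknown kid would otherwise trigger a network fetch of the keyset.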
Support of OAuth 2.0 in Switch edu-ID
The Switch edu-ID OP supports OAuth 2.0, i.e. it can issue access tokens that can be used to access the userinfo endpoint of the OP as well as any other resource server, such as an API. In order to set an audience in the access token (the relying party that is to be accessed with the token), that relying party needs to be registered. Registering such resource servers as a relying party is not yet possible as self-service; please contact us if you have such a use case and we will support you.
References
- OpenID Connect Core: https://openid.net/specs/openid-connect-core-1_0.html
- OpenID Connect Discovery: https://openid.net/specs/openid-connect-discovery-1_0.html
- OpenID Connect Dynamic Registration (for sector_identifier_uri): https://openid.net/specs/openid-connect-registration-1_0.html
- OAuth 2.0 for Native Apps (AppAuth): https://tools.ietf.org/html/bcp212