OpenID Connect (OIDC) - Overview
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 authorization protocol. It facilitates third-party apps(clients) in verifying user's identity as well as accessing their basic profile information.
Now, let's familiarize ourselves with few terminologies before understanding how OIDC works:
OpenID Provider (OP)
Claims
ID token
Access token
Refresh token
Authorization Endpoint
An OAuth 2.0 authorization component that helps in authenticating the user and providing user information to the client requesting these information.
The client application that requests user authentication and user information from the OpenID provider.
Prerequisites for clients:
Clients(Relying Party) should have registered themselves with the Resource Provider (OpenID Provider) and gotten their Client ID and Client Secret from OpenID Provider.
Basic OIDC flow:
Relying Party requests the Authorization Endpoint of OpenID Provider to authenticate the user and get user's authorization to access certain user information. After authenticating the user and obtaining authorization, the authorization endpoint sends an ID token and access token to the Relying Party.
The method used for this token exchange varies based on the Relying Party (RP) type and the authentication flow chosen. We will explore about the RP types and the recommended authentication flows for each in the later sections of this article.
RP requests user information (claims) to the UserInfo Endpoint of the OP with the access token. OP sends the consented claims to the RP.
Relying Party types and recommended authentication flows:
Regular Web Application (MPA) and Authorization Code flow:
These applications run on a server and send new page requests to the server for each action. These applications can store client secrets securely; hence, they are also referred to as Confidential Clients. The optimal authentication flow recommended for MPAs is Authorization Code Flow.
In this flow, RP(client) requests the Authorization Endpoint of OP to authenticate the user and get authorization to access certain user information. After authenticating the user and obtaining authorization, the authorization endpoint sends Authorization Code to the client.The client then exchanges this authorization code for ID token and access token (if requested, refresh token as well) at the token endpoint of OP. The client retrieves required user information(claims) from the ID token.
Single-Page Application (SPA) and Implicit flow
SPAs are modern web applications that loads the required section based on your action. These applications typically run on the client side after initially retrieving all the necessary resources from the server. They are also referred to as public clients, and they can't store client secrets securely as their entire source is on a browser. The suggested authentication flow for SPAs is the Implicit Code Flow.
In this flow, client(RP) requests Authorization Endpoint of OP to authenticate the user and get authorization to access certain user information. After authenticating the user and obtaining authorization, the authorization endpoint sends the ID token directly to the client. If requested, they also send access and refresh tokens. The client retrieves necessary user information from the ID token. Token endpoint is not used in this flow.
Native Applications and PKCE flow
Native applications are the ones installed directly on the specific device. They are also known as public clients. They can't store their secrets securely, as they are directly installed onto a device, and the applications can be decompiled by anyone to access the client secrets. The flow recommended for native apps is Authorization Code Flow with Proof Key for Code Exchange (PKCE).
In this flow, the client(RP) generates a Code Verifier(a random string) and a Code Challenge (hashed version of the code verifier using any hashing method). Along with the authorization request sent to the Authorization endpoint of OP, the client also sends the code verifier. After authenticating the user and obtaining authorization, the authorization endpoint sends the Authorization Code to the client. At the token endpoint of OP, the client provides this authorization code along with the Code Challenge and the hashing method used to hash the code verifier. The token endpoint then dehashes the code challenge using the mentioned hashing method and checks whether the answer and the code verifier matches, to verify that it received the authorization code from the same client who sent authorization request.The token endpoint then provides the ID token and access token (if requested, refresh token as well). The client gets required user information from the ID token.
Access your files securely from anywhere
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
New to Zoho Writer?
Create. Review. Publish.
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.
New to Zoho Survey?
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
New to Bigin?
Related Articles
Add non-directory OIDC app
The Free plan allows you to add only up to 3 non-Zoho apps. In Zoho One, you can configure OpenID Connect (OIDC) for any third-party apps. The way OIDC performs vary based on the type of application you configure ZO with. Learn how OIDC works in Zoho ...Adding Apps - Overview
Zoho One supports adding and managing three different types of apps: Zoho apps These are the standard apps that came bundled with your Zoho One subscription. Marketplace apps These are Creator custom apps and single sign-on (SSO) connectors for apps ...Using Open ID Connect (OIDC) in Zoho One
As an OpenID provider, Zoho One (ZO) can help you in authenticating the users and getting authorization to access users profile information securely. This is done through the OIDC authentication protocol. Learn more about OIDC. In Zoho One, you can ...Add non-directory bookmarked/associated apps
Sign in to Zoho One , then click Directory in the left menu. Go to Applications, then click Add Application. Under Non-Directory App, click Add. Name the app and enter a description if needed. Click Select SSO mode, then select Linked Sign-On to add ...Marketplace
Marketplace is an online store where you can browse and install Zoho product extensions, custom applications, and industry solutions. It is also a place where you can set up telephony services for your organization. If you set up your business with ...
New to Zoho LandingPage?
Zoho LandingPage Resources