
The OpenID Connect Protocol

OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It allows Relying Parties to securely verify the identity of the End-User based on the authentication performed by the Privakey Service.

Once enabled, authenticating a user involves obtaining an ID token and validating it. ID tokens are a standardized feature of OIDC designed for sharing identity assertions on the Internet. A Relying Party uses the ID Token to determine who has successfully authenticated to the Privakey service.

Basic Privakey OpenID Connect Code Flow

[Figure: OpenID Connect 2.0 Code Flow (https://files.readme.io/6f2b359-Picture1.png)]

When enabling the OIDC protocol, the Relying Party's user model will need to be extended to include, at a minimum, the user's Privakey GUID. That way, when a user authenticates via Privakey, the Relying Party service can associate the Privakey User GUID with the Relying Party system's own GUID for that user.

OpenID Connect Code Flow (note): While Implicit Flow is enabled and available, Privakey strongly recommends that Relying Parties implement the more secure Code Flow.

Consider Using a Pre-Existing Library

Important Note: Given the security implications of getting the implementation correct, Privakey encourages Relying Parties to take advantage of a pre-written library. Authenticating users properly is important to their and your safety and security, and using well-debugged code written by others is generally a best practice. There are a number of OpenID Connect Client libraries available online. Search for Privakey on [GitHub.com](https://github.com) to start; [Openid.net](http://openid.net) and Google also have a number of well-vetted and tested libraries available.

It is beyond the scope of this document to provide a comprehensive tutorial on implementing OpenID Connect. If you have any questions, we recommend referencing the resources noted above. You may also visit [www.privakey.com](https://www.privakey.com) or contact [support@privakey.com](mailto:support@privakey.com) for more information.

What follows is a high-level discussion of implementing OpenID Connect Authentication. If your service already uses an open source or commercial authentication service, there is likely a library available that will let you introduce much of this implementation by installing extensions and providing Privakey-specific configuration rather than writing code. For an example of this type of implementation, please refer to the Appendices.