Overview
OpenID Connect is a protocol for authenticating users, built on top of the OAuth 2.0 authorization framework. Using CAS, you can act as an OpenID Connect Provider (OP), authenticating users using the OpenID Connect (OIDC) protocol, or as a relying party (RP) that requests user authorization from an OP.
Terminology
Access token
A credential that is used to access protected resources. An access token is a string, and represents an authorization that is issued to the client.

Authorization Endpoint
A resource on an OpenID Provider that accepts an authorization request from a client to perform authentication and authorization on a user. The authorization endpoint returns an authorization grant (or code) to the client in the Basic Client Profile. In the Implicit Client Profile, the authorization endpoint returns an ID token and access token to the client.

Authorization grant
A credential that represents a user's authorization to access resources. This credential is used by a client to obtain an access token.

Claim
Information that is asserted about an entity. Examples of a claim include a phone number, given name, or surname.

ID token
A JSON Web Token (JWT) that contains claims about the authenticated user.

Introspection Endpoint
A resource on an OpenID Provider that enables a client that holds an access token to retrieve the information that was used to create that access token (such as the user name, granted scopes, or client ID).

OpenID Provider (OP)
An OAuth 2.0 authorization server that can provide claims to a client, or Relying Party (RP).

Refresh Token
A token that is issued to the client by the OP. The token is used to obtain a new access token when the current access token expires, or to obtain more access tokens.

Relying Party (RP)
Either a WebSphere Application Server configured as an OpenID Connect Client, or a client application that requires claims from an OpenID Provider (OP).

Scope
A privilege or permission that is allowed to access resources of a third party.

Token Endpoint
A resource on an OpenID Provider that accepts an authorization grant (or code) from a client in exchange for an access token, ID token, and refresh token.
Endpoints
authorization_endpoint
token_endpoint
userinfo_endpoint
registration_endpoint
end_session_endpoint
introspection_endpoint
revocation_endpoint
jwks_uri
Example with a python client
First create a new virtual environment and then install the following packages (python-jose provides the jose module that the application imports):
$ pip install flask
$ pip install requests requests_oauthlib
$ pip install python-jose
Then your application.py can be as follows:
from flask import Flask, abort, request, redirect, session, url_for
from requests_oauthlib import OAuth2Session
import requests
from jose import jwt
import os
import secrets

# Fetch the provider's signing keys (JWK Set) once at start-up; they are used to verify ID tokens.
keys = requests.get('https://cas1.apiit.edu.my/cas/oidc/jwks').json()

app = Flask(__name__)
app.secret_key = 'super secret key'  # replace with a random value outside local testing

# To use http for OpenID Connect (the redirect_uri below is plain http on localhost)
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'

CONFIG = {
    'client_id': 'this will be provided by CAS after you have registered your service successfully',
    'client_secret': 'this will be provided by CAS after you have registered your service successfully',
    'auth_url': 'https://cas1.apiit.edu.my/cas/oidc/authorize',
    'token_url': 'https://cas1.apiit.edu.my/cas/oidc/accessToken',
    'redirect_uri': 'http://localhost:5000/callback',
}
OIDC_CONFIG = {
    'jwt_pubkeys': keys,
    'scope': ['openid', 'email', 'profile'],
    'expected_issuer': 'https://cas1.apiit.edu.my/cas/oidc',
    'algorithm': 'RS256',
}
CONFIG.update(OIDC_CONFIG)


@app.route('/')
def index():
    # Minimal landing page so the redirect at the end of callback() has a target.
    if 'user_id' not in session:
        return redirect(url_for('login'))
    return f"Logged in as {session['user_name']} ({session['user_email']})"


@app.route('/login', methods=['GET'])
def login():
    provider = OAuth2Session(client_id=CONFIG['client_id'],
                             scope=CONFIG['scope'],
                             redirect_uri=CONFIG['redirect_uri'])
    # The nonce ties the ID token to this browser session; the state ties the callback to it.
    nonce = secrets.token_urlsafe(16)
    url, state = provider.authorization_url(CONFIG['auth_url'], nonce=nonce)
    session['oauth2_state'] = state
    session['nonce'] = nonce
    return redirect(url)


@app.route('/callback', methods=['GET'])
def callback():
    provider = OAuth2Session(CONFIG['client_id'],
                             redirect_uri=CONFIG['redirect_uri'],
                             state=session['oauth2_state'])
    # The full callback URL (carrying code and state) comes from the incoming request;
    # fetch_token checks the state and exchanges the code at the token endpoint.
    response = provider.fetch_token(token_url=CONFIG['token_url'],
                                    client_secret=CONFIG['client_secret'],
                                    authorization_response=request.url)
    session['access_token'] = response['access_token']
    id_token = response['id_token']
    # Verifies the signature against the JWKS plus issuer, audience, expiry and at_hash.
    claims = jwt.decode(id_token,
                        key=CONFIG['jwt_pubkeys'],
                        issuer=CONFIG['expected_issuer'],
                        audience=CONFIG['client_id'],
                        algorithms=CONFIG['algorithm'],
                        access_token=response['access_token'])
    # The nonce is checked by the application, not by jwt.decode.
    if claims.get('nonce') != session.pop('nonce', None):
        abort(400)
    session['user_id'] = claims['sub']
    session['user_email'] = claims['email']
    session['user_name'] = claims['name']
    return redirect(url_for('index'))
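The claim checks that the callback above delegates to jwt.decode and the nonce comparison, written out with the standard library so each one is visible. This is an added example, not code from the CAS documentation or the python-jose project; the issuer, client_id, nonce and access-token values are constructed, and signature verification is deliberately left out (it must still be done, as jwt.decode does, before any claim is trusted).

```python
import base64
import hashlib
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def unverified_claims(id_token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT checked here."""
    header, payload, _signature = id_token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "RS256":
        raise ValueError("unexpected alg")  # refuse tokens signed with another algorithm
    return json.loads(b64url_decode(payload))


def expected_at_hash(access_token: str) -> str:
    """OIDC Core 3.3.2.11 for RS256: base64url(left 128 bits of SHA-256(access_token))."""
    digest = hashlib.sha256(access_token.encode()).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode()


def validate_claims(claims, issuer, client_id, nonce, access_token=None, now=None):
    """OIDC Core 3.1.3.7 ID-token claim checks; raises ValueError on the first failure."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud has several entries")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")  # replay or a token minted for another session
    if access_token is not None and claims.get("at_hash") != expected_at_hash(access_token):
        raise ValueError("at_hash mismatch")  # access token does not belong to this ID token
    return claims


def make_unsigned_token(claims: dict) -> str:
    """Constructed fixture: a JWT with an empty signature, which a real verifier rejects."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."
```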