OpenID Connect is an extension of the OAuth 2.0 protocol that adds identity information for the application. In OAuth 2.0, the application gets a security/authorization token which can be used to access downstream APIs. With OpenID Connect, the application can additionally get information about the end user and their profile.
Flow:
1. Get an id_token
2. Retrieve profile information from the UserInfo endpoint using the token
The id_token consists of 3 parts, each Base64url encoded and separated by a dot (.):
- header
- payload
- signature
For example:
ewoiYWxnIjoiUlMyNTYiLAoia2lkIjoiMTIxMiIKfQ==.ewoic3ViIjoiUmFqIiwKImF1ZCI6ImltX29pY19jbGllbnQiLAoianRpIjoiMjY0OTg2MjM4NzY0MjM0IiwKImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTAzMSIsCiJpYXQiOjgzNDc1ODczNDk1ODczLAoiZXhwIjo5NzUwODQzMDUsCiJub25jZSI6InNqaGRranNhLWRzYWRhLWRzYWRhcywKImF0X2hhc2giOiJkaGZramRzbGtkc2pmbGtqc2QiCn0g.3ldksjflkdsjsdlkfsldkhflksdhsnfhsld79879dsfdsfsdfsdklf8sd90
We receive the above token, split it on the dots (.) and Base64url-decode each part; this gives the 3 values below:
Header:
{
  "alg": "RS256",
  "kid": "1212"
}
Payload:
{
  "sub": "Raj",
  "aud": "im_oic_client",
  "jti": "264986238764234",
  "iss": "https:\/\/localhost:9031",
  "iat": 83475873495873,
  "exp": 975084305,
  "nonce": "sjhdkjsa-dsada-dsadas",
  "at_hash": "dhfkjdslkdsjflkjsd"
}
Signature:
3ldksjflkdsjsdlkfsldkhflksdhsnfhsld79879dsfdsfsdfsdklf8sd90
One needs to perform some validations to make sure that the token was received from a trusted issuer.
One can verify some data from the payload, such as iss (the issuer).
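As an added example (not code from the original post), the following Python splits an id_token into its 3 parts as described above and checks the payload claims a relying party should validate: iss, aud, exp and nonce, plus a pinned alg in the header. The expected issuer and client id are constructed from the sample payload; the signature check against the key from the provider's jwks_uri is required in practice but is not implemented here.

```python
import base64
import json
import time

# Constructed for this example (not the page's code or token), modelled on the sample payload above.
EXPECTED_ISS = "https://localhost:9031"
EXPECTED_AUD = "im_oic_client"
ALLOWED_ALGS = {"RS256"}  # pin the algorithm; never let the header's "alg" choose it

def b64url_decode(part):
    """Base64url-decode one segment, restoring any stripped '=' padding."""
    part = part.rstrip("=")
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def decode_part(part):
    """Decode a header or payload segment into a dict."""
    return json.loads(b64url_decode(part))

def split_id_token(token):
    """Return (header, payload, signature_bytes); nothing is verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have exactly 3 dot-separated parts")
    return decode_part(parts[0]), decode_part(parts[1]), b64url_decode(parts[2])

def validate_id_token(token, expected_nonce, now=None):
    """Check header and claims; return a list of problems (empty means acceptable).
    The signature must still be verified with the key named by 'kid' from the
    provider's jwks_uri before any claim is trusted; that step is not shown here."""
    header, payload, _sig = split_id_token(token)
    now = int(time.time()) if now is None else now
    problems = []
    if header.get("alg") not in ALLOWED_ALGS:
        problems.append("unexpected alg %r" % header.get("alg"))
    if payload.get("iss") != EXPECTED_ISS:
        problems.append("iss mismatch")
    aud = payload.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include this client")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        problems.append("token expired or exp missing")
    if payload.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (possible replay)")
    return problems

def make_token(header, payload, signature=b"constructed-placeholder"):
    """Build a constructed sample token; the signature part is only a placeholder."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join(enc(p) for p in (json.dumps(header).encode(), json.dumps(payload).encode(), signature))
```

The expected nonce is the value the application generated when it started the login, so a token carrying any other nonce is rejected even if every other claim is right.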
Let's get the OpenID Connect configuration (the discovery document):
https://localhost:9031/.well-known/openid-configuration
It returns a JSON payload with details such as token_endpoint, jwks_uri, userinfo_endpoint and scopes_supported.
The application can then call the userinfo_endpoint to get the user's info/profile details.