Introduction to OpenID Connect

OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol. In plain OAuth 2.0 the application receives an access token that authorizes calls to downstream APIs, but it learns nothing reliable about who the user is. OpenID Connect adds an id_token, a signed JSON Web Token (JWT) that asserts which end user authenticated, and a UserInfo endpoint from which the application can fetch that user's profile claims.

Flow:
Authenticate the user at the OpenID Provider and obtain an id_token (and an access token) from the token endpoint
Validate the id_token, then retrieve profile information from the UserInfo endpoint using the access token

The id_token is a JWT: 3 parts, each Base64url encoded, separated by a dot (.)
-header
-payload
-signature

For example

ewoiYWxnIjoiUlMyNTYiLAoia2lkIjoiMTIxMiIKfQ==.ewoic3ViIjoiUmFqIiwKImF1ZCI6ImltX29pY19jbGllbnQiLAoianRpIjoiMjY0OTg2MjM4NzY0MjM0IiwKImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTAzMSIsCiJpYXQiOjgzNDc1ODczNDk1ODczLAoiZXhwIjo5NzUwODQzMDUsCiJub25jZSI6InNqaGRranNhLWRzYWRhLWRzYWRhcywKImF0X2hhc2giOiJkaGZramRzbGtkc2pmbGtqc2QiCn0g.3ldksjflkdsjsdlkfsldkhflksdhsnfhsld79879dsfdsfsdfsdklf8sd90

Take the token above, split it at each (.) and Base64url-decode each part; this yields the 3 values below. (The header segment in this example carries "=" padding; a JWT emitter omits padding, so a decoder should tolerate both.)

Header:
{
"alg":"RS256",
"kid":"1212"
}

Payload:

{
"sub":"Raj",
"aud":"im_oic_client",
"jti":"264986238764234",
"iss":"https:\/\/localhost:9031",
"iat":83475873495873,
"exp":975084305,
"nonce":"sjhdkjsa-dsada-dsadas",
"at_hash":"dhfkjdslkdsjflkjsd"
}

Signature:
3ldksjflkdsjsdlkfsldkhflksdhsnfhsld79879dsfdsfsdfsdklf8sd90

Before trusting any of these claims, the application must validate the token: decoding alone proves nothing, since anyone can assemble three Base64url segments. The token must be shown to come from the trusted OpenID Provider (the issuer), not merely to look well formed. At minimum:
-verify the signature with the key identified by the header kid, fetched from the provider's jwks_uri, and reject any token whose alg is not the one expected for this client (never accept alg "none")
-check that iss equals the trusted provider's issuer value
-check that aud contains this application's client_id (and, with multiple audiences, that azp is this client)
-check that exp has not passed, allowing only a small clock skew
-check that nonce equals the value this application sent in the authentication request, which binds the token to that request and defeats replay
-if an access token was returned alongside the id_token, check at_hash against it (for RS256: the left half of SHA-256 of the access token, Base64url encoded)
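The decoding and claim checks above, as an added example that is not part of the original page: it splits the token, Base64url-decodes the parts (with or without padding, so it also decodes the header segment shown on this page), and validates alg, iss, aud/azp, exp, nonce and at_hash. The issuer, client_id, nonce, access token and timestamps are constructed test values, and the sample token's signature bytes are a placeholder; signature verification against jwks_uri, which a real client must do first, is outside what the standard library offers and is not implemented here.

```python
"""Added example: decode an OpenID Connect id_token and validate its claims
using only the Python standard library. Not from the original page.

Signature verification (RS256 with the key from jwks_uri named by the header
'kid') must precede these checks and is NOT implemented here.
"""
import base64
import hashlib
import json
import time

EXPECTED_ALG = "RS256"  # the alg registered for this client; "none" is never accepted

# Header segment copied from the page's example token (standard base64 with '=' padding)
PAGE_HEADER_SEGMENT = "ewoiYWxnIjoiUlMyNTYiLAoia2lkIjoiMTIxMiIKfQ=="


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment whether or not it carries '=' padding."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """base64url without padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_json_segment(segment: str) -> dict:
    """Decode one JWT segment and parse it as a JSON object."""
    return json.loads(b64url_decode(segment))


def split_token(id_token: str):
    """Split header.payload.signature and decode the two JSON parts."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have exactly three dot-separated parts")
    return decode_json_segment(parts[0]), decode_json_segment(parts[1]), b64url_decode(parts[2])


def compute_at_hash(access_token: str) -> str:
    """at_hash for RS256: base64url of the left 128 bits of SHA-256(access_token)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def validate_id_token(id_token, *, issuer, client_id, nonce,
                      access_token=None, now=None, leeway=60):
    """Return the payload if every claim check passes, else raise ValueError.

    Assumes the signature has already been verified against the provider's key.
    """
    header, payload, _signature = split_token(id_token)
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if payload.get("iss") != issuer:
        raise ValueError("iss does not match the trusted OpenID Provider")
    aud = payload.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("token was not issued for this client (aud)")
    if len(audiences) > 1 and payload.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client (aud)")
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        raise ValueError("token has expired (exp)")
    if payload.get("nonce") != nonce:
        raise ValueError("nonce does not match the value sent in the request")
    if access_token is not None and "at_hash" in payload:
        if payload["at_hash"] != compute_at_hash(access_token):
            raise ValueError("at_hash does not match the access token")
    return payload


def validation_error(id_token, **kwargs):
    """Return None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(id_token, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def build_unsigned_token(payload: dict, alg=EXPECTED_ALG, kid="1212") -> str:
    """Constructed test helper: header.payload.<placeholder signature>.
    A real id_token is signed by the OpenID Provider; the third part here is filler."""
    header = {"alg": alg, "kid": kid}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


# Constructed sample values modelled on the page's decoded payload
ISSUER = "https://localhost:9031"
CLIENT_ID = "im_oic_client"
NONCE = "sjhdkjsa-dsada-dsadas"
ACCESS_TOKEN = "constructed-access-token"
SAMPLE_PAYLOAD = {
    "sub": "Raj", "aud": CLIENT_ID, "jti": "264986238764234", "iss": ISSUER,
    "iat": 1700000000, "exp": 1700003600, "nonce": NONCE,
    "at_hash": compute_at_hash(ACCESS_TOKEN),
}
SAMPLE_TOKEN = build_unsigned_token(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("page header:", decode_json_segment(PAGE_HEADER_SEGMENT))
    print("rejected:", validation_error(SAMPLE_TOKEN, issuer=ISSUER, client_id=CLIENT_ID,
                                        nonce=NONCE, access_token="wrong", now=1700000100))
    print("accepted sub:", validate_id_token(SAMPLE_TOKEN, issuer=ISSUER, client_id=CLIENT_ID,
                                             nonce=NONCE, access_token=ACCESS_TOKEN,
                                             now=1700000100)["sub"])
```

The `now` parameter exists so the checks are reproducible; in production leave it at the default. Every rejection reason is a distinct message so that failed validations can be logged and counted by cause without leaking the token itself.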

Let's fetch the OpenID Provider's discovery document (OpenID Connect Discovery):
https://localhost:9031/.well-known/openid-configuration  
It returns a JSON document with, among other fields, issuer, authorization_endpoint, token_endpoint, jwks_uri, userinfo_endpoint and scopes_supported. The issuer value here is what the token's iss claim must equal, and jwks_uri is where the signing keys used to verify the token come from.

The application then calls the userinfo_endpoint with the access token in an Authorization: Bearer header to get the user's profile claims, and should check that the sub in the UserInfo response matches the sub in the validated id_token.