Connector - OpenID Connect (SSO - SLO)


Context:

The purpose of this documentation is to describe the interactions between Edifice and third-party clients via OpenID Connect (OIDC).

Authentication Flow:

Edifice supports the following OAuth 2.0 flows:

  • Authorization Code

  • Resource Owner Password Credentials

  • Client Credentials

1 - Authenticate users via EDIFICE:

If you are a publisher or an application user, ask Edifice Support to register your application. Note that Edifice does not support Dynamic Client Registration: every client is registered manually.

Create a new connector of type OAuth 2.0 from the admin console.

Fields to configure from Edifice:

  • Identifier: [client_id], the unique OAuth 2.0 client identifier of your application.

  • URL: the external address of the application the user is sent to.

  • openId: ???

  • Scope: the access authorization to user information granted to the external application; for OIDC it has to be openid.

  • Identification Mode: code for a web application (Authorization Code flow), password for a mobile application (Resource Owner Password flow).

  • Client secret: the secret with which the application authenticates to the token endpoint; it must stay confidential to the application's server side.

Configuration from third-party side:

2 - Test OIDC access to your application client:

1 - Retrieve the authorization code

From your browser, open the authorization URL for your use case. Edifice then redirects you to the redirect_uri of your client with the authorization code passed as a query parameter.

Note that if the user is not logged in to the Edifice platform, they are first redirected automatically to the login page.

  • URL example:

https://domaine.ent/auth/oauth2/auth?response_type=code&state=blip&scope=openid&client_id=duck&redirect_uri=http://duckduckgo.com

The response should look like the following:

https://www.duckduckgo.com/?code=9ddf3256-7e5d-4708-a121-dfbe5f6dba75&state=blip

Note that https://www.duckduckgo.com stands in for the client in this example; replace it with your own redirect_uri, which must match the one registered for your client. Your application should also check that the state returned equals the one it sent (blip here) before using the code.

2- Retrieve Token

The ID Token, which authenticates the user, is returned together with the Access Token when the scope openid is requested.

Aside from the claims required by section 2 of the OpenID Connect Core specification (iss, sub, aud, exp, iat), the ID Token also includes the following:

  • sub: user ID

  • email: user email address, if one exists

  • name: user display name

Using an HTTP client such as cURL, Postman or Insomnia, the token needed to proceed with the authentication is obtained by exchanging the code at the token endpoint:

  • Example with cUrl:

curl -i -X POST -H "Authorization:Basic ZmFxMnNjaWVuY2VzOmZhcTJzY2llbmNlcy1zZWNyZXQ=" -H "Content-Type:application/x-www-form-urlencoded" -H "Accept:application/json; charset=UTF-8" -d "grant_type=authorization_code&code=9ddf3256-7e5d-4708-a121-dfbe5f6dba75&redirect_uri=http%3A%2F%2Fduckduckgo.com" https://domaine.ent/auth/oauth2/token

  • The Basic credentials are base64(client_id:client_secret); the value above decodes to faq2sciences:faq2sciences-secret.

  • Response after a successful request:

    • "access_token": "bd333cb4-b790-4b67-96e0-5e559d7717a9": bearer token used to access the resources protected by the server.

    • "id_token": "eyJ0eXAi...": the user's identity claims encoded as a signed JWT; it can be decoded to extract the user info, but the signature and the iss, aud and exp claims must be verified before the claims are trusted.

3- Retrieve standard attributes in accordance with OpenId Connect

Here are some useful attributes obtained from the UserInfo request:

  • sub: User ID.

  • name: Display name

  • given_name: first name.

  • family_name: Last name.

  • preferred_username: Shorthand name by which the End-User wishes to be referred to.

  • email: User email address.

  • phone_number: User phone number.

Here you can find the full list of attributes provided

In order to access these attributes, add the query parameter version=oidc1.0 to the standard UserInfo request.

  • Example:

Pass the access_token obtained in the previous step in the "Authorization: Bearer" header of the request.

The user is then redirected to the third-party URL, and the application has the user info it needs to open the user's session on its side.
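The three steps above (authorization URL, code exchange, UserInfo call) as a client-side script. This is an added example, not Edifice's own code: the base URL, redirect_uri and sample code are the page's, and the client credentials are the ones decoded from the page's "Authorization: Basic" header; the issuer value and the UserInfo path are assumptions, as is the sample id_token, which is constructed with a placeholder signature. The script builds and checks the protocol messages offline; it does not verify the id_token signature, which must be done against Edifice's public key before the claims are trusted.

```python
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the page: base URL, redirect_uri and the client credentials
# decoded from its "Authorization: Basic" header. ISSUER and USERINFO_PATH are
# assumptions (the page states neither); confirm them against your instance.
EDIFICE_BASE = "https://domaine.ent"
ISSUER = EDIFICE_BASE
CLIENT_ID = "faq2sciences"
CLIENT_SECRET = "faq2sciences-secret"
REDIRECT_URI = "http://duckduckgo.com"
USERINFO_PATH = "/auth/oauth2/userinfo"


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_state() -> str:
    """Unguessable value stored in the browser session before the redirect."""
    return secrets.token_urlsafe(16)


def build_authorization_url(state: str) -> str:
    """Step 1: the /auth/oauth2/auth URL the browser is sent to."""
    params = {"response_type": "code", "state": state, "scope": "openid",
              "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}
    return f"{EDIFICE_BASE}/auth/oauth2/auth?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 1, return leg: pull the code out of the redirect to redirect_uri.
    The echoed state must equal the one stored for this browser session."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or login replay")
    if "error" in query:
        raise ValueError("authorization refused: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic (RFC 6749 2.3.1): base64(client_id:client_secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def build_token_request(code: str) -> dict:
    """Step 2: the POST the page issues with cURL, as url / headers / body."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return {"url": f"{EDIFICE_BASE}/auth/oauth2/token",
            "headers": {"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
                        "Content-Type": "application/x-www-form-urlencoded",
                        "Accept": "application/json; charset=UTF-8"},
            "body": body}


def decode_id_token_claims(id_token: str) -> dict:
    """Read the id_token claims. Decoding only: the signature must be verified
    against Edifice's public key (not on the page) before trusting them."""
    header_b64, payload_b64, _signature = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg", "none") == "none":
        raise ValueError("unsigned id_token rejected")
    return json.loads(b64url_decode(payload_b64))


def check_id_token_claims(claims: dict, now=None) -> dict:
    """The claim checks OIDC Core 3.1.3.7 requires of the client."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("id_token expired or without exp")
    if not claims.get("sub"):
        raise ValueError("id_token without sub")
    return claims


def build_userinfo_request(access_token: str) -> dict:
    """Step 3: UserInfo call with the version=oidc1.0 parameter the page requires."""
    return {"url": f"{EDIFICE_BASE}{USERINFO_PATH}?version=oidc1.0",
            "headers": {"Authorization": f"Bearer {access_token}"}}


# Constructed sample id_token carrying the claims the page lists (sub, email, name)
# with a placeholder signature segment, so the decoding path can be exercised.
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "user-0001", "aud": CLIENT_ID,
                 "iat": 1700000000, "exp": 1700003600,
                 "email": "user-0001@example.invalid", "name": "Sample User"}
SAMPLE_ID_TOKEN = ".".join([_b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
                            _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
                            "placeholder-signature"])
```

Feeding build_token_request the code from the page's callback URL reproduces the page's cURL call exactly (same Authorization header and same form body), which is a convenient check that your client credentials are encoded correctly before going live.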

3 - OIDC Back-Channel Logout and Single Logout (SLO)

Edifice Admin setup:

In the connectors section of the selected structure in the admin console, fill in the logout URL at which your application receives logout notifications from the Edifice identity provider.

[Image: logout URL field in the admin panel of the ENT]

Fetch User Logout Token:

After verification, each associated service receives a logout token in JWT format at the logout URL filled in the admin panel.

The logout token is a JWT: base64url-encoded JSON segments signed by the identity provider. It is signed, not encrypted, so the application verifies the signature with the provider's public key and decodes the payload; the payload identifies the user (and session) to log out.

Logout token payload after decoding:
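The verification both signed tokens on this page require, the id_token of step 2 and the logout token above, shown as an added example that is not Edifice's code. The page does not reproduce a sample logout token or the provider's public key, so every value here is constructed, and the token is signed with HS256 under a constructed shared key so that the example runs with the standard library alone; for Edifice's key-pair signature the HMAC comparison is replaced by an RS256 check against the provider's public key (for instance with PyJWT), and everything else, alg pinning, claim checks and replay protection, stays the same. The claim rules are those of OpenID Connect Back-Channel Logout 1.0 section 2.6.

```python
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed values. DEMO_KEY stands in for the provider's signing key: HS256 is
# used so the example runs with the standard library only; Edifice signs with a
# key pair, so a real verifier checks RS256 against the provider's public key.
ISSUER = "https://domaine.ent"
CLIENT_ID = "faq2sciences"
DEMO_KEY = b"constructed-demo-key-not-from-the-page"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a JWT as the provider would; used only to build the sample token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Check the signature and return the claims. The alg is pinned: a token
    declaring "none" or any other algorithm is refused, never verified with
    whatever its header asks for."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


class LogoutTokenValidator:
    """Checks from OpenID Connect Back-Channel Logout 1.0, section 2.6."""

    def __init__(self, key: bytes, issuer: str, client_id: str, max_age: int = 120):
        self.key, self.issuer, self.client_id, self.max_age = key, issuer, client_id, max_age
        self.seen_jti = set()  # replay cache; share it across workers in production

    def validate(self, token: str, now=None) -> dict:
        now = time.time() if now is None else now
        claims = verify_jwt(token, self.key)
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("token not addressed to this client")
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or not (now - self.max_age <= iat <= now + 60):
            raise ValueError("iat missing or outside the accepted window")
        if claims.get("exp") is not None and claims["exp"] <= now:
            raise ValueError("expired")
        if BACKCHANNEL_LOGOUT_EVENT not in claims.get("events", {}):
            raise ValueError("events claim does not mark this as a logout token")
        if "nonce" in claims:
            raise ValueError("nonce present: an ID token is being passed off as a logout token")
        if not (claims.get("sub") or claims.get("sid")):
            raise ValueError("neither sub nor sid: cannot tell which session to end")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("jti missing or already processed (replay)")
        self.seen_jti.add(jti)
        return claims


def end_sessions(sessions: dict, claims: dict) -> list:
    """Terminate the local sessions the token designates: the one with the
    given sid if present, otherwise every session of the given sub."""
    key, value = ("sid", claims["sid"]) if claims.get("sid") else ("sub", claims["sub"])
    ended = [s for s, info in sessions.items() if info.get(key) == value]
    for s in ended:
        del sessions[s]
    return ended


# Constructed sample logout token: the claims the spec requires, signed with DEMO_KEY.
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "iat": 1700000000, "jti": "lt-0001",
                 "sub": "user-0001", "sid": "sess-abc",
                 "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
SAMPLE_LOGOUT_TOKEN = sign_hs256(SAMPLE_CLAIMS, DEMO_KEY)
```

The same verify_jwt and claim checks apply to the id_token of step 2, with two differences: an ID token carries no events claim, and when your client sent a nonce in the authorization request the ID token must carry it back, whereas a logout token must not carry one at all.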
