What is OIDC?
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol. Where OAuth 2.0 handles authorisation, granting one application access to another application's data and features, OIDC handles authentication: it verifies the identity of users who request access to web applications and establishes a login session carrying information about the logged-in user. Since its introduction by the OpenID Foundation in 2014, OIDC has been adopted by many companies as an alternative to SAML 2.0 for providing Single Sign-On (SSO) to their users.
OIDC provides a way to authenticate users to web applications, known as Relying Parties (RPs), by redirecting the user’s browser to the login page of an Identity Provider (IdP), then redirecting the user’s browser back to the RP with the outcome of the authentication.
The most commonly used OIDC flow is the Authorization Code Flow: a code is returned to the RP via the user's browser, and the RP then makes a direct server-to-server request to the IdP's token endpoint to exchange that code for the ID token. Because the ID token itself never passes through the browser, the user's details are much less exposed to interception by a malicious party.
In addition to an ID token, OIDC allows the RP to request an access token, which gives the RP authorised access to a protected resource such as an API that returns further details about the authenticated user. OIDC also supports the issuance of refresh tokens, which let the RP obtain a new ID or access token once the previously issued one has expired. A refresh token is exchanged for a new ID or access token only if it has itself been neither revoked nor expired. This allows the RP to support long-running transactions while maintaining security.
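The code exchange and refresh behaviour described above, as an added example that is not part of the original article and not Condatis code. It simulates both sides of the Authorization Code Flow in one process: a stand-in IdP (FakeIdP) with an authorization endpoint and a token endpoint, and the RP-side checks (state, signature, iss, aud, exp, nonce) that must pass before a login session is established. The issuer, client_id, client secret, redirect URI and signing key are constructed placeholders; a real IdP signs ID tokens with an asymmetric key (for example RS256) published at its JWKS endpoint, and a real RP calls the token endpoint over HTTPS rather than invoking a method.

```python
# Added example (not Condatis code): stand-alone simulation of the OIDC Authorization
# Code Flow and refresh-token handling. All identifiers and keys are constructed.
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://idp.example"                # constructed
CLIENT_ID = "example-rp"                      # constructed
CLIENT_SECRET = "rp-secret-constructed"       # constructed, shared by RP and IdP
SIGNING_KEY = b"idp-signing-key-constructed"  # constructed HS256 key (real IdPs: RS256 etc.)
REDIRECT_URI = "https://rp.example/callback"  # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class FakeIdP:  # stand-in Identity Provider with an authorization and a token endpoint
    def __init__(self):
        self.codes = {}    # one-time code -> (subject, nonce, redirect_uri)
        self.refresh = {}  # refresh token -> (subject, nonce); removed on use or revoke

    def authorize(self, client_id, redirect_uri, state, nonce, subject):
        """User logs in at the IdP; the browser is redirected back with code + state."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (subject, nonce, redirect_uri)
        return {"code": code, "state": state}

    def _id_token(self, subject, nonce):
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64url(json.dumps(claims).encode())
        sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{b64url(sig)}"

    def token(self, grant_type, client_id, client_secret, **params):
        """Back-channel token endpoint: the user's browser never sees this exchange."""
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)  # codes are single use
            if entry is None or entry[2] != params.get("redirect_uri"):
                raise PermissionError("invalid_grant")
            subject, nonce, _ = entry
        elif grant_type == "refresh_token":
            entry = self.refresh.pop(params.get("refresh_token"), None)  # rotate on use
            if entry is None:  # unknown, already used, or revoked
                raise PermissionError("invalid_grant")
            subject, nonce = entry
        else:
            raise PermissionError("unsupported_grant_type")
        new_refresh = secrets.token_urlsafe(16)
        self.refresh[new_refresh] = (subject, nonce)
        return {"id_token": self._id_token(subject, nonce), "token_type": "Bearer",
                "access_token": secrets.token_urlsafe(16), "refresh_token": new_refresh}

    def revoke(self, refresh_token):
        self.refresh.pop(refresh_token, None)


def validate_id_token(token, expected_nonce, now=None):
    """RP-side checks an ID token must pass before a login session is established."""
    now = int(time.time()) if now is None else now
    header_b64, body_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an unexpected alg
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    checks = {"iss": claims.get("iss") == ISSUER, "aud": claims.get("aud") == CLIENT_ID,
              "exp": claims.get("exp", 0) > now, "nonce": claims.get("nonce") == expected_nonce}
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        raise ValueError("claim check failed: " + ", ".join(failed))
    return claims


def _rejected(exc, func, *args, **kwargs):
    try:
        func(*args, **kwargs)
    except exc:
        return True
    return False


def run_flow(idp, subject="user-123"):
    """Drive one login and one refresh, recording the refusals an RP should observe."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    redirect = idp.authorize(CLIENT_ID, REDIRECT_URI, state, nonce, subject)
    if not hmac.compare_digest(redirect["state"], state):
        raise ValueError("state mismatch")  # response not tied to a request this RP made
    tokens = idp.token("authorization_code", CLIENT_ID, CLIENT_SECRET,
                       code=redirect["code"], redirect_uri=REDIRECT_URI)
    results = {"claims": validate_id_token(tokens["id_token"], nonce)}
    # A token whose payload was altered in transit must fail the signature check.
    header, _, sig = tokens["id_token"].split(".")
    altered_body = b64url(json.dumps({"sub": "someone-else"}).encode())
    results["altered_rejected"] = _rejected(ValueError, validate_id_token,
                                            f"{header}.{altered_body}.{sig}", nonce)
    # The code was consumed by the first exchange and must not work a second time.
    results["code_reuse_rejected"] = _rejected(PermissionError, idp.token, "authorization_code",
        CLIENT_ID, CLIENT_SECRET, code=redirect["code"], redirect_uri=REDIRECT_URI)
    refreshed = idp.token("refresh_token", CLIENT_ID, CLIENT_SECRET,
                          refresh_token=tokens["refresh_token"])
    results["refreshed_claims"] = validate_id_token(refreshed["id_token"], nonce)
    idp.revoke(refreshed["refresh_token"])  # a revoked refresh token is no longer exchangeable
    results["revoked_refresh_rejected"] = _rejected(PermissionError, idp.token, "refresh_token",
        CLIENT_ID, CLIENT_SECRET, refresh_token=refreshed["refresh_token"])
    return results
```

Running `run_flow(FakeIdP())` returns the validated claims from the initial login and from the refresh, together with three flags showing that an altered token, a reused code, and a revoked refresh token were all refused. The RP never receives the ID token through the browser: the only thing that travels via the redirect is the code and the state value, and the token endpoint additionally requires the client secret and the matching redirect_uri before it will release anything.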
Migrating from SAML
SAML has been a longstanding and widely used global standard, and a number of our clients come to us in later stages of their modernisation journey to migrate to OpenID Connect. We have helped organisations of various sizes by integrating OIDC services with the same centralised identity management system using the Microsoft Azure AD B2C platform, allowing them to offer SAML and OIDC services to the same user base through the use of the same login credential.
Condatis provide a migration path for organisations moving away from SAML to OIDC over time, while also continuing to support legacy services and protect your past investments.