Read about the OpenID Connect authentication flow: the latest news, videos, and discussion topics about the OpenID Connect authentication flow from alibabacloud.com
trigger:

HTTP/1.1 302 Found
Location: https://server.example.com/authorize?response_type=code&scope=openid%20profile%20email&client_id=s6bhdrkqt3&state=af0ifjsldkj&redirect_uri=https%3a%2f%2fclient.example.org%2fcb

The following is a non-normative example of the request that the user agent sends to the authorization server in response to the HTTP 302 redirect response from the client above:

GET /authorize?response_type=code&scope=
authorization code was issued to the authenticated client.
Verify that the authorization code is valid.
If possible, verify that the authorization code has not been used before.
Make sure that the redirect_uri parameter value is the same as the redirect_uri parameter value of the original authorization request. If the redirect_uri parameter value is a nonexistent redirect_uri registered value, the authorization server may return an error (
IdentityServer4: using OpenID Connect to add user authentication. How does OpenID Connect work?
Use IdentityServer4 to implement an OpenID Connect server and add user authentication. Client calls to implement authorization.
IdentityServer
ASP.NET has no magic: ASP.NET OAuth, JWT, OpenID Connect, oauthopenid
The previous article introduced OAuth 2.0 and how to use .NET to implement OAuth-based identity authentication. This article is a supplement to the previous article. It mainly introduces the relationship and differences between OAuth, JWT, and OpenID
The previous article introduced OAuth 2.0 and how to use .NET to implement OAuth-based authentication. This article complements it by introducing the relationship and differences between OAuth, JWT and OpenID Connect.
The main contents of this article are:
About JWT
.NET's JWT implementation
OAuth and JWT
.NET using a JWT bearer token for OAuth authentication
OAuth and
, OAuth 2.0 feature integration protocol itself. (whereas integration of OAuth 1.0a and OpenID 2.0 required an extension, in OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself. I do not understand this sentence)
Normative organization
The OpenID Connect 1.0 specification consists of the following
authentication and authorization to protect resources, so the underlying security features cannot be implemented only at the business logic layer or the service interface layer. To solve such problems, the following security architecture often results: in fact, the entire security problem is broken down into two areas: authentication and API access. The so-called
manage data on behalf of the user and need to ensure that the user can access only the data that he is allowed to. The most common examples are (classic) web applications, but native and JS-based applications also require authentication.
The most common authentication protocols are SAML2p, WS-Federation and OpenID Connect; SAML2p is the most popular and widely d
You should know that some specific terminology is used in the documentation and object model: OpenID Connect Provider (OP), Licensing server.
Thinktecture IdentityServer v3 is an open source OpenID Connect provider and OAuth2 authentication server on the .NET platform, and
authentication request, then login to jump (we use oidc-client.js, an open-source JS library, to handle the operations related to the OIDC specification).
The page after opening oidc-client-js.dev:
JS client launches the authentication request directly
We clicked Login.
You can see that the client side has initiated a URL to the authentication request after 2 request
backend.
Third, the authentication server (AS) and the resource server (RS)
1. Authentication server: responsible for generating the id_token and managing the public/private key pair. The authentication server receives the gateway request (U+P) and performs U+P authentication. Authentication success:
in profile scope are already out.
Then take the ID token to jwt.io to decode it:
You can see that these two claims are not in the ID token, which means they come from the user information endpoint.
What's in the ID token (official documentation: http://openid.net/specs/openid-connect-core-1_0.html#IDToken):
sub is the user's subject ID, which is the user's identity.
iss is the issuer of the ID token.
aud is the target