36 Understanding OpenIDConnect

OpenIDConnect implements authentication as an extension to the OAuth 2.0 authorization process. Use of this extension is requested by Clients by including the openid scope value in the Authorization Request.

Note:

OpenIDConnect with Detached Credential Collector (DCC) is not supported. See also Overview of Access Manager Credential Collection.

OpenIDConnect provides information about the end-user in the form of an id_token. This token verifies the identity of the user and provides basic profile information about the end-user. OpenIDConnect is enabled by default as a part of the OAM 12cBP01 installation process.

36.1 About OpenIDConnect Tokens

OpenIDConnect defines one additional token, the OpenIDConnect ID Token.

In addition to the OAuth access and refresh tokens, OpenIDConnect introduces an identity token (ID Token). The ID Token data structure is the primary extension that OpenIDConnect makes to OAuth 2.0 to enable End-Users to be authenticated.

36.1.1 OpenIDConnect ID Token

An ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims.

The Claims of an ID Token include subject, issuer, audience, and timestamps. The following table lists out the Claims used within the ID Token for all OAuth 2.0 flows used by OpenIDConnect:

Table 36-1 Claims within the ID Token used by OpenIDConnect

| Field | Description | Type | Required/Optional |
|---|---|---|---|
| iss | Issuer Identifier for the Issuer of the response. | String | Required |
| sub | Subject Identifier. | String | Required |
| aud | Audience that this ID Token is intended for. | String | Required |
| exp | Expiration time on or after which the ID Token MUST NOT be accepted for processing. | String | Required |
| iat | Time at which the JWT was issued. | String | Required |
| auth_time | Time when the End-User authentication occurred. | String | Required |
| nonce | Value used to associate a Client session with an ID Token, and to mitigate replay attacks. | String (case-sensitive) | Required |
| acr | Value of the authentication level. | String (case-sensitive) | Optional |
| amr | Identifier for a family of closely related authentication methods. See Authentication Method Reference Values. | Array of case-sensitive strings | Optional |
| azp | Identifier of the party that is intended to use the access token and to request resources. | String (case-sensitive) | Optional |
| sid | Value of the encrypted token that contains the session identifier and details. | String (case-sensitive) | Optional |

Note:

The nonce value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values.

Sample of a set of claims in an ID Token:

{
  "iss": "http://host1:14100/oauth2",
  "sub": "weblogic",
  "aud": ["MDCClient19", "http://host1:14100/oauth2"],
  "exp": 1509626702,
  "iat": 1509623102,
  "auth_time": "1509623099159",
  "jti": "_UC4Ew-NUTYQsMOXCoMo0g",
  "at_hash": "5CnkOBb_Mk28GYJlhC_Srg",
  "azp": "MDCClient19",
  "acr": "2",
  "sid": "gO5pDtJFt+7bH/YQC8QpUQ==~teJOlstvBcUXT8xXcmaIG1ppGMAmBLKqPuJUKnzLyX3spmDtWwgDm/qj5hhoyPhSiqAghOgFmE+kpsm8esEEsbZht+L5dkL27JUSUbAGBBmwlR/8QlxLTE0cEoNJ+9aJ",
  "amr": ["pwd"]
}
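
The following is an added example, not code from the page or from Oracle Access Manager: a client-side validator for a decoded ID Token claim set that applies the rules from Table 36-1 and the nonce note above. It takes the sample claims shown above as its input (with a constructed nonce added so the nonce check can be exercised) and assumes the JWT signature has already been verified. Note that in the sample, exp and iat are integer seconds while auth_time is a millisecond string; the helper normalises that difference, which is an assumption of this example rather than something the page states. The azp rule (required when there is more than one audience, and always equal to the client_id when present) is taken from OpenID Connect Core, not from this page.

```python
import time

# Constructed sample input: the ID Token claim set shown above, with a
# constructed "nonce" added so that the nonce check can be exercised.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "http://host1:14100/oauth2",
    "sub": "weblogic",
    "aud": ["MDCClient19", "http://host1:14100/oauth2"],
    "exp": 1509626702,
    "iat": 1509623102,
    "auth_time": "1509623099159",
    "jti": "_UC4Ew-NUTYQsMOXCoMo0g",
    "at_hash": "5CnkOBb_Mk28GYJlhC_Srg",
    "azp": "MDCClient19",
    "acr": "2",
    "amr": ["pwd"],
    "nonce": "n-0S6_WzA2Mj",  # constructed; not part of the sample on the page
}


class IDTokenError(ValueError):
    """Raised when the claim set must not be accepted."""


def _as_seconds(value, name):
    """Coerce a timestamp claim to integer seconds since the epoch.

    exp and iat are integer seconds in the sample but auth_time is a
    millisecond string; values above 10**11 are assumed to be milliseconds
    (an assumption of this example, not something the page states).
    """
    try:
        n = int(value)
    except (TypeError, ValueError):
        raise IDTokenError(f"{name} is not a timestamp: {value!r}")
    return n // 1000 if n > 10**11 else n


def validate_id_token_claims(claims, *, issuer, client_id, expected_nonce=None,
                             max_auth_age=None, now=None, clock_skew=60):
    """Check a decoded ID Token claim set against Table 36-1 and the nonce note.

    Signature verification is assumed to have happened already; only the
    claims are judged here. Returns a short summary or raises IDTokenError.
    """
    now = int(time.time()) if now is None else int(now)

    for name in ("iss", "sub", "aud", "exp", "iat"):
        if name not in claims:
            raise IDTokenError(f"missing required claim {name}")

    # iss: must be the issuer this client was configured to trust.
    if claims["iss"] != issuer:
        raise IDTokenError(f"unexpected issuer {claims['iss']!r}")

    # aud: a single string or a list; this client must be named in it.
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:
        raise IDTokenError(f"token not intended for {client_id!r}")

    # azp: must equal client_id when present, and must be present when the
    # token names more than one audience (OIDC Core rule, not from the page).
    if "azp" in claims or len(audiences) > 1:
        if claims.get("azp") != client_id:
            raise IDTokenError("azp missing or does not match client_id")

    # exp: "on or after which the ID Token MUST NOT be accepted".
    exp = _as_seconds(claims["exp"], "exp")
    if now >= exp + clock_skew:
        raise IDTokenError("ID Token has expired")

    # iat: reject tokens that claim to have been issued in the future.
    iat = _as_seconds(claims["iat"], "iat")
    if iat > now + clock_skew:
        raise IDTokenError("ID Token issued in the future")

    # nonce: if the request carried one, or the token carries one, they must
    # be equal (the note under Table 36-1). A token nonce with no request
    # nonce is therefore rejected as well.
    if expected_nonce is not None or "nonce" in claims:
        if claims.get("nonce") != expected_nonce:
            raise IDTokenError("nonce mismatch")

    # auth_time: only enforced when the client requires a fresh login.
    auth_time = None
    if "auth_time" in claims:
        auth_time = _as_seconds(claims["auth_time"], "auth_time")
    if max_auth_age is not None:
        if auth_time is None:
            raise IDTokenError("auth_time required when max_auth_age is enforced")
        if now - auth_time > max_auth_age:
            raise IDTokenError("authentication is too old")

    return {
        "sub": claims["sub"],
        "auth_time": auth_time,
        "acr": claims.get("acr"),
        "amr": list(claims.get("amr", [])),
    }


if __name__ == "__main__":
    # Frozen clock (constructed) that falls between the sample's iat and exp.
    print(validate_id_token_claims(
        SAMPLE_ID_TOKEN_CLAIMS, issuer="http://host1:14100/oauth2",
        client_id="MDCClient19", expected_nonce="n-0S6_WzA2Mj",
        max_auth_age=300, now=1509623200))
```

The clock_skew parameter exists only to absorb small clock differences between client and Authorization Server; keeping it to a minute or so preserves the meaning of exp, which the table defines as the instant from which the token must no longer be accepted.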

36.2 Claims

The Client obtains Claims about the end-user and the authentication event. Standard claims can be requested to be returned either in the UserInfo response or in the ID Token. When the access token was issued with the email and phone scopes alongside openid, these claims are populated in the ID Token. Any other claims about the end-user can be retrieved from the UserInfo endpoint.

Table 36-2 Claims used by OpenIDConnect

| Field | Description | Type | Required/Optional |
|---|---|---|---|
| sub | Identifier for the end-user at the issuer. | string | Required |
| name | Full name of the end-user in displayable form, including all name parts, possibly including titles and suffixes, ordered according to the end-user's locale and preferences. | string | Required |
| given_name | Given name(s) or first name(s) of the end-user. Separate multiple given names using space characters, as applicable for different cultures. | string | Required |
| family_name | Surname(s) or last name(s) of the end-user. Separate multiple family names using space characters, as applicable for different cultures. | string | Required |
| preferred_username | Shorthand name by which the end-user wishes to be referred to at the Client, such as janedoe or j.doe. | string | Required |
| email | Preferred e-mail address of the end-user. | string | Required |
| email_verified | True if the end-user's e-mail address has been verified; false if it has not been verified. | boolean | Required |
| gender | Gender of the end-user: male, female, or other. | string | Required |
| locale | Locale of the end-user. | string | Required |
| phone_number | Preferred telephone number of the end-user. | string | Required |
| phone_number_verified | True if the end-user's phone number has been verified; false if it has not been verified. | boolean | Required |
| address | Preferred postal address of the end-user. | JSON object | Required |
| updated_at | Time the end-user's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. | number | Required |
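
The following is an added example, not code from the page or from Oracle Access Manager: a consumer-side check of a UserInfo (or ID Token) claim set against the field types in Table 36-2, plus the handling a relying party wants for the two *_verified flags and for updated_at. The sample response is constructed for the example. One design choice to note: the table marks every field Required, but the section text says the email and phone claims are populated only when those scopes were granted, so this checker treats only sub as mandatory and type-checks the remaining fields when they are present.

```python
from datetime import datetime, timezone

# Expected JSON types per Table 36-2: "string" -> str, "boolean" -> bool,
# "JSON object" -> dict, "number" -> int or float.
USERINFO_CLAIM_TYPES = {
    "sub": str,
    "name": str,
    "given_name": str,
    "family_name": str,
    "preferred_username": str,
    "email": str,
    "email_verified": bool,
    "gender": str,
    "locale": str,
    "phone_number": str,
    "phone_number_verified": bool,
    "address": dict,
    "updated_at": (int, float),
}

# Constructed sample UserInfo response (not taken from the page).
SAMPLE_USERINFO = {
    "sub": "weblogic",
    "name": "Jane Q. Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "preferred_username": "janedoe",
    "email": "jane.doe@example.com",
    "email_verified": True,
    "phone_number": "+1 555 0100",
    "phone_number_verified": False,
    "locale": "en-US",
    "address": {"formatted": "1 Example Way\nSpringfield"},
    "updated_at": 1509623102,
}


class ClaimError(ValueError):
    """Raised when a claim set does not match the shape given in Table 36-2."""


def check_userinfo_claims(claims):
    """Type-check a claim set against Table 36-2 and return it unchanged.

    Only sub is mandatory here (design choice of this example); every other
    listed field is validated when present.
    """
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ClaimError("sub is required and must be a non-empty string")
    problems = []
    for name, expected in USERINFO_CLAIM_TYPES.items():
        if name not in claims:
            continue
        value = claims[name]
        # bool is a subclass of int in Python, so a bare True must not be
        # accepted where the table asks for a number or a string.
        if isinstance(value, bool) and expected is not bool:
            problems.append(name)
        elif not isinstance(value, expected):
            problems.append(name)
    if problems:
        raise ClaimError("claims with wrong type: " + ", ".join(problems))
    return claims


def verified_contact(claims):
    """Return only the contact details the issuer flagged as verified.

    An e-mail address or phone number whose *_verified claim is absent or
    false must not be used for account linking or account recovery.
    """
    checked = check_userinfo_claims(claims)
    contact = {}
    if checked.get("email_verified") is True and "email" in checked:
        contact["email"] = checked["email"]
    if checked.get("phone_number_verified") is True and "phone_number" in checked:
        contact["phone_number"] = checked["phone_number"]
    return contact


def updated_at_datetime(claims):
    """Convert updated_at (seconds since 1970-01-01T00:00:00Z) to an aware UTC datetime."""
    checked = check_userinfo_claims(claims)
    if "updated_at" not in checked:
        raise ClaimError("updated_at is not present")
    return datetime.fromtimestamp(checked["updated_at"], tz=timezone.utc)


if __name__ == "__main__":
    print(verified_contact(SAMPLE_USERINFO))
    print(updated_at_datetime(SAMPLE_USERINFO).isoformat())
```

The strict bool handling matters because a provider that serialises email_verified as the string "true" would otherwise be accepted by a naive truthiness test; rejecting the claim set, or at least treating the address as unverified, is the safer reading of the table's boolean type.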