OpenID Connect

SWITCH edu-ID supports OpenID Connect which can be conveniently used for the following use cases:

Confidential clients:

  • Server-based web applications

Public clients:

  • Browser-based web applications
  • Mobile apps (AppAuth)
  • Native applications

The OpenID Connect protocol is provided by the same Shibboleth IdP instance that also supports SAML. This means that many functionalities known from edu-ID with SAML are also available under OpenID Connect. Common features available with OIDC and SAML include

  • Usage of the same underlying user accounts and attribute information
  • A user encounters the same login user interface
  • A user gets the same user consent
  • support for 2-step authentication

However, there are also some differences: Some attribute names (claims) are different, and client registration requires other OIDC-specific information and it is performed manually for the time being.

It is planned to continuously extend the functionality of the OIDC service. Please contact the edu-ID Team to make suggestions for new features.

Highlights

  • For security reasons only the authorization code flow (response_type=code) is supported.
  • Relying Parties must be explicitly registered using the Resource Registry. More details can be found at Service Registration. Dynamic client registration is not supported.
  • The authenticity and legitimacy of clients is ensured for:
    • confidential clients, who can keep a secret, by storing either a private key or a shared secret.
    • public clients, who can't keep a secret, by checking their ownership of the redirection URI. In addition, public clients MUST use PKCE.
  • OIDC IdP configuration and endpoints:

References