Connect2id server datasheet
The Connect2id server supports the following standard OpenID Connect endpoints as well as a number of RESTful endpoints for integrating the service with user, reporting and administration interfaces. The OpenID Connect session management endpoint is not supported in this release.
Standard OpenID Connect / OAuth 2.0 endpoints
- Provider metadata: Advertises the OpenID Connect provider’s standard endpoints, capabilities and supported JOSE + JWT algorithms.
- Provider JWK set: Publishes the provider’s JSON Web Key (JWK) set and certificate chain used to secure the issued ID tokens and other artifacts.
- Client registration: Endpoint for registering the OpenID Connect clients for the provider. Can be operated in a public (open registration) or private mode. Supports client add, read, update and delete operations.
- Authorisation: The standard OAuth 2.0 endpoint for receiving OpenID Connect authentication (login) requests from client applications.
- Token: The standard OAuth 2.0 endpoint for exchanging authorisation codes and refresh tokens for an access and / or ID token.
- UserInfo: Protected resource for releasing consented claims (name, contact and other details) about the subject (end-user).
- Authorisation session endpoint: Enables integration of one or more login UIs for authenticating subjects and obtaining their consent. Supports arbitrary authentication methods. Supports modification of the authorisation scope. Supports implicit and explicit claims consent. Supports injection of custom (preset) ID token and UserInfo claims.
- Direct authorisation endpoint: Enables direct creation of OpenID Connect sessions and tokens, for the purpose of federating identities from business partners and social networks.
- Authorisation store endpoint: Enables reporting, management and revocation of granted authorisations (scope, claims) for each subject and client. Also supports direct issue of access and refresh tokens.
- Subject session endpoint: Enables creation, lookup, reporting, removal and expiration of subject sessions with the provider. Supports storage of arbitrary data in the session object.
Supported OpenID Connect / OAuth 2.0 response types
The Connect2id server supports the following response types. The server can be configured to accept only a subset of these, either for the entire provider or on a per client basis. The code id_token token response type is not supported in this release. The token response type is generally not supported as it falls outside the scope of OpenID Connect.
- code: Used to request an ID token and access token at the Token endpoint.
- id_token: Used to request an ID token (implicit grant).
- token id_token: Used to request an ID token and access token (implicit grant).
- code id_token: Used to request an ID token with the authorisation response as well as an ID token and access token at the Token endpoint.
Supported OAuth 2.0 grant types
The Connect2id server supports the following grant types. The server can be configured to accept only a subset of these, either for the entire provider or on a per client basis.
- authorization_code: Used in the authorisation code flow.
- implicit: Used in the implicit flow.
- refresh_token: Used for long-lived authorisations.
Supported subject identifier types
The Connect2id server supports public subject identifiers. Pairwise subject identifiers are not supported in this release.
- public Public subject identifier
OpenID Connect authentication request parameters
The Connect2id server supports the mandatory to implement authentication request parameters for all OpenID Connect providers. Optional request objects, passed directly or by URI reference, are not supported in this release.
Supported OAuth 2.0 parameters : response_type, client_id, scope, redirect_uri, state
Supported OpenID Connect parameters : nonce, display, prompt, max_age, ui_locales, claims_locales, id_token_hint, login_hint, acr_values, claims
Unsupported OpenID Connect parameters : registration, request, request_uri
Supported client authentication methods
The Connect2id server supports all standard client authentication methods that are based on a provider-issued client secret. Private key JWT assertions are not supported in this release.
- client_secret_basic Basic HTTP authentication with client secret
- client_secret_post Client secret passed as form parameters in the token request body
- client_secret_jwt JWT assertion authentication with client secret
Supported ID token algorithms
The Connect2id server supports JSON Web Signature (JWS) protected ID tokens. Encrypted ID tokens are not supported in this release.
- RS256, RS384, RS512, PS256, PS384, PS512: The ID token is signed with the provider’s RSA JWK.
- HS256, HS384, HS512: The ID token is integrity protected with the provider-issued client secret.
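The two HMAC-based mechanisms listed above (client_secret_jwt client authentication and HS256/HS384/HS512 ID tokens) both use the provider-issued client secret as the key for a JWS-signed JWT, so one example serves both. The following Python is an added illustration, not code from the Connect2id server or its SDK; the client identifier, secret and issuer URL are constructed sample values. It builds a client_secret_jwt assertion for the Token endpoint, and validates an HS*-signed ID token the way a relying party must (algorithm allow-list so that "none" or a swapped algorithm is rejected, constant-time MAC comparison, then issuer, audience, azp, expiry and nonce checks) using only the standard library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample values for this example only (not real Connect2id data).
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "constructed-demo-secret-at-least-256-bits-long-for-hs256"
ISSUER = "https://op.example.com"
TOKEN_ENDPOINT = ISSUER + "/token"

_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs_sign(claims: dict, secret: str, alg: str = "HS256") -> str:
    """JWS compact serialisation with the client secret as the HMAC key."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    mac = hmac.new(secret.encode(), signing_input.encode(), _DIGESTS[alg]).digest()
    return signing_input + "." + _b64url(mac)


def hs_verify(token: str, secret: str, allowed_algs=("HS256", "HS384", "HS512")) -> dict:
    """Check the HMAC and return the claims. The algorithm must be on the allow-list,
    so a header carrying 'none' or any unexpected alg is rejected before any MAC check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, claims_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in allowed_algs:
        raise ValueError("unexpected alg %r" % alg)
    signing_input = (header_b64 + "." + claims_b64).encode()
    expected = hmac.new(secret.encode(), signing_input, _DIGESTS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(claims_b64))


def make_client_secret_jwt(client_id: str, secret: str, token_endpoint: str, now=None) -> str:
    """client_secret_jwt assertion: iss and sub are the client_id, aud is the Token
    endpoint, jti is unique per assertion and the lifetime is kept short."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + 60}
    return hs_sign(claims, secret)


def validate_id_token(token: str, secret: str, issuer: str, client_id: str,
                      expected_nonce: str, now=None) -> dict:
    """Checks a client makes on an HS*-signed ID token received from the Token endpoint."""
    now = int(time.time()) if now is None else now
    claims = hs_verify(token, secret)
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise ValueError("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when there are multiple audiences")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch, possible replay")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    print("client assertion:", make_client_secret_jwt(CLIENT_ID, CLIENT_SECRET, TOKEN_ENDPOINT, now))
    id_token = hs_sign({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": now,
                        "exp": now + 300, "nonce": "n-0S6_WzA2Mj"}, CLIENT_SECRET)
    print("ID token claims:", validate_id_token(id_token, CLIENT_SECRET, ISSUER, CLIENT_ID,
                                                "n-0S6_WzA2Mj", now))
```

The nonce the client checks is the one it generated and sent in the authentication request; pinning the algorithm to what the client registered for is what keeps an attacker-controlled header from downgrading the check. RS*/PS* ID tokens are verified the same way in outline, but with the provider's public RSA JWK fetched from the JWK set endpoint instead of the shared client secret.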
Supported claim types
The Connect2id server issues normal claims. Aggregated and distributed claim types, asserted by a claims provider other than the OpenID provider, are not supported in this release.
- normal Claims directly asserted by the provider.
The Connect2id server supports authorisations bound to a subject’s session as well as offline access by long-lived OAuth 2.0 refresh tokens.
The Connect2id server supports arbitrary end-user authentication methods, such as simple password based authentication or two-factor authentication, through its authorisation session endpoint at the time of login. Client applications can be informed of the applied authentication strength and method through the amr ID token claims.
Claims data sources
The Connect2id server supports aggregation of claims (standard UserInfo and others), with optional language tags, from one or more data sources, through a Java SPI. An LDAP directory-based claims source provider is included out of the box. Connect2id provides support for integrating claims sources, such as SQL databases or HR web APIs.
Access token types
The Connect2id server supports both types of OAuth 2.0 access tokens – identifiers and self-contained authorisations.
- Secure random identifier: The access token is represented by a secure random identifier. The corresponding authorisation can be looked up by a RESTful call to the Connect2id token introspection endpoint.
- Self-contained: The access token is represented by a JSON Web Token (JWT) signed with the provider’s RSA key. The supported JWS algorithms are RS256, RS384, RS512, PS256, PS384 and PS512. The following fields can be included in the JWT: subject, client identifier, issuer, audience, scope, token issue time, token expiration time, consented claims, associated subject session identifier, optional custom data. The corresponding authorisation for a self-contained token can still be looked up by a RESTful call to the Connect2id token introspection endpoint.
High-availability and scaling
The Connect2id server can be run in two modes.
- Single server: The Connect2id server runs in a single server instance.
- Cluster: The Connect2id server runs in a replicated cluster configuration for high-availability and load-balancing. Additional server nodes can be added dynamically.
Questions or comments? Get in touch with Connect2id support.