Aggregated and distributed OpenID claims support in Connect2id server 6.11
Relaying OpenID claims from other providers
The primary purpose of an OpenID Connect provider is to authenticate users for client applications; the secondary one is to provision claims (attributes) about those users. Normally these claims are asserted directly by the OpenID provider, from locally stored and managed user data.
An OpenID provider, however, can also relay claims from other providers:
- As aggregated claims – by passing the external claims in a JWT signed by their provider; the client can check the claims’ origin by validating the JWT signature.
- As distributed claims – by supplying the client with the endpoint URL of the external claims provider where it can fetch the claims by itself, using a bearer access token.
Example UserInfo endpoint response which includes aggregated claims besides the normal ones; the client can obtain the email and email_verified claims supplied by email-provider from the JWT:
{
"sub" : "alice",
"name" : "Alice Adams",
"_claim_names" : { "email" : "email-provider",
"email_verified" : "email-provider" },
"_claim_sources" : { "email-provider" : { "JWT" : "eyooweeSh7..." } }
}
Example UserInfo response which includes distributed claims:
{
"sub" : "alice",
"_claim_names" : { "credit_score" : "credit-score-provider" },
"_claim_sources" : { "credit-score-provider" : {
"endpoint" : "https://credit-scores.com/claims",
"access_token" : "sheeFei5Ute5oor0" } }
}
The client app can then fetch the user’s credit score with an HTTP request like this:
GET /claims HTTP/1.1
Host: credit-scores.com
Authorization: Bearer sheeFei5Ute5oor0
The claim(s) will be returned in a JSON object, or packaged in a JWT, just like regular UserInfo responses. In both cases the client should take from a source only the claims that _claim_names assigns to it, and an aggregated claims JWT is verified against the external provider's keys, not the OpenID provider's own.
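The client-side handling of both response shapes above, as an added example that is not part of the Connect2id server or its SDK: it walks _claim_names, verifies the aggregated JWT with the key of the source that issued it, fetches distributed claims with the supplied bearer token, and only takes from each source the claims assigned to it. The shared secret, the HS256 signature (a stand-in for the RS256/ES256 a real claims provider would use with a published JWK set), the http_fetch/fake_fetch helpers and the sample responses are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from typing import Any, Callable, Dict

# Constructed HMAC secret for the hypothetical "email-provider" source. Real claims
# providers sign aggregated-claims JWTs with an asymmetric key published in their JWK
# set; HS256 is used only so the signature check runs offline with the stdlib.
EMAIL_PROVIDER_SECRET = b"constructed-shared-secret-for-email-provider"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(payload: Dict[str, Any], secret: bytes) -> str:
    """Mint a compact HS256 JWT; used only to build the constructed sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_hs256_jwt(token: str, secret: bytes) -> Dict[str, Any]:
    """Check an aggregated-claims JWT's signature and return its payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not get to choose "none" or another scheme.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad JWT signature")
    return json.loads(_b64url_decode(body_b64))

Fetcher = Callable[[str, str], Dict[str, Any]]  # (endpoint, access_token) -> claims JSON

def http_fetch(endpoint: str, access_token: str) -> Dict[str, Any]:
    """Live retrieval of distributed claims: GET the endpoint with the bearer token."""
    req = urllib.request.Request(endpoint, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def resolve_external_claims(userinfo: Dict[str, Any], source_keys: Dict[str, bytes],
                            fetch: Fetcher) -> Dict[str, Any]:
    """Merge aggregated and distributed claims into the OP's locally asserted ones."""
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    resolved = {k: v for k, v in userinfo.items() if k not in ("_claim_names", "_claim_sources")}
    payloads: Dict[str, Dict[str, Any]] = {}  # verify or fetch each source once
    for claim, source_id in names.items():
        if claim in resolved:  # an external source must not override a local claim
            raise ValueError(f"external claim {claim!r} collides with a local claim")
        source = sources.get(source_id)
        if source is None:
            raise ValueError(f"_claim_names points at unknown source {source_id!r}")
        if source_id not in payloads:
            if "JWT" in source:  # aggregated: verify with that provider's own key
                key = source_keys.get(source_id)
                if key is None:
                    raise ValueError(f"no verification key for source {source_id!r}")
                payloads[source_id] = verify_hs256_jwt(source["JWT"], key)
            elif "endpoint" in source:  # distributed: fetch with the supplied token
                payloads[source_id] = fetch(source["endpoint"], source.get("access_token"))
            else:
                raise ValueError(f"source {source_id!r} has neither JWT nor endpoint")
        if claim not in payloads[source_id]:
            raise ValueError(f"source {source_id!r} did not supply claim {claim!r}")
        # Only claims assigned to this source in _claim_names are taken; anything
        # else the source returns (including its own "sub") is ignored.
        resolved[claim] = payloads[source_id][claim]
    return resolved

def sample_userinfo() -> Dict[str, Any]:
    """Constructed UserInfo response with local, aggregated and distributed claims."""
    jwt = make_hs256_jwt({"iss": "https://email-provider.example",
                          "email": "alice@example.com", "email_verified": True},
                         EMAIL_PROVIDER_SECRET)
    return {"sub": "alice", "name": "Alice Adams",
            "_claim_names": {"email": "email-provider", "email_verified": "email-provider",
                             "credit_score": "credit-score-provider"},
            "_claim_sources": {"email-provider": {"JWT": jwt},
                               "credit-score-provider": {
                                   "endpoint": "https://credit-scores.com/claims",
                                   "access_token": "sheeFei5Ute5oor0"}}}

def fake_fetch(endpoint: str, access_token: str) -> Dict[str, Any]:
    """Offline stand-in for http_fetch that checks the request the client would send."""
    if endpoint != "https://credit-scores.com/claims" or access_token != "sheeFei5Ute5oor0":
        raise RuntimeError("unexpected distributed-claims request")
    return {"sub": "alice", "credit_score": 712}  # constructed response

if __name__ == "__main__":
    print(json.dumps(resolve_external_claims(
        sample_userinfo(), {"email-provider": EMAIL_PROVIDER_SECRET}, fake_fetch), indent=2))
```

Against a live deployment, pass http_fetch instead of fake_fetch and replace verify_hs256_jwt with a JWS verification keyed from the external provider's JWK set; the resolver logic stays the same. If a distributed source omits access_token the fetcher receives None, and a distributed endpoint that answers with a JWT rather than plain JSON needs the same signature check as the aggregated case.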
Relaying external claims with the Connect2id server
The new 6.11 release of the Connect2id server adds support for relaying external claims. To do that, create a connector for each external claims provider, using the existing ClaimsSource SPI.
Check out the following guides to find out how:
Download
To download a ZIP package of Connect2id server 6.11:
https://c2id-downloads.s3.eu-central-1.amazonaws.com/server/6.11/Connect2id-server.zip
(SHA-256: 80a8dc1d2cce3a080228c2ce6b256f9c940da4ea9bf58a3be3d1fb788c8854db)
As WAR package only:
https://c2id-downloads.s3.eu-central-1.amazonaws.com/server/6.11/c2id.war
(SHA-256: 2813a32cb7b540284a095b5c0264ed75e7e0c12d34dafbedce842bdd90a76c89)
Questions?
Get in touch with Connect2id support.
Release notes
6.11 (2017-07-08)
General
- Adds support for sourcing external aggregated and distributed OpenID claims, as specified in OpenID Connect Core 1.0, section 5.6.2. External claims can be set via the existing ClaimsSource SPI available in the Connect2id server SDK (com.nimbusds:c2id-server-sdk:3.10.1).
Configuration
- No changes
Web API
- No changes
Issues
- None
Dependencies
- Upgrades to com.nimbusds:oauth2-oidc-sdk:5.30