Datasheet
1. Server endpoints
The Connect2id server supports the standard OAuth 2.0 / OpenID Connect endpoints for single sign-on (SSO), authorisation and identity provision. It also provides a number of powerful RESTful and native interfaces to enable integration of end-user, reporting and administration interfaces / tools.
Standard OAuth 2.0 / OpenID Connect endpoints
-
Provider metadata Advertises the standard OAuth 2.0 / OpenID Connect endpoint URLs, identity provider capabilities and supported security (JOSE + JWT) algorithms.
-
Provider JWK set Publishes the provider’s public JSON Web Key (JWK) set and certificate chain, required by client applications to verify the issued ID tokens and other objects.
-
Client registration Registers client applications with the Connect2id server, so they can create SSO sessions for end-users and receive ID and access tokens. The endpoint can be operated in a public (open registration) or private mode. Supports the optional client read, update and delete operations.
-
Authorisation The standard OAuth 2.0 endpoint for receiving OpenID Connect authentication (login) requests from client applications.
-
Token The standard OAuth 2.0 endpoint for exchanging authorisation codes, refresh tokens, resource owner passwords and client credentials for an access, refresh and / or ID token.
-
Token revocation Standard endpoint for client applications to revoke issued access and refresh tokens.
-
UserInfo Protected resource for releasing consented claims (name, contact and other details) about the subject (end-user).
Integration & plugin interfaces
-
Authorisation session Provides login page (UI) integration, plug-in of arbitrary end-user authentication methods and custom business / authorisation logic for setting the claims and scopes of the issued ID and access tokens.
-
Direct authorisation Enables creation of SSO sessions and ID / access tokens directly, without any end-user interaction. Can be used to federate external identity providers, such as business partners and social logins.
-
Authorisation store Enables query, update and revocation of issued OAuth 2.0 / OpenID Connect authorisations and the associated access and refresh tokens.
-
Subject session Enables query, access and management of the end-users’ SSO sessions with the Connect2id server.
-
Claims source Integrates OpenID Connect claims sources, such as LDAP directories, SQL databases and HR management systems.
-
Password grant handler Enables plug-in of authorisation logic for handling OAuth 2.0 resource owner password credentials grants.
-
Client credentials grant handler Enables plug-in of authorisation logic for handling client OAuth 2.0 credentials grants.
2. Supported OAuth 2.0 / OpenID Connect response types
The Connect2id server supports the following response
types. The server can be
configured to accept only a subset of these, either for the entire provider or
on a per client basis. The code id_token token
response type is not supported
in this release. The token
response is generally not supported as it falls
outside the scope of OpenID Connect; clients should use token id_token
instead.
-
code Used to request an ID token and access token at the Token endpoint.
-
id_token Used to request an ID token (implicit grant).
-
token id_token Used to request an ID token and access token (implicit grant).
-
code id_token Used to request an ID token with the authorisation response as well as an ID token and access token at the Token endpoint.
3. Supported OAuth 2.0 grant types
The Connect2id server supports all core OAuth 2.0 grant types. The server can be configured to accept only a subset of these, either for the entire provider or on a per client basis.
-
authorization_code Used in the authorisation code flow.
-
implicit Used in the implicit flow.
-
refresh_token Used for long-lived authorisations.
-
password Used for highly-trusted or privileged client applications, when the other safer grant types (e.g.
authorisation_code
) are not available. -
client_credentials Used by clients acting on their own behalf (the client is also the resource owner).
4. Supported subject identifier types
The Connect2id server supports public subject identifiers. Pairwise subject identifiers are on the roadmap.
- public Public subject identifier
5. OpenID Connect authentication request parameters
The Connect2id server supports the mandatory to implement authentication request parameters for all OpenID Connect providers. Support for the optional request objects, passed directly or by URI reference, is on the roadmap.
-
Supported OAuth 2.0 parameters : response_type, client_id, scope, redirect_uri, state
-
Supported OpenID Connect parameters : nonce, display, prompt, max_age, ui_locales, claims_locales, id_token_hint, login_hint, acr_values, claims
-
Unsupported OpenID Connect parameters : registration, request, request_uri
6. Supported client authentication methods
The Connect2id server supports all standard client authentication methods that are based on a provider-issued client secret. Support for private key JWT assertions is on the roadmap.
- client_secret_basic Basic HTTP authentication with client secret
- client_secret_post Basic HTTP authentication with client secret
- client_secret_jwt JWT assertion authentication with client secret
7. Supported ID token algorithms
The Connect2id server supports JSON Web Signature (JWS) protected ID tokens. Support for encrypted ID tokens is on the roadmap.
-
RS256, RS384, RS512, PS256, PS384, PS512 The ID token is signed with the provider’s RSA JWK.
-
HS256, HS384, HS512 The ID token is integrity protected with the provider-issued client secret.
8. Supported claim types
The Connect2id server issues normal claims. Aggregated and distributes claims, asserted by a claims provider other than the OpenID provider, will be supported in a future release.
- normal Claims directly asserted by the provider.
9. Offline access
The Connect2id server supports authorisations bound to a subject’s session as well as offline access by means of long-lived OAuth 2.0 refresh tokens.
10. Subject (end-user) authentication
Traditional password-based authentication of end-users as well as stronger two-factor methods are supported.
Upon successful login a client application may be informed of the employed
authentication strength and methods, communicated through the standard acr
and amr
ID token claims.
The Connect2id server supports integration of arbitrary authentication methods. Microsoft Active Directory / LDAP is supported out of the box, through an LdapAuth service.
11. Claims data sources
The Connect2id server supports aggregation of claims (standard UserInfo and others), with optional language tags, from one or more data sources.
Sourcing of end-user claims from Microsoft Active Directory / LDAP is supported out of the box.
12. Access token types
The Connect2id server supports both types of OAuth 2.0 access tokens – identifiers and self-contained authorisations.
-
Secure random identifier The access token is represented by a secure random identifier. The corresponding authorisation can be looked up by a RESTful call to the Connect2id token introspection endpoint.
-
Self-contained The access token is represented by a JSON Web Token (JWT) signed with the provider’s RSA key. The supported JWS algorithms are RS256, RS384, RS512, PS256, PS384 and PS512. The following fields can be included in the JWT: subject, client identifier, issuer, audience, scope, token issue time, token expiration time, consented claims, associated subject session identifier, optional custom data. The corresponding authorisation for a self-contained token can still be looked up by a RESTful call to the Connect2id token introspection endpoint.
13. High-availability and scaling
The Connect2id server can be run in two modes.
-
Single server The Connect2id server runs in a single server instance.
-
Cluster The Connect2id server runs in a replicated cluster configuration for high-availability and load-balancing. Server nodes can be added or removed dynamically.
Questions or comments? Get in touch with Connect2id support.