Integration interfaces

The Connect2id server comes with a set of interfaces to let deployments plug in their own data sources, branded user journeys and business-specific authorisation logic. These can be:

  • Web interfaces -- With focus on flexibility, based on REST and JSON;
  • Java Service Provider Interfaces (SPI) -- With focus on performance with Java- based modules; can implement web hooks to services for additional flexibility.

To run your own OpenID Connect provider / OAuth 2.0 server you only need to link a user authentication source and UI via the authorisation session web API. The remaining integration points are optional.

Interface Type Requirement Purpose
Authorisation session web required Integrate your branded login page (UI), your subject (end-user) authentication methods and your business / authorisation logic for setting the claims and scopes of the issued ID and access tokens.
Logout session web optional Integrate a logout page (UI) for receiving end-session requests from OpenID applications as well as internal IdP services.
Direct authorisation web optional Create SSO sessions and obtain ID / access tokens directly, without any end-user interaction. Can be used to federate external identity providers, such as business partners and social logins from Facebook, Twitter, etc.
Authorisation store web optional Query, update and revoke issued OAuth 2.0 / OpenID Connect authorisations as well as associated access and refresh tokens.
Subject session store web optional Query, access and manage the SSO sessions of subjects (end-users) with the Connect2id server.
Security Token Service (STS) web optional Request issue of JAR and private_key_jwt JWTs when the Connect2id server acts an OAuth 2.0 client / OpenID relying party.
Monitoring web optional Obtain server usage and performance metrics, run health-checks.
Configuration check web optional Validate a Connect2id server configuration before applying it.
Tenants registry web optional Manage Connect2id server tenants (multitenant edition only)
Claims source SPI required Integrate OpenID Connect claims sources, such as LDAP directories, SQL databases and HR management systems.
Password grant handler SPI optional Plug in logic for handling OAuth 2.0 resource owner password credentials grants.
Client credentials grant handler SPI optional Plug in logic for handling client OAuth 2.0 credentials grants.
JWT bearer assertion grant handler SPI optional Plug in logic for handling client-issued and third-party issued (token service) JWT bearer assertion grants.
SAML 2.0 bearer assertion grant handler SPI optional Plug in logic for handling client-issued and third-party issued (token service) SAML 2.0 bearer assertion grants.
Token exchange grant handler SPI optional Plug in logic for handling token exchange, including impersonation (act-as) and delegation (on-behalf-of) scenarios.
Token issue events SPI optional Relay access and ID token issue events to other services.
Custom access token encoding and introspection SPI optional Customise access token encoding and introspection responses.
Custom token response SPI optional Customise token success and error responses.
Client registration interceptor SPI optional Intercept HTTP requests at the client registration endpoint to handle software statements and other signed requests.
Client metadata validator SPI optional Carry out additional validation or shaping of OAuth 2.0 client / OpenID relying party registration metadata after the Connect2id server has completed the standard validations.
Authorisation request validator SPI optional Carry out additional validation and optional modification of received authorisation requests.
PAR validator SPI optional Carry out additional validation and optional modification of received Pushed Authorisation Requests (PAR).
Private key JWT certificate verifier SPI optional Verify qualified X.509 certificates for private key JWT client authentication.
Client authentication interceptor SPI optional Intercept client authentication success and error events for logging, reporting, audit and other purposes.
Client secret store codec SPI optional Hash or encrypt client secrets before persisting them to storage. Support import encoded secrets.