Claims source SPI

1. OpenID Connect claims

OpenID Connect permits client applications to retrieve claims, or assertions, about the end-user upon successful login and consent. The client can receive the claims in two different ways: from the protected UserInfo endpoint (requires an access token), or included in the issued ID token.

Example claims about a logged-in user:

  {
    "sub"         : "248289761001",
    "name"        : "Jane Doe",
    "given_name"  : "Jane",
    "family_name" : "Doe",
    "email"       : "[email protected]",
    "picture"     : ""
  }

2. Claims source SPI

The Connect2id server comes with a Java Service Provider Interface (SPI) for collecting claims from one or more arbitrary data sources, such as

  • Active Directory / LDAP (supported out-of-the-box)
  • SQL and NoSQL databases
  • SCIM web service
  • HR system

The claims source SPI is defined in the Connect2id server toolkit, which you may use to create your own connectors:

Features of the claims source SPI:

  • Supports initialisation of the claims source from some configuration file.

  • Provides a method to let the Connect2id server discover what claims the
    source supports.

  • Can handle language tags (BCP47).

  • Enables implementations to release resources on Connect2id server shutdown.
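The four features above, as an added Python sketch of what a claims source has to do (this is not the Connect2id SPI or its Java interface; DemoClaimsSource, its method names and the user record are hypothetical constructions):

```python
# Constructed user records standing in for an LDAP / SQL / HR backend (not real data).
# A claim name with a '#' suffix carries a BCP47 language tag (OpenID Connect Core 5.2).
USERS = {
    "248289761001": {
        "name": "Jane Doe",
        "name#ja-JP": "ジェーン・ドウ",
        "email": "jane@example.com",
        "department": "Engineering",  # internal attribute, not released as a claim
    }
}

class DemoClaimsSource:
    # Hypothetical claims source modelled on the four SPI features listed above.

    def __init__(self, config):
        # Feature 1: initialise from configuration (a dict here; a file in practice).
        self._released = frozenset(config["released_claims"])
        self._store = config["store"]
        self._open = True

    def supported_claims(self):
        # Feature 2: let the server discover which claims this source can supply.
        return sorted(self._released)

    def get_claims(self, subject, requested, locales=()):
        # Feature 3: prefer a value tagged with the first matching locale, else the untagged one.
        if not self._open:
            raise RuntimeError("claims source has been shut down")
        record = self._store.get(subject, {})  # unknown subject: release nothing
        out = {}
        for claim in requested:
            base, _, tag = claim.partition("#")
            if base not in self._released:
                continue  # never leak attributes outside the configured set
            if tag:  # explicitly tagged request, e.g. "name#ja-JP"
                if claim in record:
                    out[claim] = record[claim]
                continue
            for loc in locales:
                if f"{base}#{loc}" in record:
                    out[f"{base}#{loc}"] = record[f"{base}#{loc}"]
                    break
            else:
                if base in record:
                    out[base] = record[base]
        return out
    def shutdown(self):
        # Feature 4: release resources (connections, pools) on server shutdown.
        self._open = False
```

Only claims named in the configured released set are ever returned, so an internal attribute such as department cannot leak through a client's claims request.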

3. Available claim source connectors

Connect2id provides two ready connectors for sourcing claims. Their code is open (Apache 2.0 licensed), and we encourage you to use them as an example when building your own claims source.

3.1 LDAP

An LDAP / Active Directory connector is included in the Connect2id server package. Check out its configuration manual for more details.

Git repo:

3.2 HTTP endpoint

This connector sources claims from a protected HTTP endpoint using simple JSON over POST. It is useful when you want to delegate sourcing to a web service, or when you don’t want to implement the claims sourcing in Java.

4. Receiving support

Our Connect2id support team is available if you need help with integrating a particular claims source.