
Integration

The Connect2id server comes with interfaces to link data sources, create customised user journeys and plug application-specific authorisation logic. The interfaces can be:

  • Web interfaces – REST and JSON-based, for front-end integration or easy connectivity to web services.
  • Java Service Provider Interfaces (SPI) – Native Java-based plugins for efficiency and performance. The plugins can implement web hooks to services.

To run your own OpenID Connect provider / OAuth 2.0 server you only need to link a user authentication source and UI via the authorisation session web API. The remaining integration points are optional.

| Interface | Type | Requirement | Purpose |
|---|---|---|---|
| Authorisation session | web | required | Integrate your branded login page (UI), your subject (end-user) authentication methods and your business / authorisation logic for setting the claims and scopes of the issued ID and access tokens. |
| Logout session | web | optional | Integrate a logout page (UI) for receiving end-session requests from OpenID applications as well as internal IdP services. |
| Direct authorisation | web | optional | Create SSO sessions and obtain ID / access tokens directly, without any end-user interaction. Can be used to federate external identity providers, such as business partners and social logins from Facebook, Twitter, etc. |
| Authorisation store | web | optional | Query, update and revoke issued OAuth 2.0 / OpenID Connect authorisations as well as associated access and refresh tokens. |
| Subject session store | web | optional | Query, access and manage the SSO sessions of subjects (end-users) with the Connect2id server. |
| Key store | web | optional | Inspect, generate, rotate and revoke Connect2id server keys. |
| Security Token Service (STS) | web | optional | Request issue of JAR and private_key_jwt JWTs when the Connect2id server acts as an OAuth 2.0 client / OpenID relying party. |
| Monitoring | web | optional | Obtain server usage and performance metrics, run health-checks. |
| Configuration check | web | optional | Validate a Connect2id server configuration before applying it. |
| Tenants registry | web | optional | Manage Connect2id server tenants (multitenant edition only). |
| Claims source | SPI | required | Integrate OpenID Connect claims sources, such as LDAP directories, SQL databases and HR management systems. |
| Password grant handler | SPI | optional | Plug in logic for handling OAuth 2.0 resource owner password credentials grants. |
| Client credentials grant handler | SPI | optional | Plug in logic for handling OAuth 2.0 client credentials grants. |
| JWT bearer assertion grant handler | SPI | optional | Plug in logic for handling client-issued and third-party issued (token service) JWT bearer assertion grants. |
| SAML 2.0 bearer assertion grant handler | SPI | optional | Plug in logic for handling client-issued and third-party issued (token service) SAML 2.0 bearer assertion grants. |
| Token exchange grant handler | SPI | optional | Plug in logic for handling token exchange, including impersonation (act-as) and delegation (on-behalf-of) scenarios. |
| Web SSO eligibility checker | SPI | optional | Plug in logic for additional checks whether an OAuth 2.0 authorisation / OpenID authentication request is eligible for web SSO. |
| Device SSO handler | SPI | optional | Plug in logic for handling device SSO authorisations by native clients. |
| Token issue events | SPI | optional | Record or send access and ID token issue events. |
| Authentication and consent events | SPI | optional | Record or send end-user authentication and authorisation events. |
| Custom access token encoding and introspection | SPI | optional | Customise access token encoding and introspection responses. |
| Custom token response | SPI | optional | Customise token success and error responses. |
| Client registration interceptor | SPI | optional | Intercept HTTP requests at the client registration endpoint to handle software statements and other signed requests. |
| Client metadata validator | SPI | optional | Carry out additional validation or shaping of OAuth 2.0 client / OpenID relying party registration metadata after the Connect2id server has completed the standard validations. |
| Authorisation request validator | SPI | optional | Carry out additional validation and optional modification of received authorisation requests. |
| PAR validator | SPI | optional | Carry out additional validation and optional modification of received Pushed Authorisation Requests (PAR). |
| Private key JWT certificate verifier | SPI | optional | Verify qualified X.509 certificates for private key JWT client authentication. |
| Client authentication interceptor | SPI | optional | Intercept client authentication success and error events for logging, reporting, audit and other purposes. |
| Client secret store codec | SPI | optional | Hash or encrypt client secrets before persisting them to storage. Supports import of already encoded secrets. |