Identity Provision with OpenID Connect

UserInfo

Besides asserting the user’s identity with an ID token, the Connect2id server can also release consented information (claims) about the user client apps. The claims can be included in the ID token, or made available for collection at a UserInfo endpoint, in exchange for an OAuth 2.0 access token.

OpenID Connect defines a standard UserInfo schema schema which covers a number of common attributes:

  • The person’s name, in various forms, with optional localisation.

  • Contact details, such as email, phone number and postal address, including their verification status.

  • Profile information, such as home page, picture, birth date and timezone.

The UserInfo schema can be easily extended to supply additional (custom) claims to client apps, such as:

  • User roles and permissions, derived from LDAP group membership or some other data source.

  • Claims derived from analytics and BI.

  • Location-based information.

JSON is the standard format for UserInfo:

{
   "sub"                     : "alice",
   "email"                   : "[email protected]",
   "email_verified"          : true,
   "name"                    : "Alice Adams",
   "phone_number"            : "+359 (99) 100200305",
   "profile"                 : "https://c2id.com/users/alice",
   "https://c2id.com/groups" : [ "audit", "admin" ]
}

Data sources

The Connect2id server provides a powerful API for sourcing OpenID claims from one or multiple locations:

  • Enterprise MS-AD / LDAP directories

  • SQL databases

  • External identity providers

  • Web services

  • On-demand attribute provisioning