Welcome to OpenID Connect
What is OpenID Connect?
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.
See http://openid.net/connect/faq/ for a set of answers to Frequently Asked Questions about OpenID Connect.
译文:
OpenID Connect(目前版本是1.0)是OAuth 2.0协议之上的简单身份层, 它允许客户端根据授权服务器执行的身份验证来验证最终用户的身份,以及以可互操作和类似REST的方式获取有关最终用户的基本配置文件信息。它支持包括Web、移动、JavaScript在内的所有客户端类型;它是可扩展的协议,允许你使用某些可选功能,如身份数据加密、OpenID提供商发现、会话管理。
含义:
OIDC是OpenID Connect的简称,OIDC=(Identity, Authentication) + OAuth 2.0。它在OAuth2上构建了一个身份层,是一个基于OAuth2协议的身份认证标准协议。我们都知道OAuth2是一个授权协议,它无法提供完善的身份认证功能(关于这一点请参考[认证授权] 3.基于OAuth2的认证(译)),OIDC使用OAuth2的授权服务器来为第三方客户端提供用户的身份认证,并把对应的身份认证信息传递给客户端,且可以适用于各种类型的客户端(比如服务端应用,移动APP,JS应用),且完全兼容OAuth2,也就是说你搭建了一个OIDC的服务后,也可以当作一个OAuth2的服务来用。
How is OpenID Connect different than OpenID 2.0?
OpenID Connect performs many of the same tasks as OpenID 2.0, but does so in a way that is API-friendly, and usable by native and mobile applications. OpenID Connect defines optional mechanisms for robust signing and encryption. Whereas integration of OAuth 1.0a and OpenID 2.0 required an extension, in OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself.
译文:
OpenID Connect完成很多与OpenID 2.0相同的任务,是API-friendly,定义了可选的签名和加密的机制;OAuth 1.0a和OpenID 2.0的集成需要扩展,而OpenID Connect协议本身就建立在OAuth 2.0之上
专业词汇
1. Relying Party(RP):依赖方,通常是第三方应用程序(客户端)
2. OpenID Provider(OP):OpenID 提供方,通常是一个 OpenID 认证服务器,它能为依赖方提供断言以证实用户拥有某个标识
3. End-User(EU):终端用户,指持有账号的人
Specification Organization (OpenID Connect协议构成)
The OpenID Connect 1.0 specification consists of these documents:(OpenID Connect 1.0规范包含以下文档:)
- Core – Defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of Claims to communicate information about the End-User
- Discovery – (Optional) Defines how Clients dynamically discover information about OpenID Providers
- Dynamic Registration – (Optional) Defines how clients dynamically register with OpenID Providers
- OAuth 2.0 Multiple Response Types – Defines several specific new OAuth 2.0 response types
- OAuth 2.0 Form Post Response Mode – (Optional) Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User Agent using HTTP POST
- Session Management – (Optional) Defines how to manage OpenID Connect sessions, including postMessage-based logout and RP-initiated logout functionality
- Front-Channel Logout – (Optional) Defines a front-channel logout mechanism that does not use an OP iframe on RP pages
- Back-Channel Logout – (Optional) Defines a logout mechanism that uses direct back-channel communication between the OP and RPs being logged out
译文:
- Core – 定义核心OpenID Connect功能:基于OAuth 2.0构建的身份验证以及使用声明来传达有关最终用户的信息
- Discovery –(可选)定义客户端如何动态发现有关OpenID提供程序的信息
- Dynamic Registration –(可选)定义客户端如何动态注册OpenID提供程序
- OAuth 2.0 Multiple Response Types – 定义几个特定的新OAuth 2.0响应类型
- OAuth 2.0 Form Post Response Mode – (可选)定义如何使用用户代理,使用HTTP POST自动提交的HTML表单值返回OAuth 2.0授权响应参数(包括OpenID Connect身份验证响应参数)
- Session Management – (可选)定义如何管理OpenID Connect会话,包括基于postMessage的注销和RP启动的注销功能
- Front-Channel Logout – (可选)定义在RP页面上不使用OP iframe的前端通道注销机制
- Back-Channel Logout – (可选)定义注销机制,该机制使用正在注销的OP和RP之间的直接反向通道通信
Two implementer’s guides are also available to serve as self-contained references for implementers of basic Web-based Relying Parties:(两个基于Web的RPs的独立参考指南:)
- Basic Client Implementer’s Guide – Simple subset of the Core functionality for a web-based Relying Party using the OAuth code flow
- Implicit Client Implementer’s Guide – Simple subset of the Core functionality for a web-based Relying Party using the OAuth implicit flow
A protocol migration specification has been finalized:(协议迁移规范)
- OpenID 2.0 to OpenID Connect Migration 1.0 – Defines how to migrate from OpenID 2.0 to OpenID Connect
Finally, the OpenID Connect working group has started this new work:(OpenID Connect 工作组已启动新的工作计划:)
- OpenID Connect Profile for SCIM Services – (Optional) Defines how sets of OPs and RPs can establish trust by utilizing a Federation Operator
- OpenID Connect Federation – (Optional) Defines how to use SCIM with OpenID Connect
The OpenID Connect specifications, implementer’s guides, and specifications they are built upon are shown in the diagram below. Click on the boxes in the diagram to view the specification.
(OpenID Connect规范,实施者指南和构建它们的规范如下图所示。 单击图中的框以查看规范。需要图片链接请打开原文图片:https://openid.net/connect/)
OpenID Connect Spec Map
Participation in the Working Group
The easiest way to monitor progress on the OpenID Connect 1.0 Specification is to join the mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab.
Please note that while anyone can join the mailing list as a read-only recipient, posting to the mailing list or contributing to the specifications requires the submission of an IPR Agreement. More information is available at http://openid.net/intellectual-property. Make sure to specify the working group as “OpenID AB/Connect”, because this group is a merged working group and both names must be specified.
For more details on participating, see the OpenID Connect Working Group Page.
Implementations
The Libraries page lists libraries that implement OpenID Connect and related specifications.
Interop Testing
Interop testing for OpenID Connect implementations is under way. If you are interested in participating in the interop activities, join the OpenID Connect Interop mailing list.
Status
Final OpenID Connect specifications were launched on February 26, 2014.
The certification program for OpenID Connect was launched on April 22, 2015.
Final OAuth 2.0 Form Post Response Mode Specification was approved on April 27, 2015.
OpenID Certification for RPs was made available to all in August 2017.
Implementer’s Draft of OpenID Connect Federation Specification Approved on August 7, 2018.
参考文章:
https://openid.net/connect/ ----------- OpenId Connect官方文档
http://www.cnblogs.com/linianhui/p/openid-connect-core.html#auto_id_0 --------OIDC(OpenId Connect)身份认证授权(核心部分)
最佳实践---阿里云API网关的OIDC认证
https://help.aliyun.com/document_detail/48019.html