
OpenID Connect

    To understand how OpenID Connect (OIDC) works, we’ll review basic concepts such as participants, identity tokens, claims and scopes, and endpoints.

    OpenID Connect is a thin layer that sits on top of the OAuth 2.0 protocol. It extends OAuth so that online applications can obtain identity information about the user and details about the authentication event.

    • OIDC enables clients to verify the identity of a (human) user based on the authentication performed by an authorization server
    • OIDC allows federated single sign-on to the application, with one exception (described below)
    • OIDC is required because OAuth provides authorization only, not authentication

    OIDC terminology

    | SuperOffice term    | Role              | OpenID Connect term            |
    |---------------------|-------------------|--------------------------------|
    | Tenant end user     | Resource owner    | Resource owner                 |
    | SuperOffice SuperID | Identity provider | OAuth 2.0 authorization server |
    | Partner application | Relying party     | OAuth 2.0 client               |

    OpenID Connect terminology

    User

    This is the tenant user for whom we are requesting identity information. Also known as the OAuth resource owner: one of the resources the user owns is their own identity.

    Client

    This is your application. It relies on the identity provider to authenticate users and to supply claims about them. Also known as the relying party.

    Identity provider (IdP)

    This is the OAuth 2.0 authorization server:

    • offers authentication as a service
    • ensures the user is authenticated
    • provides claims about the user and the authentication event to the relying party
    • has multiple endpoints

    Identity token

    A JSON Web Token (JWT) that contains claims about the authenticated user and the authentication event. The client must validate it before trusting any claim in it.


    Unable to authenticate inside an iframe with IdP

    If you embed your application as a web panel in SuperOffice, your application runs inside an iframe. The identity providers' security model prevents their sign-in page from being loaded inside an iframe, a defense against clickjacking, so no registered identity provider can be used from within the web panel.

    This means that your web-panel application will stop working when a customer switches from basic username-password authentication to an identity provider.

    If you get the following error, it could be caused by the iframe restriction:

        SuperOffice.Exceptions.SoSessionException: Authentication failed! ---> System.NullReferenceException: Object reference not set to an instance of an object.
        at SuperOffice.SoContext.Authenticate(SecurityToken[] tokens)

    Alternatively, your users may see the input fields for their credentials but be unable to type into them; in other words, the authentication simply stops responding.

    We recommend that you handle this proactively by performing the authentication in a pop-up window rather than inside the iframe. We are exploring other options.