To understand how OpenID Connect (OIDC) works, we'll review its basic concepts: the participants, identity tokens, claims and scopes, and endpoints.
OpenID Connect is a thin identity layer on top of the OAuth 2.0 protocol. It extends OAuth so that online applications can obtain identity information about the signed-in user and retrieve details about the authentication event (when, and with which method, the user authenticated).
- OIDC enables clients to verify the identity of a (human) user based on the authentication performed by an authorization server
- OIDC allows federated single sign-on to the application, with one exception: the identity provider's sign-in page cannot be shown inside an iframe (see below)
- OIDC is needed because OAuth 2.0 on its own provides authorization (delegated access to resources), not authentication: an access token says nothing about who is signed in
OpenID Connect terminology

| OpenID Connect term | OAuth 2.0 term | Description |
|---|---|---|
| End user (tenant end user) | Resource owner | The tenant user for whom we are requesting identity information. One of the resources they own is their own identity. |
| Relying party (RP) | Client | Your application. It relies on the identity provider to authenticate users and requests claims about that user. |
| Identity provider (IdP) | Authorization server | Offers authentication as a service; ensures the user is authenticated; provides claims about the user and the authentication event to the relying party; exposes multiple endpoints. |
| Identity token (ID token) | (no OAuth 2.0 equivalent) | A JSON Web Token (JWT) that contains claims about the user and the authentication event. |
Unable to authenticate inside an iframe with IdP
If you embed your application as a web panel in SuperOffice, your application runs inside an iframe. Identity providers refuse to render their sign-in page inside a frame (typically by sending an `X-Frame-Options: DENY` header or a `Content-Security-Policy` `frame-ancestors` directive) to defend against clickjacking, so the sign-in page of any registered identity provider cannot be loaded inside the web panel.
This means that your web-panel application will stop working when a customer switches from basic username-password authentication to an identity provider.
If you get the following error, it could be caused by the iframe restriction:
```
SuperOffice.Exceptions.SoSessionException: Authentication failed! ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at SuperOffice.SoContext.Authenticate(SecurityToken tokens)
```
It can also happen that users see the input fields for their credentials but are unable to type into them; in other words, the authentication simply stops responding.
We recommend that you handle this proactively and do the authentication in a pop-up dialog. We are exploring other options.