OpenID Connect Use Cases

Overview[1] #

OpenID Connect, an identity layer on top OAuth, is one of the most important ways that access authorization and information is passed between two parties online. The OAuth 2.0 protocol decides how a client receives a token from a consenting user and then uses that token on an API call.

Paul Madsen of Ping Identity argues that even though OAuth 2.0 passes identity by way of that token’s permissions, the protocol lacks in that it does not withhold useful user information. By layering OpenID Connect on top of OAuth 2.0, the identity semantic comes into play and OAuth 2.0 becomes identity aware, enabling things like single sign-on and personal profile information sharing.

OpenID Connect Key Identity Extensions:

  • UserInfo Endpoint: The OAuth 2.0 protected endpoint that provides user identity attributes, which limits registration form drop-off.
  • ID Tokens: A structured, secure, signed information object that carries information about the user in question, like when they authenticated and how.

How OpenID Connect Enables Native Single Sign-On #

OpenID Connect enables Native Single Sign-On. As Native applications continue to grow in popularity due to their ease of use and ease of distribution, there comes a greater demand for default OAuth 2.0 in native environments. But the burden of managing authentication throughout a sea of various native apps falls on the end user, who must know which login is for which app, which needs to be re-authenticated, among other nuisances.

Forecasts show an increase in native app usage within the foreseeable future. In 2014, 86 percent of time spent on smartphones was spent within native apps, not web browsers. One way to get an edge in this increasingly crowded market is to increase usability with a Single Sign-On for multiple apps published by the same owner. This can be accomplished using OpenID Connect paired with OAuth 2.0.

The process involves the implementation of an Authentication Agent (AZA) which is either an agent installed on the device’s operating system or is it’s own separate mobile app. The mobile device user authorizes the AZA agent to retrieve tokens automatically from other native mobile apps that it’s authorized to use.

This case has an obvious appeal for businesses to enable and control SSO access to certain enterprise-grade applications, for both web and native apps, as well as for bundles of B2C apps that were created by the same brand that wants to give users easy access to them all.

There has been some work by the Native Applications Working Group for Native Single Sign-On and Google open sourced AppAuth for Native application

OpenID Connect enables Native Single Sign-On using:

More Information #

There might be more information for this subject on one of the following: