OpenID Connect

Getting Started with oidc-provider

24 July 2017 OpenID Connect


oidc-provider is an OpenID Connect provider for node.js, providing us with a secure authentication mechanism for our applications, and protection for our APIs. In this article, we’re going to walk through setting up oidc-provider and interacting with it using a couple of different ways.

Why oidc-provider?

It’s a Certified OpenID Provider Library and it’s a framework, unlike some providers which you can only mount and then modify select areas. Whilst this can be good for ensuring expected behaviour (you may be less likely to create security flaws or break functionality), it can be infuriating if you need custom logic or even grant types. The library is certified for all 5 OpenID Provider conformance profiles.

Project Setup

If, like me, you are a complete newbie to node.js and express.js, then the below commands are how we set up a new app...


OpenID Connect Flows

20 January 2015 OpenID Connect Last Updated: 24 July 2017


OpenID Connect presents three flows for authentication. These flows dictate how authentication is handled by the OpenID Connect Provider, including what can be sent to the client application and how.

Authorization Code Flow

The authorization code flow returns an authorization code (like it says on the tin) that can then be exchanged for an identity token and/or access token. This requires client authentication using a client id and secret to retrieve the tokens from the back end, and has the benefit of not exposing tokens to the user agent (i.e. a web browser). This flow allows for long-lived access (through the use of refresh tokens). Clients using this flow must be able to...


OpenID Connect Endpoints

18 January 2015 OpenID Connect Last Updated: 24 July 2017


OpenID Connect specifies three core endpoints that must be provided to meet its core specification and three other optional endpoints that aid with automation, discovery and session management.

Core

Authorization Endpoint

Carried across from OAuth, this endpoint authorises access to a protected resource. This resource could be the resource owner's identity or an API.

This endpoint will require the resource owner to first authenticate (log in) and then give their consent for you to access their protected resources. Assume that this endpoint will always require interaction with the resource owner...


OpenID Connect Overview

15 January 2015 OpenID Connect Last Updated: 24 July 2017


Much to everyone's disappointment, OAuth 2.0 is not an authentication protocol. Instead, it is a protocol for protecting resources, where that resource is an API, and allowing a client application to access it on the owner's behalf. It is an authorization protocol. Better still, it is a delegation protocol.

Over the years a lot of people have tried to turn OAuth into an authentication protocol or bend the protocol to their will, which is why we have so many different providers, each with their own implementation depending on their view of the universe. Unsurprisingly, if you look at the list of top OAuth providers it is eerily similar to the list of organisations who have been hacked in recent years. Creating your own authentication protocol is no simple task...

OpenID Connect 1.0 extends the OAuth protocol and introduces a new protected resource type: identity. This allows you to...
