Cloud Access Manager 8.1.4 - How To Develop OpenID Connect Apps

OpenID Connect ID Token

As a result of a successful authentication request, the OpenID Provider returns an ID Token in the form of a JSON Web Token (JWT); the JWT format is specified at https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32. The ID Token contains the following claims about the authentication of the end-user:

iss: Issuer. A URL that identifies the OP.

sub: Subject. Uniquely identifies the end-user.

aud: Audience. Contains the OAuth 2.0 client_id of the Relying Party.

exp: Expiration time. Set by Cloud Access Manager by adding 30 minutes to the time the ID Token was issued.

iat: Time at which the ID Token was issued.

auth_time: Time when the end-user authentication occurred.

nonce: If a nonce is present in the authentication request, the same value will be echoed to the client in this claim. The nonce value can be used by the client to mitigate replay attacks.

acr: Not returned.

amr: Not returned.

azp: Not returned.

OpenID Connect Token signing

OpenID Connect requires that the ID Token be digitally signed. Cloud Access Manager offers two ways to sign the ID Token. You can sign the ID Token:

  • Using HMAC SHA-256 with an automatically-generated pseudo-random shared secret
  • Using RSA SHA-1 with a private key from a self-signed X.509 certificate
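As an added example (not Cloud Access Manager code), the following Python standard-library snippet mints an HMAC SHA-256 signed ID Token carrying the claims listed above and, more importantly, shows the checks a Relying Party should run on one it receives: pinned algorithm, signature, iss, aud, exp and nonce. The shared secret, issuer URL and client_id are constructed placeholders.

```python
import base64, hashlib, hmac, json

# Constructed sample values (assumptions, not from the page): shared secret, OP issuer URL, client_id.
SHARED_SECRET = b"example-shared-secret-not-a-real-one"
ISSUER = "https://cam.example.com/CloudAccessManager/RPSTS"
CLIENT_ID = "my-relying-party"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(sub: str, nonce: str, issued_at: int, secret: bytes = SHARED_SECRET) -> str:
    """HS256-sign an ID Token carrying the claims listed above; exp is iat + 30 minutes."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": issued_at,
              "exp": issued_at + 30 * 60, "auth_time": issued_at, "nonce": nonce}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_id_token(token: str, expected_nonce: str, now: int, secret: bytes = SHARED_SECRET) -> dict:
    """Verify the signature first, then iss/aud/exp/nonce. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain this client_id")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay")
    return claims
```

The signature is checked before any claim is read, so a forged or tampered token never influences the later checks.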

OAuth v2.0 and OpenID Connect response types

Cloud Access Manager supports the following response types:

Table 3: Supported response types

  Response_type   Meaning                              Comments
  code            OAuth v2.0 authorization code flow
  token           OAuth v2.0 implicit flow             Not used by OpenID Connect (no ID token returned)
  id_token        OpenID Connect implicit flow         No access token returned. Claims are included in the ID Token
  token id_token  OpenID Connect implicit flow         Claims are accessed by invoking the UserInfo endpoint

Obtain claims from Cloud Access Manager

Cloud Access Manager does not use the scope values contained in the authentication request to determine which claims are returned. Instead, it returns the claims defined by the application configuration's claim mappings. Thus the client cannot control which claims are returned to it.
