How does an OpenID Provider authenticates an end-user?
OpenID Connect 1.0 enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server and provides claims in exchange for an access token. The access token is provided to /user_info or /me endpoint to get the requested claims in return.
The section 3.1.2.3 of OpenID Connect 1.0 spec explains the process of authenticating an end-user. However, it clearly states
The methods used by the Authorization Server to Authenticate the End-User (e.g. username and password, session cookies, etc.) are beyond the scope of this specification.
The implementation of these methods is precisely my question. Plus, the OAuth2.0 specification doesn't provide any info on the implementation as well.
The doubts I've is how do we authenticate an end-user? The probable cases I could think of are:
- We keep some user's data like its profile info, username, password on Authorization server and other user-related information on the Resource Server.
- We keep everything on the Resource server and validate the user's credentials by sending a
POSTrequest along with user's credentials to an internal rest API on the resource server. - Authorization and Resource server share the same DB instance, and hence no API calls.
I know the implementation will differ from one OpenID Provider to others but I want to know if these are even approaches that any OpenID Provider follows?
In some cases, the authorization and resource server can be the same, in which case sharing the database instance will become easy. But what happens in case of the servers being two different machines.
Let's say if I'm trying to write my own implementation of OpenId Connect. What suggestions would you give me to authenticate the end-users?
I tried to go through the codebase of node-oidc-provider library but the library doesn't authenticate the user and skips that part. It'd be of great help if anyone could provide any pointers on this. What should be the best practice? What methods any other OpenID Provider is using?
As you can see from the helpful image, from the article about OpenId/OAuth 2.0 architecture from article by Takahiko Kawasaki @ Medium
There is a reason the authenetication mechanisms are explicitly stated to be out of scope, as authentication and its requirements are implemented by completely separate means. It can be done by absolutely any kind of authentication mechanism you choose, the only requirement is for authentication to implement proper responses to OpenID/OAuth requests.
Let's say you want to have a page authenticate against your Active Directory. All you have to do is extend existing Active Directory system with proper OAuth and OpenID plugins (assuming there are such), configure them, and after these protocols are available for authentication and authorization, you can specify your AD as OpenID/OAuth provider to whoever is prepared to accept them.
Back in early OpenID days, the first time sites such as LiveJournal allowed arbitrary OpenID providers to authenticate against, for testing the idea, I made a mock OpenID page on my hobby webserver, which just had enough OpenID support to authenticate the single user against the password I manually specified there. Worked all right, but would be probably quite an extreme example. These days it is easier to use Google OpenID connect or similar to have centralized profile management.
The question where to store authorization information is again quite nebulous, but it generally would make senses to be stored somewhere near the used authentication mechanism, as you are using this authentication mechanism to give authorization, so it makes sense that you keep track of what you have authorized using this particular authentication.
Note that OAuth is letting the authenticated user to be in driver seat, which is generally the case for public webapps.
In case of a non-public resource, it might frequently be the case that resource holders would only subscribe to OpenID or other federated identity provision, but would themselves decide which resources the user can access, based on where he comes from and/or who he is in the particular identity scheme.
An example would be university A library system, which might allow logins of university's B students, based on B's federated identity auth server, but not give them the same rights to A library as to its own students authenticade by universisty A authentication system.
- Endpoints Resolution Error - OAuth v2 Azure - msal-node
- Should you confirm email addresses obtained from external login providers?
- Spring + Vue + OAuth2 - CORS Missing Allow Origin
- Is there a way to keep oauth2 token for infinite time?
- Google service account OAUTH2 SMTP "555-5.5.2 Syntax error"
- Pagination with oauth azure data factory
- Client Credentials Flow for Azure DevOps
- Best Practices for Associating userId (from JWT) with Google OAuth Tokens
- Is a Secure Oauth2 Web App Flow with FE and BE the right approach?
- Get a 3-Legged Token with Authorization Code Grant (PKCE) for Public Clients
- Azure arc agent error "Missing Basic Authorization header"
- Differentiate the scripts that obtain an access token using the Client Credentials Grant type
- keycloak token introspection always fails with {"active":false}
- Access to fetch at https://accounts.google.com/o/oauth2/v2/auth has been blocked by CORS
- Role-based authentication not working with Keycloak and Java Spring
- Fetching Docusign Returns Invalid Grant In Code But Works Fine In Postman
- What If Session Expires While User Is Still On The Website
- Remix run: Authentication succeeds on validation failures
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Using two or more SecurityFilterChains with Spring Security 6 does not work properly, only one chain is invoked
- What is the purpose of the 'state' parameter in OAuth authorization request
- OAuth 2.0 Single Client Configuration for Web and Mobile Applications
- OAuth 2 access_token vs OpenId Connect id_token
- Spring Security - Multiple OAuth2 Identity providers (github and google) work with only one Bean with @Prirmary?
- Error in oAuth2 Google APIs - invalid_request "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy"
- MSAL Node service & The Partner Center API
- How to change the app name for Firebase authentication (what the user sees)
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Is it okay to encrypt a 3rd party access token and refresh token, in an encrypted JWT?
- Is a Client Secret Required for Google OAuth 2.0 using the PKCE Authorization Flow? Should I Expose the Client Secret Publicly?