webMethods and Intelligent Business Operations 10.2 | API Gateway User's Guide | API Gateway Administration | Security Configuration | OpenID Provider
 
OpenID Provider
 
Authorization Workflows
Identifying Applications Using OpenID Tokens
Adding an OpenID Provider
Viewing OpenID Provider List and Provider Configuration
Modifying the OpenID Provider Configuration
Activating an OpenID Provider
Deactivating an OpenID Provider
Deleting an OpenID Provider
OpenID Connect is an open standard, decentralized authentication protocol that builds on the OAuth 2.0 authorization framework.
OpenID Connect allows clients to:
* Obtain an OpenID Connect ID token to verify the identity of an end user and to authenticate and authorize that user with an authorization server or identity provider.
* Use a UserInfo endpoint to retrieve basic profile information, preferences, and other user-specific information.
OpenID Connect uses JWT as the format of the ID token for exchanging identity and user profile data. The ID token contains a set of claims that carry information about an end user or an application. A claim set consists of zero or more claims represented as name-value pairs, where the names are strings and the values are arbitrary JSON values.
The claims in an ID token are encoded as a JSON object and used as the payload of a JSON Web Signature (JWS) structure. A JWT can be signed either with a shared secret (HMAC algorithm) or with a public/private key pair using RSA. API Gateway uses RSA-based JWS to give JWTs stronger integrity protection.
Important: API Gateway supports OpenID Connect Discovery 1.0.
Structure of OpenID Token
An ID token (id_token) in the JSON Web Token (JWT) format consists of three components: a header, a payload, and a signature. The three components are Base64Url encoded and separated by dots, so the ID token can be passed easily in a URL or in the HTTP Authorization header.
Sample ID Token:
Header
Contains the signing algorithm used (alg; RS256 in the sample, that is, RSA with SHA-256) and, if applicable, the key identifier (kid) that references the public key needed to verify the signature:
Token Value Encoded:
eyJhbGciOiJSUGEzMzlmYzI1NiIsImtpZCI6Ijk5ZDEyODg0OGVkYjE4ZGVkODQyO
GEzMzlmYjFhNjUxZTMwNjcwOTkifQ
Token Value Decoded:
{
"alg": "RS256",
"kid": "99d128848edb18ded80428a339fb1a651e3067099"
}
Payload
Contains the claims relating to the authentication and identification of the client or the user:
Token Value Encoded:
eyJhenAiOiIzODk4MDEwNTQyMTAtNHBhOWJkZHExaWttYnM4dDM0OWU2c
WRibTRuaWVmZ3UuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiIzOD
k4MDEwNTQyMTAtNHBhOWJkZHExaWttYnM4dDM0OWU2cWRibTRuaWVmZ3UuYXBwcy5
nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMTY2NTk2MDg0MjAzNjMzNDY4
NzAiLCJlbWFpbCI6InZpbm9sYS5iZXRzeUBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZ
mllZCI6dHJ1ZSwiYXRfaGFzaCI6IlljT19CYUp6MU5yb3NBaFVPTWh5ZFEiLCJub2
5jZSI6IjRiZDQ3M2MzLWFhZDQtNDM5OS1iODhmLTU5ODFjOGUzOTk0ZSIsImF1dGh
fdGltZSI6MTUwMzI5ODE4NywiYW1yIjpbInJiYSJdLCJpc3MiOiJodHRwczovL2Fj
Y291bnRzLmdvb2dsZS5jb20iLCJpYXQiOjE1MDMyOTgxODgsImV4cCI6MTUwMzMwM
Tc4OCwibmFtZSI6IlZpbm9sYSBKIiwicGljdHVyZSI6Imh0dHBzOi8vbGg1Lmdvb2
dsZXVzZXJjb250ZW50LmNvbS8tSlZ0YXlGRXAwZXcvQUFBQUFBQUFBQUkvQUFBQUF
BQUFBQUEvQU1wNVZVb0F4RjdtT2x1TDllSmxTdDJ3Rzl2QjM5aFN3dy9zOTYtYy9w
aG90by5qcGciLCJnaXZlbl9uYW1lIjoiVmlub2xhIiwiZmFtaWx5X25hbWUiOiJKI
iwibG9jYWxlIjoiZW4if1
Token Value Decoded:
{
"azp": "389801054210-4pa9bddq1ikmbs8t349e6qdbm4niefgu.apps.googleusercontent.com",
"aud": "389801054210-4pa9bddq1ikmbs8t349e6qdbm4niefgu.apps.googleusercontent.com",
"sub": "116659608420363346870",
"email": "john.chris@sag.com",
"email_verified": true,
"at_hash": "YcO_BaJz1NrosAhUOMhydQ",
"nonce": "4bd473c3-aad4-4399-b88f-5981c8e3994e",
"auth_time": 1503298187,
"amr": [
"rba"
],
"iss": "https://accounts.google.com",
"iat": 1503298188,
"exp": 1503301788,
"name": "John Chris",
"picture": "jc.jpg",
"given_name": "John",
"family_name": "Chris",
"locale": "en"
}
The following claims in the ID token specify the unique identifying information for the OpenID client:
Claim           Description
azp             The client_id of the application to which the ID token was issued. This claim value is case-sensitive.
aud             Audience for the ID token.
sub             Username of the end user.
email           Email address of the user.
email_verified  Denotes whether the email address of the user has been verified.
at_hash         Hash of the access token issued together with the ID token, used to bind that access token to this ID token.
nonce           Associates a client session with an ID token.
auth_time       The time at which the user authentication occurred.
amr             The authentication method that was used for user authentication.
iss             Issuer of the ID token.
iat             The timestamp at which the ID token was issued.
exp             The time on or after which the ID token expires.
name            Full name of the user.
picture         The profile picture of the user.
given_name      First name of the user.
family_name     Surname or last name of the user.
locale          The display language of the user interface for user authentication.
Digital Signature
Contains the Base64url-encoded JWS signature that is computed over the encoded Header and Payload.
Token Value Encoded:
pG16c17-BGjDsXL7daoolMyxh1fE2cGIBWGInxonsKBosb1Qx7uGqEmH
PGQdB0cWTO6L0nQQ9mVUW-0BvQ6QYFD7QP8MilhGLNsf8bdgBS_-RL6bJqDGdXmAD
B8lpe5SjSa8bG9lg82y-c1FGQpyl7JTRztsMewlxya2VuT5m9aJMSavPFyG6JfU9t
dnqkHxQlLTVoe1becJWfpFuudY58e5wz42Pjmuz5IP_TJRdoK7TbeQ7PrP2Kl18i1
8fsu4I0R2-IxR5u3YCbGGihMhSrJG2pTULcCrRTUeT5BjcS2GEzd6yjKQvwLn6dbS
ndlicWVzT3dEiR1SuN2xkBhyyjQ
Token Value Decoded:
The signature does not decode to readable data; it is computed over the first two parts of the token. For an RS256 token such as the sample, the issuer signs the signing input with its RSA private key and the receiver verifies it with the public key referenced by kid:
RSASHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
privateKey)
For a token signed with a shared secret, an HMAC takes the place of the key pair:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)
Sample Userinfo Endpoint
For example, the UserInfo endpoint provided by Google is located at:
https://www.googleapis.com/oauth2/v3/userinfo
An example HTTP client request to the UserInfo endpoint:
GET https://www.googleapis.com/oauth2/v3/userinfo
Authorization: Bearer <access token>
A successful response returns HTTP 200 OK with the user's claims in JSON format:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
"sub": "johnc",
"email": "vinola.betsy@gmail.com",
"email_verified": true,
"name": "Vinola J",
"picture": "jc.jpg",
"given_name": "Vinola",
"family_name": "J",
"nickname": "John"
...[additional claims]...
}
Before the client application can trust the values returned by the UserInfo endpoint, it must verify that the sub claim in the UserInfo response matches the sub claim of the id_token.
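The checks this page describes (three dot-separated Base64Url parts, the signature verified before any claim is trusted, iss/aud/azp/exp/nonce validated, and the UserInfo sub compared with the id_token sub) as an added Python example that is not part of the original guide or of API Gateway. It signs with HS256 and a constructed shared secret because the Python standard library has no RSA; for the RS256 tokens API Gateway uses, the HMAC comparison is replaced by an RSA signature check with the public key selected by kid. The secret, the kid and the test claim values are constructed or taken from the sample payload above.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed for the example; never hard-code real secrets

def b64url_decode(s: str) -> bytes:
    # JWT parts are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims: dict) -> str:
    # header.payload.signature: each part base64url encoded and joined with dots
    header = {"alg": "HS256", "kid": "demo-key-1"}  # constructed kid
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_id_token(token: str, issuer: str, client_id: str, nonce: str, now: int):
    # Returns (claims, "ok") or (None, reason); the signature is checked before any claim is trusted
    parts = token.split(".")
    if len(parts) != 3:
        return None, "token must have exactly three dot-separated parts"
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the expected algorithm; never let the token choose it
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None, "signature mismatch"
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    if client_id not in aud:
        return None, "token not issued for this client"
    if len(aud) > 1 and claims.get("azp") != client_id:  # azp is required when aud has several values
        return None, "azp mismatch"
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    if claims.get("nonce") != nonce:
        return None, "nonce mismatch"
    return claims, "ok"

def userinfo_matches(claims: dict, userinfo: dict) -> bool:
    # Trust UserInfo values only when its sub equals the ID token's sub
    return "sub" in claims and userinfo.get("sub") == claims["sub"]
```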

Copyright © 2015- 2018 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
Innovation Release