OIDC (OpenID Connect)

What is OIDC?

OIDC (OpenID Connect) is an identity layer on top of the OAuth 2.0 protocol. OAuth 2.0 by itself covers authorization (delegated access to resources); OIDC adds authentication, so that applications can verify the identity of the user who logged in and obtain basic profile information about them.

  1. OAuth 2.0 Protocol: OIDC builds on OAuth 2.0, which is a framework for token-based authorization.

  2. Identity Provider (IdP): The service that authenticates the user and issues tokens. In our case, Hideez Identity Cloud is an Identity Provider.

  3. Client/Application: The application that the user wants to access, which relies on the Hideez Identity Cloud to authenticate the user.

How does OIDC work?

  1. User Requests Access: The user tries to access an application (the Client).

  2. Client Redirects to Hideez Identity Cloud: The application redirects the user to the identity provider for authentication.

  3. User Authenticates: The user logs in at the Hideez Identity Cloud.

  4. Hideez Identity Cloud Issues Tokens: Upon successful authentication, Hideez Identity Cloud issues an ID token, an access token, and optionally a refresh token to the client. In the authorization code flow these are returned when the client exchanges the authorization code at the token endpoint, not through the user's browser.

  5. Client Uses ID Token: The application validates the ID token (signature, issuer, audience, expiry and nonce) and only then uses its claims to establish the user's identity and obtain profile information.

Tokens:

  • ID Token: A signed JWT containing claims about the user (e.g., user ID in `sub`, name, email) and about the authentication event. It is addressed to the client, which must validate it before trusting any claim in it.

  • Access Token: Presented to protected resources and APIs on behalf of the user. It is meant for the resource server; the client should not use it as proof of who the user is.

  • Refresh Token: Used to obtain new access tokens without requiring the user to log in again. It is long-lived, so it must be stored server-side and protected like a credential.

OIDC is widely used for enabling single sign-on (SSO) and is designed to be simple, RESTful, and interoperable across various platforms and applications. It enhances user experience by providing a consistent login process and simplifies application development by handling user authentication through standardized tokens.
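The checks behind step 5 above, as an added example that is not part of the Hideez documentation. It assumes the JWS signature of the ID token has already been verified against the IdP's published keys and shows the claim validation that has to follow. The issuer URL, client_id and the token payload are constructed placeholders, not Hideez values.

```python
"""Claim checks a client must run on an ID token before trusting it.

Added example, not code from the Hideez documentation. The issuer URL,
client_id and the sample token payload are constructed placeholders.
Verifying the JWS signature against the IdP's published JWKS is assumed
to have already succeeded; what follows are the claim checks that come
after it (OpenID Connect Core 1.0, section 3.1.3.7).
"""
import time

# Assumed values. In practice the issuer comes from the IdP's discovery
# document and the client_id from the Client Id field in the console.
EXPECTED_ISSUER = "https://idp.example.com"  # placeholder, not a real Hideez URL
CLIENT_ID = "my-client-id"                   # placeholder Client Id


def id_token_claim_error(claims, expected_issuer, client_id, expected_nonce, now, leeway=60):
    """Return None if the claims are acceptable, else a short reason string.

    `now` is the validation time as a Unix timestamp; `leeway` absorbs small
    clock skew between the IdP and the client.
    """
    if claims.get("iss") != expected_issuer:
        return "iss mismatch: token not issued by the expected IdP"

    # aud is a string or a list of strings; this client must be included.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        return "aud does not include this client_id"

    # With several audiences the authorized party (azp) must name this client.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        return "multiple audiences but azp is missing or not this client"

    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp + leeway:
        return "token expired or exp missing"

    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + leeway:
        return "iat missing or in the future"

    # nonce ties the token to the authorization request this session started;
    # the expected value is what the client stored before redirecting the user.
    if claims.get("nonce") != expected_nonce:
        return "nonce mismatch: token was not issued for this login attempt"

    if not claims.get("sub"):
        return "sub missing"
    return None


def validate_id_token_claims(claims, expected_issuer, client_id, expected_nonce, now=None):
    """Return the subject identifier on success; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    err = id_token_claim_error(claims, expected_issuer, client_id, expected_nonce, now)
    if err:
        raise ValueError("invalid ID token: " + err)
    return claims["sub"]


# Constructed sample payload, as it would look after base64url-decoding the
# JWT payload of a token issued for an authorization request with this nonce.
SAMPLE_NOW = 1_700_000_000
SAMPLE_NONCE = "n-0S6_WzA2Mj"
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "sub": "248289761001",
    "aud": CLIENT_ID,
    "exp": SAMPLE_NOW + 3600,
    "iat": SAMPLE_NOW,
    "nonce": SAMPLE_NONCE,
    "email": "alice@example.com",
}


if __name__ == "__main__":
    print("subject:", validate_id_token_claims(SAMPLE_CLAIMS, EXPECTED_ISSUER, CLIENT_ID, SAMPLE_NONCE, now=SAMPLE_NOW))
    # A genuine token minted for another client must still be refused.
    other = dict(SAMPLE_CLAIMS, aud="some-other-client")
    print("other client:", id_token_claim_error(other, EXPECTED_ISSUER, CLIENT_ID, SAMPLE_NONCE, SAMPLE_NOW))
```

The audience and nonce checks are the ones most often skipped: without them, an ID token legitimately issued by the same IdP for a different application, or a token captured from another login, would be accepted as this user's login.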

Configuring application as Client for OIDC (OpenID Connect)

  • Go to Integration → OIDC → Create Client.

  • Here, you can fill in the necessary data about your Service Provider (Client):

Creation of Client

Name

The name of the client. This field is mandatory and is used to identify the OIDC client being created.

Client Id

The unique identifier for the client. It is generated automatically and identifies the client application to the authorization server. It is not a secret: it is sent in the clear in every authorization request.

Client Secret

A secret generated automatically for the client. It authenticates the client application to the authorization server when the client exchanges the authorization code at the token endpoint. Treat it like a password: keep it only on the server side of the application, never in browser or mobile code, and regenerate it if it is ever exposed.

Redirect Uri

The URL to which the authorization server redirects the user, carrying the authorization code, after they have authorized the client. This field is mandatory. The `redirect_uri` the application sends in its authorization request must match this registered value exactly; that comparison is what stops an attacker from having codes delivered to a URL they control, so register the specific HTTPS callback URL rather than a broad prefix.

Post Logout Redirect Uri

The URL to which the user will be redirected after they log out from the application. This field is optional.

Proof Key for Code Exchange (PKCE)

A checkbox to enable PKCE (Proof Key for Code Exchange) for additional security. PKCE mitigates authorization code interception: the client sends a hashed `code_challenge` with the authorization request and must present the matching `code_verifier` when it exchanges the code, so a code captured on its own cannot be redeemed. When this box is checked, PKCE is required: authorization requests must carry a code challenge and token requests without a valid code verifier are rejected.
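What the PKCE checkbox requires of the application, shown from both sides as an added example that is not part of the Hideez documentation. The endpoint URL, Client Id and Redirect Uri are placeholders (in practice the endpoint comes from the IdP's discovery document and the other two from the client created above); no network requests are made. `DEMO_VERIFIER` is the published RFC 7636 Appendix B test vector.

```python
"""PKCE (RFC 7636) from both sides of the authorization code flow.

Added example, not code from the Hideez documentation. The endpoint URL,
client_id and redirect_uri are placeholders; no network requests are made.
The client-side functions produce the values that go into the authorization
request and the token request; `server_checks_code_verifier` is the check
the authorization server performs when the code is redeemed.
"""
import base64
import hashlib
import secrets
import urllib.parse

# Placeholders: the real endpoint comes from the IdP's discovery document,
# the Client Id and Redirect Uri from the client created in the console.
AUTHORIZE_ENDPOINT = "https://idp.example.com/connect/authorize"
CLIENT_ID = "my-client-id"
REDIRECT_URI = "https://app.example.com/callback"

# RFC 7636 Appendix B test vector (its S256 challenge is E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM).
DEMO_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy secret the client keeps in the user's session (43 chars here)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorization_url(code_challenge: str, state: str, nonce: str) -> str:
    """Authorization request: only the challenge travels through the browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must match the registered Redirect Uri exactly
        "scope": "openid profile email",
        "state": state,                # CSRF protection, checked on the callback
        "nonce": nonce,                # echoed in the ID token, checked there
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def token_request_body(code: str, code_verifier: str) -> dict:
    """Back-channel token request: only now is the verifier revealed, over TLS."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def server_checks_code_verifier(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server side: recompute the challenge and compare in constant time."""
    if stored_method != "S256":  # 'plain' gives no protection against interception
        return False
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def interception_attack_succeeds(stored_challenge: str) -> bool:
    """An attacker who captured the code but not the verifier cannot redeem it."""
    return server_checks_code_verifier(stored_challenge, "S256", make_code_verifier())


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(build_authorization_url(challenge, state=secrets.token_urlsafe(16), nonce=secrets.token_urlsafe(16)))
    # The server stored `challenge` alongside the code it issued.
    print("legit client:", server_checks_code_verifier(challenge, "S256", verifier))
    print("attacker with stolen code:", interception_attack_succeeds(challenge))
```

The verifier never leaves the application's server-side session until the token request, which goes directly to the token endpoint over TLS; the browser and any redirect handler only ever see the SHA-256 challenge, which is why an intercepted code is useless without it.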
