OpenID Connect
OpenID Connect is a standard built on top of OAuth 2.0. It adds user authentication to the OAuth 2.0 authorization flows, lets clients obtain user identity attributes in an interoperable manner, and supports managing multiple sessions. It is intended as a lightweight, modern, JSON-based alternative to SAML.
The OpenID Connect specification defines a Relying Party (RP) as an OAuth 2.0 client that requires user authentication, and an OpenID Provider (OP) as an OAuth 2.0 authorization server that performs this authentication. After a successful authentication, the OpenID provider issues an ID token. The ID token is a signed JSON Web Token (JWT) whose payload is a set of claims: user identity attributes such as the subject identifier, together with claims about the authentication itself (issuer, audience, expiry, nonce) that the relying party must validate before it trusts the token.
The OneWelcome Identity Platform acts as an OpenID provider: it runs the authentication flow and issues and manages the ID tokens. It does not manage the identities itself; the actual authentication is delegated to an identity provider.
Discovery API
The OneWelcome Identity Platform implements OpenID Connect Discovery, which enables a relying party to determine the capabilities of the OpenID provider at runtime. See the Discovery API.
User info API
The OneWelcome Identity Platform exposes claims using the user info endpoint. See the User info API.
JSON Web Key Set
The OneWelcome Identity Platform publishes the public keys that relying parties use to verify the digital signature of the ID token on the JSON Web Key Set (JWKS) endpoint. The URL of this endpoint is advertised as jwks_uri in the discovery document.
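As an added example (not OneWelcome code, and not the platform's own API), the checks a relying party performs on an ID token once it has the key set: selecting the key by kid, verifying the signature, and only then validating the claims listed in the ID token description above. The issuer URL, client_id, key identifiers and the key set are constructed for the example. It signs with HS256 (client-secret keyed HMAC, which OpenID Connect Core permits) so that it runs with the Python standard library alone; with a real OP the JWKS carries RSA or EC public keys and only the signature primitive differs, the claim checks are unchanged.

```python
"""Relying-party side validation of an OpenID Connect ID token (added example)."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed values standing in for what the RP learns from the discovery
# document (issuer) and from its client registration (client_id). Hypothetical.
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-id"

# Constructed key set in the shape of a JWKS document. Symmetric "oct" keys are
# used only so the example runs with the standard library; a real OP publishes
# RSA/EC public keys here and never exposes the private half.
JWKS = {
    "keys": [
        {"kty": "oct", "kid": "2024-01", "alg": "HS256", "k": b64url_encode(b"client-secret-2024")},
        {"kty": "oct", "kid": "2023-07", "alg": "HS256", "k": b64url_encode(b"client-secret-2023")},
    ]
}


class IdTokenError(Exception):
    """Any reason the RP must refuse the token."""


def mint_id_token(claims: dict, kid: str, key: bytes, alg: str = "HS256") -> str:
    """Produce a token the way an OP would; only here to build test input."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def tamper_payload(token: str, **changes) -> str:
    """Rewrite claims of an existing token without re-signing (what an attacker can do)."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(changes)
    return f"{h}.{b64url_encode(json.dumps(claims).encode())}.{s}"


def validate_id_token(token: str, jwks: dict, issuer: str, client_id: str, nonce: str, now: int) -> dict:
    """Return the verified claims or raise IdTokenError (the checks of OIDC Core 3.1.3.7)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("token must have three segments")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # The RP decides which algorithms it accepts. The header is attacker-controlled
    # until the signature is verified, so "none" and unexpected algs are refused here.
    if header.get("alg") != "HS256":
        raise IdTokenError("unsupported alg")
    # Select the key by kid. An unknown kid usually means the OP rotated its keys;
    # re-fetch the JWKS once before treating it as an error.
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("alg") == "HS256"), None)
    if jwk is None:
        raise IdTokenError("no key for kid")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise IdTokenError("bad signature")
    # Only now is the payload trustworthy enough to read.
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud:
        raise IdTokenError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp does not match client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise IdTokenError("token expired")
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch")  # replayed or injected token
    return claims


def rejection_reason(token: str, nonce: str, now: int) -> Optional[str]:
    """The error message, or None when the token is accepted."""
    try:
        validate_id_token(token, JWKS, ISSUER, CLIENT_ID, nonce, now)
        return None
    except IdTokenError as e:
        return str(e)


NOW = 1_700_000_000  # fixed clock so results are reproducible
GOOD_CLAIMS = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "exp": NOW + 300, "iat": NOW, "nonce": "n-1"}

if __name__ == "__main__":
    tok = mint_id_token(GOOD_CLAIMS, "2024-01", b"client-secret-2024")
    print(validate_id_token(tok, JWKS, ISSUER, CLIENT_ID, "n-1", NOW)["sub"])
```

The order matters: algorithm pinning and signature verification come before any claim is read, because everything in the payload is attacker-controlled until then. The nonce value compared here is the one the RP generated for the authentication request and stored in the user's session, which is what ties the returned token to that request.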
ID token encryption (JSON Web Encryption)
The ID token can be encrypted (JSON Web Encryption) so that sensitive claims are readable only by the relying party that holds the decryption key. This feature is turned off by default. See ID token encryption.
Session management
The OneWelcome Identity Platform supports session management. See session management.