Beginner's Guide to OIDC Authentication
What Is OIDC Authentication?
OIDC (OpenID Connect) is an authentication protocol built on the OAuth 2.0 family of specifications. It uses JSON (JavaScript Object Notation) and is designed to authenticate end-users. OIDC gives clients a secure way to verify the identity of a user based on the authentication performed by an authorization server, and it lets the client obtain basic profile information about that user in an interoperable, REST-like manner.
In layman's terms, OIDC authentication verifies a user's identity after logging into an application. It essentially answers the question, "Who is this user?" This is achieved by providing a set of standard ways to communicate both authentication and user information.
OIDC Core Terminology
To fully understand OIDC authentication, it's crucial to familiarize yourself with some core terminology. This includes tokens, claims, and scopes.
Tokens
In the context of OIDC authentication, a token is a cryptographically signed piece of information issued by the OpenID Provider. Depending on its type, a token either proves that the user was authenticated or lets the client make authorized API requests on the user's behalf. There are three types of tokens: ID Tokens, Access Tokens, and Refresh Tokens.
ID Tokens are JSON Web Tokens (JWT) that contain claims about the authentication of an end-user by an authorization server. Access Tokens are credentials used to access protected resources. Lastly, Refresh Tokens are credentials used to obtain new access tokens once the current one expires.
Claims
Claims are pieces of information asserted about a user and are represented as key-value pairs. They are packaged in a token and can include details such as the user's name, email, and more. The OpenID specification defines a set of standard claims, but additional claims can be defined by applications as required.
Scopes
Scopes in OIDC Authentication are strings that specify what access privileges are being requested. They essentially determine the set of user information or permissions that an application is requesting. Standard scopes include openid, profile, email, among others.
High-Level Overview of the OIDC Authentication Flow
Now that we've covered the basic terminology, let's take a look at the overall OIDC Authentication flow:
The process begins when the client (an application requiring user authentication) sends an authentication request to the OpenID Provider (OP).
Upon receiving the request, the OP authenticates the user. This could involve prompting the user for credentials or using existing session information if the user is already logged in.
Once the user is authenticated, the OP returns an ID token and an Access Token to the client (directly, or, in the Authorization Code Flow, in exchange for a short-lived authorization code).
The client can then parse and validate the ID token to obtain the user's information. The Access Token can be used to access protected resources.
What Is an OpenID Connect Provider?
An OpenID Connect Provider (OP) is a service that allows users to authenticate using OIDC. The OP is responsible for managing user identities and issuing tokens to clients.
There are many OPs out there, including Google, Microsoft, and Auth0. When choosing an OP, it's important to consider factors like ease of use, compliance with OIDC standards, and the security measures the provider has in place.
Best Practices to Implement OIDC Authentication
Use Secure and Tested Libraries
The first step in implementing OIDC authentication is to select a library that will handle the heavy lifting for you. It’s always best to use a library that has been thoroughly vetted by the community. These libraries have been tested for various security vulnerabilities and are regularly updated to patch any identified issues.
When choosing a library, look for one that is widely used and maintained by a reputable organization. Libraries like oidc-client (for JavaScript) and IdentityModel.OidcClient (for .NET) are excellent choices. They are widely used, highly rated, and have a long track record of providing secure OIDC functionality.
Store Secrets Securely
When you register your application with an OIDC provider, you're usually given a client ID and a client secret. These are critical pieces of information that must be stored securely.
Handling secrets in a secure manner is a challenge that developers often face. It's not uncommon to see secrets hardcoded in the source code or stored in configuration files that are accidentally checked into version control. To avoid such pitfalls, use secret management tools such as HashiCorp Vault. These tools not only provide a secure place to store your secrets but also offer features like automatic rotation of secrets.
Validate All Tokens
OIDC authentication is based on tokens. When a user logs in, they're issued an ID token and an access token. The ID token contains information about the user, while the access token is used to access protected resources.
It's crucial to validate these tokens before using them. This includes checking the signature to ensure the token was issued by a trusted authority, verifying the issuer and audience to make sure they match your expectations, and checking the expiration time to ensure the token hasn't expired.
Use Authorization Code Flow with PKCE
In OIDC, there are multiple flows you can use, including Implicit Flow, Authorization Code Flow, and Hybrid Flow. However, it is usually recommended to use Authorization Code Flow with Proof Key for Code Exchange (PKCE).
Authorization Code Flow with PKCE provides a high level of security, making it suitable for all types of applications, including web applications, mobile applications, and even desktop applications. It mitigates several attack vectors, including the Authorization Code Interception attack.
Validate Redirect URIs
When a user attempts to log in, the OIDC provider redirects them to a specified URI after they've authenticated. It's essential to validate these redirect URIs to prevent unauthorized redirection.
This means only allowing redirection to URIs that you know and trust. Any attempt to redirect to an unknown or untrusted URI should be blocked. This can prevent attacks where an attacker tries to steal your tokens by redirecting users to a malicious site.
Conclusion
OpenID Connect (OIDC) authentication offers a secure framework for authenticating users and accessing their profile information across applications and services. By understanding the core concepts of tokens, claims, and scopes, and following the high-level authentication flow, developers can integrate OIDC into their applications to improve both security and user experience.
Choosing the right OpenID Connect Provider (OP) and adhering to best practices, such as using secure libraries, securely storing secrets, validating tokens, opting for Authorization Code Flow with PKCE, and validating redirect URIs, are crucial steps in implementing OIDC authentication effectively. With these guidelines, you can ensure that your application not only provides a seamless user authentication experience but also maintains high standards of security and data integrity.