OpenID Connect

From VZ Developer Wiki

OpenID Connect is an emerging protocol, built on OAuth 2.0, that lets sites register and log in users with the help of an external identity provider (here VZ). You can find more information on OpenID Connect at http://openidconnect.com/.

We currently implement the current draft of the specification for our Connect solution, without any of the discovery mechanisms it describes.

Note: Since OpenID Connect is still work in progress, parts of the specification may change in the future. We will implement such changes with a small delay, while trying to stay backwards compatible for a while. We will announce any changes via Twitter (http://twitter.com/VZ_API_NEWS) and the newsletter you receive if you signed up for a VZ Developer account. So if you want to use OpenID Connect, look out for these announcements and plan for changes in your API client accordingly.

To turn an OAuth 2.0 request into an OpenID Connect request, simply include "openid" as one of the requested scopes. See OAuth2 for a detailed description of the possible flows and client profiles.

When the "openid" scope is requested, the token response additionally contains the following data about the authorizing user:

  • user_id: URL to a Portable Contacts endpoint for this user, which can be accessed with the access token
  • issued_at: timestamp
  • signature: base64-encoded HMAC-SHA256 over the concatenation of the access token, issued_at and user_id, keyed with the client secret. Your backend must recompute and compare this value before trusting user_id.

You can verify this on your backend, e.g. in PHP:

// Base string in the order listed above: access token, issued_at, user_id.
// An earlier version of this snippet appended $expires_in and used 'sha1';
// the description above specifies HMAC-SHA256 over these three values. If
// verification fails with otherwise valid data, check which of the two the
// token endpoint actually signs.
$baseString = $access_token . $issued_at . $user_id;
$signature  = base64_encode(hash_hmac('sha256', $baseString, $clientSecret, true));
// hash_equals() compares in constant time; a plain !== leaks timing information.
if (!hash_equals($signature, $retrievedSignature)) {
    throw new Exception('invalid signature');
}

Verifying the signature is especially important if you are using the OAuth2 User-Agent Flow: there the access token and user identifier reach your backend via your JavaScript client (through a cookie or an Ajax call, depending on how you transport them), so without the signature check an attacker could replace the user identifier in that cookie or request and log in as any user. The signature binds user_id to the access token and the issuing time under your client secret, which the attacker does not have.
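As an added, backend-side example that is not VZ's own code, the following Python shows the client side of what this page describes end to end: building the authorization request with the "openid" scope, and verifying the signed token response before trusting user_id (the User-Agent Flow case above, where the JavaScript client hands the values to the backend). Assumed rather than taken from the wiki: the authorization endpoint and callback URLs (placeholders), the base string order (access token, issued_at, user_id, as listed above), the 300-second acceptance window for issued_at, and the compute_signature helper, which exists only to produce constructed test data that a provider would normally sign.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlencode


def build_authorize_url(endpoint, client_id, redirect_uri, scopes, state,
                        response_type="code"):
    """Build the OAuth 2.0 authorization request and make it an OpenID
    Connect request by ensuring "openid" is among the requested scopes.
    The endpoint URL is whatever your OAuth2 documentation gives you
    (the one used in the usage example below is a placeholder)."""
    scope_list = list(scopes)
    if "openid" not in scope_list:
        scope_list.append("openid")
    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scope_list),
        "state": state,  # CSRF protection for the callback, as in plain OAuth2
    }
    return endpoint + "?" + urlencode(params)


def compute_signature(client_secret, access_token, issued_at, user_id):
    """HMAC-SHA256 over access_token + issued_at + user_id (in that order,
    as listed in the description above), keyed with the client secret and
    base64-encoded. Used here to create test data; in production only the
    provider computes it and the backend recomputes it for comparison."""
    base_string = "{}{}{}".format(access_token, issued_at, user_id).encode("utf-8")
    mac = hmac.new(client_secret.encode("utf-8"), base_string, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_token_response(resp, client_secret, now=None, max_age=300):
    """Check a token response (dict) handed over by the JavaScript client.
    Returns (ok, reason). max_age is an assumed local policy: the wiki
    specifies no validity window for issued_at, but refusing old responses
    limits replay of a captured, validly signed response."""
    for key in ("access_token", "user_id", "issued_at", "signature"):
        if key not in resp:
            return False, "missing " + key
    expected = compute_signature(client_secret, resp["access_token"],
                                 resp["issued_at"], resp["user_id"])
    # Constant-time comparison: a plain != leaks how many leading bytes match.
    if not hmac.compare_digest(expected.encode("ascii"),
                               str(resp["signature"]).encode("utf-8")):
        return False, "invalid signature"
    try:
        issued = int(resp["issued_at"])
    except (TypeError, ValueError):
        return False, "issued_at is not an integer timestamp"
    now = int(time.time()) if now is None else now
    if issued > now + 60 or now - issued > max_age:
        return False, "issued_at outside accepted window"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data, not a real VZ response.
    secret = "client-secret-example"
    resp = {
        "access_token": "tok-abc123",
        "expires_in": 3600,
        "user_id": "https://example.invalid/contacts/42",
        "issued_at": 1300000000,
    }
    resp["signature"] = compute_signature(secret, resp["access_token"],
                                          resp["issued_at"], resp["user_id"])
    print(verify_token_response(resp, secret, now=1300000010))
    # An attacker who can edit the cookie swaps in another user's identifier:
    forged = dict(resp, user_id="https://example.invalid/contacts/7")
    print(verify_token_response(forged, secret, now=1300000010))
    print(build_authorize_url("https://example.invalid/oauth2/authorize", "my-client-id",
                              "https://rp.example.invalid/callback", ["profile"], "xyz"))
```

The forged response fails with "invalid signature" because user_id is part of the signed base string; changing the token or issued_at fails the same way. Note that expires_in is carried in the response but not covered by the signature as described above, so do not base any access decision on it without the signature check passing first.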