How does OpenIdConnect work

OpenId is the protocol to negotiate authentication and get back an access token that your app can verify comes from your OpenId authority so that you may trust the information in the ticket - like the user-email maybe - or some claim that the user is admin or the like.

OpenIdConnect is a standard built on top of OpenId that makes setup much easier.

Even if every OpenId Authority has its own naming on endpoints, etc - they can explain what their own way is in the OpenIdConnect contract:

https://<OpenIdAuthority>/.well-known/openid-configuration

For AzureAD, this is: https://login.microsoftonline.com/{tennantid}/.well-known/openid-configuration

Debugging

If you have setup issues and need to debug where the issue lies, this is a great way:

https://docs.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/app-aad-token

You can use the browser to mimic the calls that will be done. The first call to the OpenIdConnect authority is to get a "one-time" code. The Authority will respond with a redirect to the callback URL WITH AN APPENDED code.

It is this code you use to get the AccessToken.

2020-09-13 11h46 55.png

This is what we write to the Turnkey log regarding the OpenIdConnect flow:


          Notifications = new OpenIdConnectAuthenticationNotifications 
          {
            AuthenticationFailed = context =>
            {
              Common.CentralLogging("OpenId AuthenticationFailed " + context.Exception.Message);
...
            },
            AuthorizationCodeReceived = context =>
            {

              Common.CentralLogging("OpenId AuthorizationCodeReceived0 ");
              Common.CentralLogging("OpenId AuthorizationCodeReceived1 " + context.Code);
              Common.CentralLogging("OpenId AuthorizationCodeReceived2 " + context.Code + " " + context.AuthenticationTicket.Identity.GetUserName());
...
            },
            SecurityTokenValidated = context =>
            {
              Common.CentralLogging("OpenId SecurityTokenValidated " + context.Options.Description);
...
            },
            RedirectToIdentityProvider = context =>
            {
              Common.CentralLogging("OpenId RedirectToIdentityProvider1 " + context.Options.RedirectUri);
              Common.CentralLogging("OpenId RedirectToIdentityProvider2 " + context.Options.ResponseType);
...
            },
            SecurityTokenReceived = context =>
            {
              Common.CentralLogging("OpenId SecurityTokenReceived ");
...
            },
            MessageReceived = context =>
            {
              Common.CentralLogging("OpenId MessageReceived ");
...
            }
          }
        };

Findings

Usually, you register a callback URL to where you want to end up after successful login. The IdentityProvider(IDP) will send an answer to the calling page with a redirect back to us using this URL, but with appended ?code=xxxx. However, if the request from the IDP lacks a referrer or other details, the middleware will not understand that this is the call that is the callback from the IDP for a login request. To help the middleware understand that the callback really is a login request and should be treated as such, you can send in a redirect URL ending with /signin-oidc - this way the middleware cannot miss what it is supposed to do.

This page was edited 150 days ago on 06/17/2024. What links here