OpenID Connect

OpenID Connect is a simple standardized identity (authentication) layer on top of OAuth 2.0.

Discovery and configuration

All you need to know in order to configure your OpenID Connect client for the Dataporten platform is available through the discovery endpoint:

Client registration

In order to access the Dataporten APIs, you first need to register your application and obtain OAuth credentials for it.

You may register your application using the Dataporten Dashboard.

When registering a client, you need to know the OpenID Connect redirect URI endpoint of your application.

Scopes

In order to use OpenID Connect you need to have the openid scope. This can be selected in the Dataporten dashboard.

OpenID Connect also defines a few other standard scopes. Of these, the profile and email scopes are supported by Dataporten. Depending on your application, these should also be added to your application in the Dataporten dashboard.

OpenID Specifications

Authentication

Dataporten enables OpenID Connect functionality on the same authorization endpoint as the one used for plain OAuth. OpenID Connect behaviour is triggered when the client requests a token with the scope openid.

Supported features

  • Authorization Code flow
    response_type: code
  • Implicit grant flow
    response_type: id_token token
  • ID token signed with PKI (RS256)

Dynamic registration is not supported.

Login hints - bypassing the login discovery page

The default behaviour when a client sends the end user to Dataporten for authentication is that the user first meets either the account chooser or the ID-provider discovery page.

Sometimes the client may want to let the user bypass the discovery page / account chooser and go directly to a specific ID provider. This is possible by passing the OpenID Connect login_hint parameter to the authorization endpoint.

The following prerequisites need to be met to use this functionality:

  • The client owner needs to configure the client to not require user interaction. This can be done in the Dataporten Developer Dashboard by unchecking the checkbox «Require user interaction».
  • Consider the security implications of allowing Single Sign-on to automatically log users in to your site without user interaction.
  • Make sure that the openid scope is enabled for the client. If not, the request is interpreted as a plain OAuth request, and the login hint functionality is not supported.

The login_hint parameter is sent as a query string parameter in the authentication request to Dataporten. The parameter may have one of these values:

feide|all

Automatically send the user to the Feide login page with no specific organization preselected. Feide will remember if the user has selected an organization previously.

feide|realm|uninett.no

Automatically send the user to the Feide login page with the specific organization UNINETT. UNINETT will then be preselected on the Feide login page.

feide|realm|uninett.no|andreas@uninett.no

Automatically send the user to the Feide login page with the specific organization UNINETT. UNINETT will then be preselected on the Feide login page. This form also specifies which user we expect to log in. If the user tries to log in with another account, the user gets a warning that this user was not expected, but the user ID is not enforced beyond that.

idporten

Automatically send the user to ID-porten.

JWT Signing key

The signing key may be obtained here:

ID Token

The ID token is a signed information object representing the authenticated identity of the user. As part of the OpenID Connect standard the ID token is encoded as a JWT, and signed using the JWS standard.

ID Token example

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvYXV0aC5kZXYuZmVpZGVjb25uZWN0Lm5vIiwiYXVkIjoiNWFjODc1M2YtODI5Ni00MWJmLWI5ODUtNTlkODk3NjkwMDVlIiwic3ViIjoiNzZhN2EwNjEtM2M1NS00MzBkLThlZTAtNmY4MmVjNDI1MDFmIiwiaWF0IjoxNDQ5MDY1NDMyLCJleHAiOjE0NDkwNjkwMzIsImF1dGhfdGltZSI6MTQ0OTA2NTM2NH0.bObvZ_Ampf_exj4iUcocptJwHKt_zZI4GnZ-VrXoqYlXaGGgwACzCzhSpck_z1C87gZYlOdK-TQwILHcGyObmi1rH5VCvrYL1xNyGeHYlYs8bQ8odhZAPiYjb9cet5nP1aP4ZeJu5aInWwLIaeVUgavQEVAl1xGiPRh8WjKZdP-P1WslLACnVZu84YLrOZQYnkGMpDS_VBGHVSK3VPVjRd14vhqYCoGTaKSXrp49LlejU0dzaokmGI_ZAejwVY1BCFMonEyDNwZVZKoq2GbHwqpjhucWOZRQjYzeWTEXlly18EwYg55k6awNPZt8fKp0XoRoTB4we5WGoFV6XZuaGA

ID Token JWT decoded

{
  "iss": "https://auth.dataporten.no",
  "aud": "5ac8753f-8296-41bf-b985-59d89769005e",
  "sub": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
  "iat": 1449065432,
  "exp": 1449069032,
  "auth_time": 1449065364
}
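Verifying a token like the one above is the client's responsibility: check that it is RS256-signed with Dataporten's published key and that iss, aud and exp match, before trusting any claim. This is an added example, not Dataporten's or any library's code. It assumes the public key has already been fetched from the signing-key location referenced under JWT Signing key, that aud is a single string as in the example, and it uses a constructed throwaway key so it runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// VerifyIDToken accepts a token only if it is RS256-signed by pub (alg "none" and HMAC are
// rejected) and iss, aud (this client's client_id) and exp match; claims are trusted only then.
func VerifyIDToken(tok string, pub *rsa.PublicKey, issuer, clientID string, now int64) (map[string]interface{}, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr, claims map[string]interface{}
	h, errH := b64.DecodeString(parts[0])
	p, errP := b64.DecodeString(parts[1])
	if errH != nil || errP != nil || json.Unmarshal(h, &hdr) != nil || json.Unmarshal(p, &claims) != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("invalid header/payload or unsupported alg")
	}
	// JWS signs the raw base64url text "header.payload", not the decoded JSON.
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	exp, ok := claims["exp"].(float64)
	if claims["iss"] != issuer || claims["aud"] != clientID || !ok || now >= int64(exp) {
		return nil, errors.New("iss, aud or exp check failed")
	}
	return claims, nil
}

// SignIDToken is a hypothetical stand-in for Dataporten's signing step (runs offline with a throwaway key).
func SignIDToken(claims map[string]interface{}) (string, *rsa.PublicKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"typ":"JWT","alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), &priv.PublicKey
}
```

A token whose aud is a JSON array, which the standard permits but this page's example does not show, is rejected by the aud comparison and would need an explicit array check.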

Userinfo

The userinfo endpoint is:

Example of a userinfo response:

GET /openid/userinfo HTTP/1.1
Authorization: Bearer 0f0935c3-a997-40fb-89c2-f7da126ba5d9

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{
    "sub": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
    "dataporten-userid_sec": [
        "feide:andreas@uninett.no"
    ],
    "name": "Andreas \u00c5kre Solberg",
    "email": "andreas.solberg@uninett.no",
    "email_verified": true,
    "picture": "https:\/\/api.dataporten.no\/userinfo\/v1\/user\/media\/p:a3019954-902f-45a3-b4ee-bca7b48ab507"
}

The set of information available from the userinfo endpoint depends on which scopes the client has been authorized for and requested in the authorization request.

Client libraries

Even though OpenID Connect is a relatively new technology, libraries already exist for most programming languages.

We are interested in feedback on your experience with various client libraries and how well they work with Dataporten.