Supported OpenID Connect specifications
The OpenID Connect specifications or standards that are supported are:
- OpenID Connect Core. Authentication built upon OAuth 2.0 that uses attributes (claims) to gather information about the user. These authentication flows are supported as part of this specification:
  - Authorization Code Flow. In this flow, the OpenID provider (OP) delivers an authorization code to one of the redirect URI endpoints that you or an administrator registers for the client. The client (SaaS application) then exchanges the code for an access token and an ID token at the token endpoint over a back channel. That exchange uses transport layer security (TLS), and the OP authenticates the client with its client ID and client secret before it issues tokens. The tokens therefore never pass through the user agent (web browser). Of the two flows, this one is considered the most secure.
  - Implicit Flow. In this flow, access tokens and ID tokens are returned to the client (SaaS application) through the user agent, without the OP authenticating the client. Only the registered redirect URI is used to confirm the client's identity, and the tokens are exposed to the browser in the redirect response. Use the Authorization Code Flow, with PKCE, wherever the client can support it.
- OpenID Connect Discovery. Process for discovering the OP's endpoints (authorization, token, JSON Web Key Set, and so on) by fetching the discovery metadata document from the issuer's /.well-known/openid-configuration URL.
- OpenID Connect Session Management 1.0. Defines how to monitor an end user's session at the OP and determine when the end user is logged out. For example, if the end user logs out of the OP, the end user must also be logged out of the application (relying party).
- OpenID Connect Front-Channel Logout 1.0. Sends logout requests through a user agent from the OpenID provider to the application (relying party).
- Request for Comments (RFC) 7636, Proof Key for Code Exchange (PKCE). The client generates a fresh random code verifier for each authentication transaction, sends a SHA-256 hash of it (the code challenge) with the authorization request, and presents the verifier itself when it redeems the authorization code at the token endpoint. An authorization code that is intercepted in transit therefore cannot be exchanged for tokens without the matching verifier.
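The Authorization Code Flow with PKCE described above, as an added example. This is not code from the original page or from the product it documents: the OpenID provider is a hypothetical in-memory stand-in (`ToyOpenIDProvider`), the client ID `saas-app`, the secret `s3cret` and the `op.example` and `app.example` URLs are made up, and a real OP would speak HTTPS and return a signed JWT as the ID token. It shows the pieces the text names: RFC 7636 verifier and challenge generation, the registered redirect URI check, client authentication at the token endpoint, single-use codes, and the `state` and `nonce` checks the relying party performs.

```python
import base64
import hashlib
import secrets
import urllib.parse


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 section 4.2."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_code_verifier() -> str:
    """32 random bytes give 43 unreserved characters, within the 43..128 range RFC 7636 allows."""
    return b64url(secrets.token_bytes(32))


def query_params(url: str) -> dict:
    """Flatten the query string of a URL into {name: value}."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}


def build_authorization_url(authorization_endpoint, client_id, redirect_uri,
                            state, nonce, code_challenge, scope="openid profile"):
    """Front-channel request: the relying party redirects the browser to this URL."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state, "nonce": nonce,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urllib.parse.urlencode(params)}"


class ToyOpenIDProvider:
    """Hypothetical in-memory stand-in for the OP's authorization and token endpoints."""

    def __init__(self, client_id, client_secret, redirect_uris):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uris = set(redirect_uris)   # URIs registered for the client
        self._codes = {}                          # code -> (redirect_uri, code_challenge, nonce)

    def authorize(self, url: str) -> str:
        """Authorization endpoint: returns the redirect back to the client carrying code and state."""
        q = query_params(url)
        if q.get("response_type") != "code" or q.get("client_id") != self.client_id:
            raise ValueError("invalid_request")
        if q.get("redirect_uri") not in self.redirect_uris:
            raise ValueError("invalid_request: unregistered redirect_uri")
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("invalid_request: PKCE with S256 is required")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (q["redirect_uri"], q["code_challenge"], q["nonce"])
        return f"{q['redirect_uri']}?{urllib.parse.urlencode({'code': code, 'state': q['state']})}"

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier) -> dict:
        """Token endpoint: authenticate the client, then bind the code to redirect_uri and verifier."""
        if client_id != self.client_id or not secrets.compare_digest(client_secret, self.client_secret):
            raise PermissionError("invalid_client")
        bound = self._codes.pop(code, None)       # pop: an authorization code is single-use
        if bound is None:
            raise PermissionError("invalid_grant: unknown or already redeemed code")
        bound_redirect, challenge, nonce = bound
        if redirect_uri != bound_redirect or s256_challenge(code_verifier) != challenge:
            raise PermissionError("invalid_grant: redirect_uri or code_verifier mismatch")
        # A real OP returns a signed JWT as the ID token; a dict is enough to show the nonce round trip.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "id_token": {"iss": "https://op.example", "aud": client_id, "nonce": nonce}}


def run_authorization_code_flow(op, client_id, client_secret, redirect_uri):
    """Relying-party side of the flow. Returns (tokens, code) so callers can inspect the exchange."""
    state, nonce, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(16), new_code_verifier()
    url = build_authorization_url("https://op.example/authorize", client_id, redirect_uri,
                                  state, nonce, s256_challenge(verifier))
    back = query_params(op.authorize(url))        # browser returns with ?code=...&state=...
    if not secrets.compare_digest(back.get("state", ""), state):
        raise ValueError("state mismatch: possible CSRF")
    tokens = op.token(client_id, client_secret, back["code"], redirect_uri, verifier)  # back channel
    if tokens["id_token"]["nonce"] != nonce:
        raise ValueError("nonce mismatch: ID token was not minted for this request")
    return tokens, back["code"]


if __name__ == "__main__":
    op = ToyOpenIDProvider("saas-app", "s3cret", ["https://app.example/callback"])
    tokens, _ = run_authorization_code_flow(op, "saas-app", "s3cret", "https://app.example/callback")
    print(tokens["token_type"], tokens["id_token"]["aud"])
```

The order of checks in `token` is deliberate: client authentication comes first, then the code is popped so that a replayed code fails even if the rest of the request is valid, and finally the redirect URI and the PKCE verifier are compared against what the code was bound to at the authorization endpoint. Without `code_verifier`, a code captured on the front channel cannot be redeemed, which is the property RFC 7636 adds.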
Currently, these optional OpenID Connect specifications are not supported:
- Refresh Tokens
- Offline Access
- Claims Locales
For more details about the OpenID Connect specification, see the OpenID Connect specification.
For more details about the OAuth 2.0 specification, see the OAuth 2.0 specification.