OpenID Connect concepts and terms

This topic describes OpenID Connect (OIDC) concepts and terms.

The main participants in the OIDC protocol, and the role of the EAA IdP, are:

  • End user. The end user is the entity for whom we are requesting identity information. In OAuth 2.0 this refers to the resource owner. One of the resources they own is their own identity.
  • Relying party (RP). The client application that supports OAuth 2.0 and relies on the OpenID provider to authenticate the end user and request claims about that user. In this case, the custom SaaS application or access application in EAA is the RP or client.
  • OpenID provider (OP). The OpenID provider is an OAuth 2.0 authorization server which offers authentication as a service. It ensures the end user is authenticated and provides claims about the end user and the authentication event to the relying party. The identity provider provides the relying party information about the end user through identity tokens. When you add the application in EAA, you configure EAA or the Akamai identity provider as the OP.
  • Tokens. Different types of tokens are exchanged between the participants to verify the identity or provide access permissions. A token establishes a user’s identity during a transaction. These common token types are supported:
    • ID token. Similar to an ID card or passport, it contains many required attributes or claims about the user. It is a JSON web token (JWT) digitally signed using a JSON web signature for a high level of security.
    • Access token. Gives permission to the client application to obtain end-user owned resources from a resource server. It is an opaque token that is validated by fetching user claims from the UserInfo endpoint.
  • Scope. Claims and scopes are used to supply the client application with consented user details. A scope references a set of claims and identifies what information is requested to authenticate the user. The scope and claim are defined when you configure the SaaS application or access application that supports OIDC in EAA. These scopes are available for OIDC:
    • profile (includes attributes or claims such as name, nickname, family-name, and more)
    • email
    • address
    • phone
    • custom scope
  • Claim. A claim is a statement about the end user and the authentication event for the user. These are attributes that define the scope. For example, the profile scope contains claims such as name or nickname. In the EAA Akamai IdP, you can configure a set of claims that identify the end user and are delivered to the relying party.
  • Endpoints. The different endpoints or URI locations on the OP or RP that are used for OpenID protocol communication using REST methods are:
    • Discovery endpoint. OP endpoint that allows the client (SaaS application or access application) to discover OpenID features and other endpoints on the OP. This information is published at the fixed location https://<idp-hostname>/.well-known/openid-configuration, where <idp-hostname> is the hostname of the OP. In this case, the OP is EAA or the Akamai identity provider.
    • Authorization endpoint. OP endpoint where the end user is asked to authenticate and grant the client application consent to access their identity and any other required information such as email or address. This extra information is called user info claims. Once consent is given, this endpoint passes back an authorization code. This is the endpoint in which the end user indirectly interacts with the identity provider through a user agent, for example a browser.
    • Token endpoint. OP endpoint where the client application requests tokens and is authenticated. It also exchanges the authorization code from the authorization endpoint for an ID token, an access token, and an optional refresh token. In EAA, the refresh token is valid for five minutes.
    • UserInfo endpoint. OP endpoint where the client sends requests for identity claims. The UserInfo endpoint is an OAuth 2.0 protected resource that is used by the identity provider to return consented user information or claims to the client application, provided that a valid access token is presented. No client ID or secret is required at this endpoint.
    • Redirect endpoint. RP endpoint that is pre-registered or configured in EAA. This is where the OP sends authentication responses.
    • JSON web key (JWK) endpoint. This is a common endpoint present in both the OP and the RP. Here the JSON web keys that are necessary to decrypt and validate the ID token are published.
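
As an added example (not Akamai's code), the Python check below shows how a relying party can sanity-check the document returned by the discovery endpoint before trusting the endpoints it lists. The hostname idp.example.com, the endpoint paths and the same-host policy are assumptions made for the illustration; the metadata field names are those defined by OpenID Connect Discovery, and the check expects the four OP endpoints described above.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
ENDPOINTS = ("authorization_endpoint", "token_endpoint",
             "userinfo_endpoint", "jwks_uri")

def check_discovery(discovery_url, document):
    """Return a list of problems found in an OP discovery document (JSON text)."""
    if not discovery_url.endswith(WELL_KNOWN):
        return ["discovery URL does not end with " + WELL_KNOWN]
    expected_issuer = discovery_url[:-len(WELL_KNOWN)]
    op_host = urlsplit(expected_issuer).hostname
    meta = json.loads(document)
    problems = []
    # OIDC Discovery: issuer must equal the URL prefix the document came from.
    if meta.get("issuer") != expected_issuer:
        problems.append("issuer mismatch: %s" % meta.get("issuer"))
    for key in ENDPOINTS:
        value = meta.get(key)
        if not value:
            problems.append("missing " + key)
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(key + " is not https")
        # Assumed local policy: every endpoint lives on the OP hostname.
        if parts.hostname != op_host:
            problems.append(key + " is on another host")
    # An OP that advertises "none" would issue unsigned ID tokens.
    if "none" in meta.get("id_token_signing_alg_values_supported", []):
        problems.append("alg none advertised for ID tokens")
    return problems

# Constructed sample data: hostname and endpoint paths are placeholders.
URL = "https://idp.example.com" + WELL_KNOWN
GOOD = {"issuer": "https://idp.example.com",
        "authorization_endpoint": "https://idp.example.com/authorize",
        "token_endpoint": "https://idp.example.com/token",
        "userinfo_endpoint": "https://idp.example.com/userinfo",
        "jwks_uri": "https://idp.example.com/jwks",
        "id_token_signing_alg_values_supported": ["RS256"]}
BAD = dict(GOOD, issuer="https://idp.example.net",
           token_endpoint="http://idp.example.com/token",
           id_token_signing_alg_values_supported=["RS256", "none"])
del BAD["jwks_uri"]

if __name__ == "__main__":
    print(check_discovery(URL, json.dumps(GOOD)))
    for problem in check_discovery(URL, json.dumps(BAD)):
        print("-", problem)
```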