ActivID Appliance supports signed and/or encrypted OpenID request objects.
You need to configure the OpenID client with a ‘Signing certificate’ or/and ‘Encryption certificate’.
ActivID Appliance will then encrypt the ID Token and UserInfo responses.
For further information about Request Objects, go to http://openid.net/specs/openid-connect-core-1_0.html#RequestObject
Passing Request Parameters as JWTs
The OpenID client sends the Authorization Request to the authentication endpoint.
The following is a non-normative example of an Authorization Request using the request parameter:
https://[base-server-url]/{tenant}/authn/login?
response_type=code
&client_id=OpenID_admin
&redirect_uri=http://localhost&scope=openid%20profile
&request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ew0KICJpc3MiOiA
iczZCaGRSa3F0MyIsDQogImF1ZCI6ICJodHRwczovL3NlcnZlci5leGFtcGxlLmN
vbSIsDQogInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsDQogImNsaWV
udF9pZCI6ICJzNkJoZFJrcXQzIiwNCiAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8
(…)
jT_cMnNIznW9E7CDyWXTsO70xnB4SkG6pXfLSjLLlxmPGiyon_-Te111V8uE83Il
zCYIb_NMXvtTIVc1jpspnTSD7xMbpL-2QgwUsAlMGzwThe request parameter is signed or/and encrypted as a request object (originally in clear text).
For example:
{
"iss": "s6BhdRkqt3",
"aud": "https://server.example.com",
"response_type": "code",
"client_id": "s6BhdRkqt3",
"redirect_uri": "https://client.example.org/cb",
"scope": "openid",
"state": "af0ifjsldkj",
"nonce": "n-0S6_WzA2Mj",
}Request Parameter Validation
The request object validation process is as follows:
-
Decrypt the request object if it is encrypted (the request should be encrypted with the encryption certificate return by the jwks endpoint, identified by the enc key use).
-
Get the client id from request object (decrypted), and then validate the id if the client is registered.
-
If the request object is signed, get the signing certificate previously registered, to verify the signature.
-
If the signature is verified, extract the claims from the request object.
These claims overwrite the parameters passed by HTTP query.
The error is redirected to redirectURI with the OpenID Error Object in the HTTP Response.
Sample error response
http://localhost/?error_description=Invalid+request+Invalid+client+s6BhdRkqt3&error=invalid_requestSignature and Encryption in Response
The ID Token, UserInfo Response, Request Object, and Client Authentication JWT values can use JSON Web Signature (JWS) to sign their contents in order to guarantee the integrity of the message and authenticate the originator of the message.
To achieve message confidentiality, these values can also use JSON Web Encryption (JWE) to encrypt their contents.
Endpoints which support encryption and signature are:
- token endpoint - if an ID Token is included in the response (for example, when demanded by the "openid" scope), the ID Token is always signed by the ActivID Appliance signing certificate (which can be obtained from the jwks endpoint, identified by the sig key use), and, eventually encrypted by the client's encryption certificate with the configured algorithm (if an algorithm not configured, the response is not encrypted).
- userInfo endpoint – the UserInfo Response is can be signed by the ActivID Appliance signing certificate (which can be obtained from the jwks endpoint, identified by the sig key use), and, eventually encrypted by the client's encryption certificate with the configured algorithm (if an algorithm not configured, the response is not encrypted).
It can also be unsigned.
The encrypting party MUST select an encryption algorithm based on the algorithms supported by the recipient. The recommended algorithm is RSA-OAEP-256.
Topics in this section:
