Configuring Support for OpenID Connect Request Objects

ActivID Appliance supports signed and/or encrypted OpenID request objects.

You need to configure the OpenID client with a ‘Signing certificate’ and/or an ‘Encryption certificate’.

ActivID Appliance uses the signing certificate to verify the client's signed request objects, and the encryption certificate to encrypt the ID Token and UserInfo responses returned to that client.

For further information about Request Objects, go to http://openid.net/specs/openid-connect-core-1_0.html#RequestObject

Passing Request Parameters as JWTs

The OpenID client sends the Authorization Request to the authentication endpoint.

The following is a non-normative example of an Authorization Request using the request parameter:

https://[base-server-url]/{tenant}/authn/login?
    response_type=code
    &client_id=OpenID_admin
    &redirect_uri=http://localhost&scope=openid%20profile
    &request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ew0KICJpc3MiOiA
    iczZCaGRSa3F0MyIsDQogImF1ZCI6ICJodHRwczovL3NlcnZlci5leGFtcGxlLmN
    vbSIsDQogInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsDQogImNsaWV
    udF9pZCI6ICJzNkJoZFJrcXQzIiwNCiAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8
(…)
    jT_cMnNIznW9E7CDyWXTsO70xnB4SkG6pXfLSjLLlxmPGiyon_-Te111V8uE83Il
    zCYIb_NMXvtTIVc1jpspnTSD7xMbpL-2QgwUsAlMGzw

The request parameter carries a request object: a JWT whose payload holds the authorization request parameters (shown below in clear text) and which is signed and/or encrypted.

For example:

{
   "iss": "s6BhdRkqt3",
   "aud": "https://server.example.com",
   "response_type": "code",
   "client_id": "s6BhdRkqt3",
   "redirect_uri": "https://client.example.org/cb",
   "scope": "openid",
   "state": "af0ifjsldkj",
   "nonce": "n-0S6_WzA2Mj"
}

Request Parameter Validation

The request object validation process is as follows:

  1. If the request object is encrypted, decrypt it (the client must encrypt it with the encryption certificate returned by the jwks endpoint, identified by the enc key use).

  2. Read the client id from the (decrypted) request object and check that this client is registered.

  3. If the request object is signed, fetch the signing certificate previously registered for that client and verify the signature with it.

  4. If the signature is valid, extract the claims from the request object.

These claims take precedence over the parameters passed in the HTTP query string.

If validation fails, the user agent is redirected to the redirect URI with the OpenID Error Object carried in the HTTP response.

Sample error response

http://localhost/?error_description=Invalid+request+Invalid+client+s6BhdRkqt3&error=invalid_request

Signature and Encryption in Response

The ID Token, UserInfo Response, Request Object, and Client Authentication JWT values can use JSON Web Signature (JWS) to sign their contents in order to guarantee the integrity of the message and authenticate the originator of the message.

To achieve message confidentiality, these values can also use JSON Web Encryption (JWE) to encrypt their contents.

Endpoints that support encryption and signature are:

  • token endpoint - if an ID Token is included in the response (for example, when requested by the "openid" scope), the ID Token is always signed by the ActivID Appliance signing certificate (which can be obtained from the jwks endpoint, identified by the sig key use) and, optionally, encrypted with the client's encryption certificate using the configured algorithm (if no algorithm is configured, the response is not encrypted).
  • userInfo endpoint – the UserInfo Response can be signed by the ActivID Appliance signing certificate (which can be obtained from the jwks endpoint, identified by the sig key use) and, optionally, encrypted with the client's encryption certificate using the configured algorithm (if no algorithm is configured, the response is not encrypted).

The UserInfo Response can also be left unsigned.

The encrypting party MUST select an encryption algorithm based on the algorithms supported by the recipient. The recommended algorithm is RSA-OAEP-256.
