Support of OAuth 2.0/OpenID Connect Specifications

The following sections state which parts of the OpenID Connect and OAuth 2.0 specifications HID Authentication Service supports.

Supported Response Types

The HID Authentication Service server’s authorization endpoint supports the Authorization Code Flow (defined in the OpenID Connect Core specification, section 3.1), the Hybrid Flow (section 3.3) and, for the id_token response type alone, the Implicit Flow (section 3.2), with the following response types:

  • code
  • code id_token
  • id_token

It does NOT support the implicit and hybrid response types that return an access token directly from the authorization endpoint (every response type containing token):

  • id_token token
  • code token
  • code id_token token

Supported Grant Types

The HID Authentication Service server supports most of the core OAuth 2.0 grant types and also some HID-specific ones. The server can be configured to accept only a subset of these, either for the entire provider or per client. Restricting each client to the grant types it actually uses limits what a leaked client credential can be used for.

The following grant types are supported:

  • Proprietary grant types:

    • Client secret PKI (urn:hid:oauth:grant-type:client-secret-pki) – the client authenticates itself via a mutual TLS (mTLS) authentication connection to the token endpoint with the client certificate which is registered as a HID Authentication Service PKI credential during registration.

    • OTP via API (api_otp) - get an OTP (returned in the response) that you can then send to a user

    • CIBA delete request (ciba_delete) - to delete a pending push request

For further information, see OpenID Authentication Flows.

OpenID Connect Authentication Request Parameters

The HID Authentication Service server supports the following authentication request parameters defined by OAuth 2.0, PKCE and OpenID Connect. Of these, OpenID Connect Core makes response_type, client_id, scope and redirect_uri mandatory; nonce is mandatory for the response types that return an ID Token from the authorization endpoint (code id_token and id_token), and the rest are recommended or optional. state is only recommended by the specifications but should always be sent and checked, because it is the client’s CSRF protection for the redirect back.

  • Supported OAuth 2.0 parameters:

    • response_type

    • client_id

    • scope

    • redirect_uri

    • state

    • request

    • code_challenge (PKCE, RFC 7636)

  • Supported OpenID Connect parameters:

    • nonce

    • max_age

    • login_hint

    • acr_values

    • prompt

    • id_token_hint

    • request_uri
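The parameters above in use, as an added example that is not part of the HID documentation: a client builds a code-flow authorization request carrying state, nonce and a PKCE code_challenge, keeps the matching secrets server-side, and refuses any callback whose state does not match. AUTHORIZE_URL, the client_id and redirect_uri values are placeholders, and code_challenge_method=S256 is sent as RFC 7636 specifies even though the page lists only code_challenge.

```python
"""Authorization request with state, nonce and PKCE, plus validation of the redirect back."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint for illustration; it is not taken from the HID documentation.
AUTHORIZE_URL = "https://idp.example.com/authorize"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636, section 4.2)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorization_request(client_id, redirect_uri, acr_values=None, login_hint=None):
    """Return (url, session).

    session holds the per-request secrets the client keeps server-side
    (state, nonce, code_verifier); they are needed again when the callback
    arrives and when the ID token is validated, and must never reach the browser.
    """
    code_verifier = b64url(secrets.token_bytes(32))   # 43 unreserved characters
    session = {
        "state": secrets.token_urlsafe(16),           # binds the callback to this request (CSRF)
        "nonce": secrets.token_urlsafe(16),           # binds the ID token to this request
        "code_verifier": code_verifier,               # proves the code exchange is ours (PKCE)
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    if acr_values:
        params["acr_values"] = acr_values
    if login_hint:
        params["login_hint"] = login_hint
    return AUTHORIZE_URL + "?" + urlencode(params), session


def parse_callback(callback_url: str, session: dict) -> str:
    """Validate the redirect to redirect_uri and return the authorization code.

    Raises ValueError for an error response, a missing or mismatched state,
    or a missing code; the caller must not continue in any of those cases.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: response is not bound to our request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request_params(code: str, redirect_uri: str, client_id: str, session: dict) -> dict:
    """Form fields for the back-channel code exchange; client authentication is added separately."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": session["code_verifier"],
    }
```

The nonce kept in the session is compared against the nonce claim of the ID Token returned by the code exchange; the code_verifier goes only into the back-channel token request, never into the browser redirect.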

Supported Client Authentication Methods

The HID Authentication Service server supports the following standard client authentication methods (OpenID Connect Core, section 9), in which the client proves possession of a credential established at registration:

  • client_secret_basic – HTTP Basic authentication with the client secret (static password, OTP, activation code, etc): client_id and client_secret are form-urlencoded, joined with a colon and sent base64-encoded in the Authorization header (RFC 6749, section 2.3.1)

    Because a shared secret is all that protects it, it is (together with client_secret_post) the least secure of the listed methods.

  • client_secret_post – the same client secret sent as the client_id and client_secret form parameters in the request body instead of in a header

  • private_key_jwt – the client sends a JWT (client_assertion) signed with its own private key; the server verifies it against the public key registered for the client, so no shared secret leaves the client

The HID Authentication Service server also supports TLS mutual authentication as a client authentication method, in three variants:

  • [HID Custom] client_secret_pki – the server validates the client PKI certificate presented on the TLS connection
    (This is the HID custom method, retained for legacy use.)

  • tls_client_auth – mutual TLS as defined in RFC 8705: the server validates the client certificate chain against its trusted CAs and matches the certificate to the identity registered for the client

  • self_signed_tls_client_auth – mutual TLS as defined in RFC 8705 for self-signed certificates: the server matches the presented certificate against the certificate registered for the client instead of validating a CA chain
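The two shared-secret methods above, as an added example that is not HID code: RFC 6749 requires client_id and client_secret to be form-urlencoded before they are joined and base64-encoded for client_secret_basic, a step many hand-rolled clients skip, which breaks or mis-parses secrets containing a colon, a plus sign or non-ASCII characters. The credentials used are constructed.

```python
"""client_secret_basic and client_secret_post credentials encoded as RFC 6749 specifies."""
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode


def client_secret_basic_header(client_id: str, client_secret: str) -> str:
    """Authorization header value for client_secret_basic (RFC 6749, section 2.3.1).

    client_id and client_secret are form-urlencoded *before* being joined with
    ':' and base64-encoded. Skipping that step is a common bug: a secret that
    contains ':' or non-ASCII characters then decodes to the wrong credentials.
    """
    credentials = quote_plus(client_id) + ":" + quote_plus(client_secret)
    return "Basic " + base64.b64encode(credentials.encode("ascii")).decode("ascii")


def parse_client_secret_basic(header: str) -> tuple:
    """Server side: recover (client_id, client_secret) from the header, undoing both encodings."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not HTTP Basic credentials")
    decoded = base64.b64decode(encoded, validate=True).decode("ascii")
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return unquote_plus(client_id), unquote_plus(secret)


def client_secret_post_body(client_id: str, client_secret: str, **grant_params) -> str:
    """Form body for client_secret_post: the same secret travels as form fields, not a header."""
    return urlencode({"client_id": client_id, "client_secret": client_secret, **grant_params})
```

Either way the secret crosses the wire in clear inside TLS, which is why both methods rank below private_key_jwt and the mTLS methods.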

Supported ID Token Algorithms

The HID Authentication Service server supports JSON Web Signature (JWS) protected ID Tokens:

  • RS256 – the ID Token is signed with the provider’s RSA JWK

Because RS256 is the only supported algorithm, a client should pin its validation to RS256 and reject any ID Token whose header carries a different alg value (including none), rather than letting the token’s own header select the verification algorithm.
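RS256 as it appears in both the private_key_jwt client authentication method above and the RS256-signed ID Token, as one added example that is not HID code: the block signs a private_key_jwt client assertion and validates an ID Token (alg pinned to RS256, key chosen by kid from a JWK Set, then the iss, aud/azp, exp and nonce checks of OpenID Connect Core section 3.1.3.7). RSA key generation and RSASSA-PKCS1-v1_5 are implemented on Python integers so it runs offline without dependencies; production code should use a vetted JOSE library. ISSUER, TOKEN_ENDPOINT, the kid values and the 1024-bit demo key size are assumptions.

```python
import base64, hashlib, json, math, secrets, time

ISSUER = "https://idp.example.com"      # assumed issuer; not an HID URL
TOKEN_ENDPOINT = ISSUER + "/token"      # assumed token endpoint
# DigestInfo prefix for SHA-256 in EMSA-PKCS1-v1_5 (RFC 8017, section 9.2).
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin with random bases (adequate for a demo key)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(cand):
            return cand

def generate_rsa_key(bits: int = 1024) -> dict:
    """{'n','e','d'} as ints; 1024 bits keeps the demo fast, use >= 2048 for real keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def public_jwk(key: dict, kid: str) -> dict:
    """Public half as a JWK (RFC 7518, section 6.3.1), the form a provider publishes at jwks_uri."""
    enc = lambda i: b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(key["n"]), "e": enc(key["e"])}

def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    t = _SHA256_PREFIX + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def jws_sign_rs256(claims: dict, key: dict, kid: str) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(RSASSA-PKCS1-v1_5 over both)."""
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + compact(claims)
    k = (key["n"].bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(signing_input.encode("ascii"), k), key["d"], key["n"])
    return signing_input + "." + b64url(sig.to_bytes(k, "big"))

def jws_verify_rs256(token: str, jwks: list) -> dict:
    """Verify with the RSA JWK selected by kid. alg is pinned: the token header never chooses it."""
    h_b64, c_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    jwk = next((j for j in jwks if j.get("kid") == header.get("kid") and j.get("kty") == "RSA"), None)
    if jwk is None:
        raise ValueError("no RSA key with that kid")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(b64url_decode(s_b64), "big")
    if sig >= n or pow(sig, e, n) != _emsa_pkcs1_v15((h_b64 + "." + c_b64).encode("ascii"), k):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(c_b64))

def validate_id_token(token: str, jwks: list, client_id: str, nonce: str, now=None) -> dict:
    """OpenID Connect Core section 3.1.3.7 checks after the signature: iss, aud/azp, exp, nonce."""
    now = time.time() if now is None else now
    claims = jws_verify_rs256(token, jwks)
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if client_id not in aud or (len(aud) > 1 and claims.get("azp") != client_id):
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replay or substitution)")
    return claims

def private_key_jwt_fields(client_id: str, key: dict, kid: str, lifetime: int = 60) -> dict:
    """Token-endpoint form fields for private_key_jwt (OpenID Connect Core section 9, RFC 7523)."""
    now = int(time.time())
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + lifetime}
    return {"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": jws_sign_rs256(claims, key, kid)}
```

The same JWS routines serve both directions: the client signs the assertion with its own key and the provider verifies it against the client’s registered JWK, while the client verifies the ID Token against the provider’s RSA JWK. The jti in the assertion exists so the provider can reject replays within the assertion’s short lifetime.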

Supported Claim Types

The HID Authentication Service server issues normal claims (OpenID Connect Core, section 5.6.1), that is, claims asserted by the OpenID Provider itself and returned directly to the client. Aggregated and distributed claims, which are asserted by a claims provider other than the OpenID Provider, are NOT supported.

SCIM API Access

When accessing the SCIM endpoint, the client uses the access token issued in the token response from the HID Authentication Service as its authorization for the SCIM endpoint, presenting it as an OAuth 2.0 bearer token in the Authorization header of each SCIM request, as RFC 7644 recommends.

OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. Clients request this extension by including the openid scope value in the Authorization Request. Information about the authentication performed is returned in a JSON Web Token (JWT), the ID Token.

The OpenID Connect SCIM profile (an extension, not part of OpenID Connect Core) defines the following metadata:

  • Discovery metadata indicating the availability of a SCIM protocol base endpoint.
  • Dynamic registration metadata that is used to indicate a client’s intent to use the SCIM API and its associated endpoints.
  • An additional ID Token claim which specifies the SCIM resource endpoint and identifier associated with the authenticated subject.

Offline Access

The HID Authentication Service server supports offline access, that is, the exchange of a valid refresh token for a new access token, optionally a new ID Token, and a new refresh token between the client application and the IdP, without prompting the user. A refresh token is a long-lived bearer credential and must be stored with the same care as the client secret; when the token endpoint returns a new refresh token the previous one must be discarded (RFC 6749, section 6), and an invalid_grant error means the stored token is no longer usable and the user has to sign in interactively again.
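The refresh exchange from the client’s side, as an added example that is not HID code: it builds the grant_type=refresh_token request, refreshes shortly before expiry, rotates to a newly issued refresh token (keeping the old one only when none is returned) and turns invalid_grant into a signal to re-authenticate. The token responses are constructed, and the 30-second skew is an assumption.

```python
"""Client-side refresh-token exchange with rotation handling (RFC 6749, section 6)."""
from urllib.parse import urlencode


class ReauthRequired(Exception):
    """The refresh token was rejected: the user must sign in interactively again."""


class TokenSet:
    """Tokens a client stores per user session; refresh_token is a long-lived bearer credential."""

    def __init__(self, access_token, refresh_token, expires_in, obtained_at, id_token=None):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expires_at = obtained_at + int(expires_in)
        self.id_token = id_token


def needs_refresh(tokens: TokenSet, now: float, skew: int = 30) -> bool:
    """Refresh a little before expiry so in-flight API calls do not hit a 401."""
    return now >= tokens.expires_at - skew


def refresh_request_body(tokens: TokenSet, scope=None) -> str:
    """Form body for the token endpoint. Client authentication (for example
    client_secret_basic or private_key_jwt) is added per the client's registered method."""
    params = {"grant_type": "refresh_token", "refresh_token": tokens.refresh_token}
    if scope:                       # may only narrow the scope originally granted
        params["scope"] = scope
    return urlencode(params)


def apply_refresh_response(old: TokenSet, response: dict, now: float) -> TokenSet:
    """Turn the token endpoint's JSON reply into the new stored TokenSet.

    invalid_grant means the refresh token is expired, revoked or already used,
    so the stored set is discarded and the user goes back through sign-in.
    A newly returned refresh token replaces the old one (rotation); if none is
    returned the old one stays valid and is kept.
    """
    if "error" in response:
        if response["error"] == "invalid_grant":
            raise ReauthRequired(response.get("error_description", "refresh token rejected"))
        raise ValueError("token endpoint error: " + response["error"])
    if response.get("token_type", "").lower() != "bearer" or "access_token" not in response:
        raise ValueError("malformed token response")
    return TokenSet(
        access_token=response["access_token"],
        refresh_token=response.get("refresh_token", old.refresh_token),
        expires_in=response.get("expires_in", 0),         # no lifetime given: refresh on next use
        obtained_at=now,
        id_token=response.get("id_token", old.id_token),  # validate like a sign-in ID Token, same sub
    )
```

An ID Token returned in a refresh response goes through the same signature and claim checks as at sign-in, and its sub must equal the one from the original sign-in; the refresh must not silently switch the session to another user.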