OpenID Connect performs authentication to log in the End-User. OpenID Connect returns the result of the Authentication performed by the Server to the Client in a secure manner so that the Client can rely on it.
The Authorization Endpoint performs Authentication of the End-User. This is done by sending the User Agent to B-fy’s Authorization Endpoint for Authentication and Authorization, using request parameters defined by OAuth 2.0 and additional parameters and parameter values defined by OpenID Connect.
AUTHORIZATION REQUEST
An Authentication Request asks B-fy's Authorization Server to authenticate the End-User using the OAuth 2.0 protocol. If the request is valid, B-FY attempts to Authenticate the End-User or determines whether the End-User is authenticated, depending upon the request parameter values used. An Authentication user interface may be displayed by the Authorization Server, depending upon the request parameter values used and the authentication methods used.
Theseare the required and recommended request parameters that are encoded in the URI query:
- client_id-The client identifier of the in the connection with the B-FY systems. This client will be created by B-FY and give to the client to use it in the connection to the server.
- redirect_uri-The client call-back URI for the authentication response. This parameter will be defined by the client to B-FY, is where our system will call to the client system when the biometrical identification ends, and B-FY will provide the issuer data to the client system.
- state-Value set by the client to keep the security state between the request and the call-back. It shall be generated by the client randomly and using a different one in each identification flow (for each new identification request). It will be used by the client in the initiation request and validated by the client in the B-FY server response.
- response_type-Set to “code” to indicate an authorization code flow.
- scope-Used to specify the scope of the requested authorisation in OAuth. Here the client define what kind of data wants from the user. A list of standard claims can be found here:https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
Optionally, userdata can be askedindividually:
- Claims-ThisparameterisusedtorequestthatspecificClaims be returned. Thevalueis a JSON objectlistingtherequestedClaims.https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
In this example we will use:
Clientid- “biocryptology”
Scope – “openid”
State – “170894”
redirect_uri- “https://client.example.org/cb”
response_type- “code”
[SCOPE] -> receives the authorization code
[CLAIMS] -> using a user claims Json to receive only the requested values.
OpenIDspecreference: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest