Singpass login has become the de-facto authentication option for Singapore residents. Given the ease with which a user can authenticate with Singpass, it is the obvious choice when a site presents multiple login options. Singpass uses a protocol called OpenID Connect (OIDC) to establish this seamless and secure authentication session with our applications.
How exactly does your application use OIDC to authenticate you?
The OpenID Connect protocol (OIDC) is an identity layer built on top of OAuth 2.0. OAuth 2.0 provides a resilient foundation for securely transmitting JSON Web Tokens (JWT) containing your details over the internet, using signatures (JSON Web Signature, JWS) and encryption (JSON Web Encryption, JWE). To provide reliable authentication, OIDC defines the claims that must be present in the JWT to identify the authenticated user, and requires the token to be signed (a JWS) so that the relying party can verify which provider issued it.
How does OpenID Connect Work?
Before diving into the details, let’s familiarise ourselves with a few key terms:
OpenID Provider (OP) or Identity Provider (IdP): A system that creates, maintains, and manages identity information and also provides authentication services to relying applications.
Relying Party (RP): An application or website that outsources its user authentication function to an IdP.
Identity Token (ID token): A signed JWT that contains, at a bare minimum, an identifier for the user and information about how and when the user authenticated.
OpenID Connect provides three flows for authenticating users: the implicit flow, the authorisation code flow and a hybrid flow.
Implicit Flow: The ID token is returned directly to the application’s front end through the redirect URI.
Authorisation Code Flow: The ID token is not returned directly; the application receives an authorisation code that its backend exchanges with the identity provider's server for the ID token.
Hybrid Flow: The ID token is returned directly to the application’s front end through the redirect URI along with an authorisation code.
Out of these, the authorisation code flow is the most secure option, since the ID token is exchanged over a back channel rather than being exposed to the front end.
So how does the authorisation code flow work?
- The user lands on a page that requires them to log in before they can view resources, and clicks the "LOGIN" button.
- The relying party redirects to the identity provider (e.g. Singpass), specifying where the user should be redirected after authentication along with the other parameters required by the OIDC protocol (such as the client identifier, scope, state and nonce).
- The user authenticates on the identity provider's page.
- If the login is successful, the identity provider redirects back to the relying party with an authorisation code.
- The relying party sends the authorisation code through a back channel to the identity provider's server and receives an ID token in exchange.
- The relying party validates the ID token (signature, issuer, audience, expiry and nonce) and retrieves the user's details from its claims.
What is the benefit of using the OIDC Protocol?
- SSO
The OIDC protocol allows applications to integrate with an identity provider and perform single sign-on. This enhances the user’s experience, allowing them to log in once and access the different applications supported within the SSO session.
- Widely adopted and Standardized
It allows applications that support OIDC to be interoperable and easily integrated with various identity providers. Being a widely adopted standard, many libraries are available across technologies that further simplify the integration.
- Security
The standard ensures that the identity information the application receives can be verified using the token's signature, confirming that the source of the identity is legitimate. Additionally, it gives relying parties and identity providers the option to encrypt the user's information (JWE) so that it is protected in transit.
Conclusion
OpenID Connect enables businesses to build more secure, user-friendly applications that leverage modern authentication standards. Whether you’re building server-side applications, single-page applications, or complex hybrid systems, OpenID Connect provides the flexibility and security needed to manage user identities effectively.