The end user is the person who uses OpenID Connect compatible applications. It is the end user to whom authentication requests for connecting to the applications, as well as requests for consent to access their personal data, are presented.
Subscribe: why so much data to fill in?
OAuth Server by DnC is a system that allows application owners to gain reasonably high confidence in the identity of users before granting them access. This is a protection for owners of personal data held on resources protected by OAuth Server by DnC. It is also a protection for any user of the applications they have connected to using this server, since it helps prevent a malicious actor from impersonating them.
What do you do with my data?
First of all, you will notice that the requested data is oriented towards identifying a legal entity (not necessarily an individual) and its presence on the web.
These data are used only for automatic or visual checks (based on information publicly available on the web) of the user's digital identity; they do not leave the server and, a fortiori, are not communicated to any third party.
Note that OAuthSD servers are private: they are owned and maintained by private companies you have agreed to work with. Their interest is to do a good job for you, not to sell your data to others or let it leak outside.
Login: why am I asked for my e-mail instead of a nickname?
The e-mail address is used as the login in the authentication procedure, together with a password.
The e-mail address is required to validate the registration, and can be used later by the authentication server, for example in a forgotten-password recovery procedure.
We think there is little chance that you will forget your e-mail address. Moreover, an e-mail address is a unique identifier, unlike a pseudonym.
Your e-mail address will not be communicated to client applications or any third party; it remains secret within the authentication server.
What is an OpenID Connect account?
Registering once on the server and using that account with many applications is called "Single Sign On" (SSO).
In some corporations the registration may be made in advance by the administrator.
What is the difference between "authenticated" and "connected"?
Before you encountered OIDC, you were used to "connecting" to an application: you went through a login/password dialog (inside the application) which led to you being "connected". One also said the application was "connected" to you.
With OIDC, the login dialog is handled by the server (outside the application). You are "authenticated" at the OIDC server, and as a result the application becomes "connected".
You may use this authentication to connect to other applications.
What is the difference between "authenticate" and "re-authenticate"?
When you authenticate on a particular user-agent, this user-agent receives an "SLI cookie" from the server. As long as this cookie is valid, you will re-authenticate: in most situations you will be authenticated seamlessly.
This includes connecting another application seamlessly. This is "Single Login In" (SLI). Most of the time, SLI is mentally included in SSO, but it is not the same thing, and not all OIDC servers do SSO natively as OAuthSD does.
That's the great job OAuthSD does for you!
What might require me to authenticate again?
There are many circumstances in which, without OAuthSD, you would have to identify yourself several times during the same day (the usual login and password procedure):
at the end of your application's session,
after a loss of network or Internet connection,
after a restart of your workstation,
after a sudden shutdown and restart of the application, etc.
With OAuthSD, as long as the SLI cookie is valid, you re-authenticate seamlessly. You can even launch new applications and be automatically connected.
However, you will need to authenticate again when the SLI cookie is no longer valid. Obviously, this is the case after you have closed the OpenID Connect session.
This can also happen if you leave your work for a long time without closing the OpenID Connect session (a bad habit!); otherwise you will be notified of the imminent end of the session and can extend it.
There are also cases of session destruction that will require a new authentication.
Of course, you will have to authenticate again if you change browser or workstation (the SLI cookie is only valid for one user-agent).
From where may I connect, and what does "inside the Corporate Realm" mean?
It is good practice for companies to geographically restrict access to all or part of their intranet from the Internet, or to establish special procedures for connecting from outside these areas.
The definition of a Corporate Realm includes the areas from which you will be able to authenticate with the OIDC server. We say you are "inside the Corporate Realm" to mean you are in a position to reach a particular OIDC server.
Please note that the definition of the Corporate Realm depends on the network configuration (routers and firewalls) made by the administrator. It is not a service of the OAuthSD server.
In the rest of this document, we assume you are "inside the Corporate Realm".
What are client applications?
Client applications are those registered on an OIDC server, and are thus capable of delegating your authentication to it.
In the rest of the document, "application" designates a client application registered on the OIDC server of the Corporate Realm under consideration.
What is a "user-agent", and what does "same user-agent" mean?
Most of the time, the term "user-agent" designates your browser.
"Same user-agent" means the same browser opened on the same workstation. It may be opened in multiple tabs or duplicated in multiple windows, but not a different type of browser (e.g. Chrome versus Firefox) or a different workstation.
Some applications running on your workstation may act as user-agents. Technically, "same user-agent" means that the different user-agents (browser instances and local applications) share the same cookies and are thus included in the same OIDC session.
Dealing with the OpenID Connect session
What is an OpenID Connect session?
An OIDC session is established at the server the first time of the day you authenticate.
This session will typically last several hours, and may be extended if you keep working. During that time, you will be able to connect to other applications without needing to authenticate again.
How do I see the OpenID Connect session status?
The OpenID Connect session is "opened at server" if the OIDC label is green.
If the OIDC label is orange or red, the OpenID Connect session may still be open at the server (if you logged in before with the same OIDC account), but the application has not yet been connected with your OIDC account. Just try.
You may click on the blue label to get a popup with more information.
What does "OIDC session was / will be destroyed" mean?
The OIDC session is destroyed when all references to it are erased from the server and all OIDC cookies are erased from the user-agent. You will have to authenticate again (not re-authenticate) to start a new session.
When may the OIDC session be destroyed?
when you explicitly "disconnect all your applications",
when the OIDC session ends at the server,
if you go off-track,
in some cases of security risk.
May I open several OIDC sessions on different workstations with the same account?
Yes (inside the Corporate Realm).
You will have to authenticate again.
May I open several OIDC sessions on different browsers / workstations?
With different OIDC accounts, inside the Corporate Realm: yes.
But if you try to use a different account from the same user-agent, the first one will be destroyed, leading to unexpected errors.
It makes sense: Single Sign On (SSO) means that a person uses only one account. Different people will use different accounts on different workstations.
May different persons use the same account?
Yes. It is the same as one person moving to a different workstation. As long as the authentication information is the same, OIDC does not make the difference.
This remains true unless there is biometric recognition at the workstations.
What exactly does "Close the OpenID Connect session" mean?
When you explicitly close the OpenID Connect session from any user-agent on a workstation, the user's session will be permanently closed on the server (the OIDC session is destroyed). This will quickly disconnect all applications of that user (the SLI cookie for that user will be destroyed on all the user-agents with which they have logged in).
We also speak of "global disconnection" as opposed to the "local disconnection" of one application.
If I log out of an app, does this close the OIDC session (global logout)?
No.
Disconnecting from the application (local logout) does not terminate the session.
The SLI mechanism will cause the application to automatically re-authenticate itself as soon as you use it and need to be authenticated again (if the session has not expired in the meantime).
Applications specially developed to delegate authentication to OpenID Connect should hide the local disconnection option.
I have left my office with OIDC sessions still open
OIDC sessions will end at the server and all connected applications will be disconnected. But it may take a while, typically hours.
Just take your smartphone, connect to any application (registered on your OIDC server), authenticate with your OIDC account and explicitly disconnect. The session will be destroyed, and thus all applications will be disconnected.
However, please note that some companies may opt to prohibit access from outside, or establish special procedures for connecting from outside.
I have an OpenID identifier; can I use it?
This is a common confusion: OpenID and OpenID Connect are not the same thing!
An OpenID identifier is used to identify you.
Within OIDC, different identification methods can be used, at the discretion of the developers and administrators of client applications. Identification with an OpenID identifier could be one of them.
OK, but what is the advantage of using OpenID Connect over OpenID?
Using OpenID (or some others) for SSO allows you to identify yourself. OpenID Connect also identifies the application you are connecting with and gives it an authorisation.
This is very important because intrusions are not only made by malicious people who impersonate your identity, but also by malware that pretends to be the legitimate application.
OpenID Connect identifies the user and the application, and additionally adds an authorization scope. These three pieces of data are linked in a tamper-proof way by means of the JWT token.
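The following is an added illustration of that tamper-proof link, written for this page and not code from OAuthSD or from its author. It builds a small JWT whose claims name the user (`sub`), the application (`aud`) and the granted `scope` under one signature, then shows that a verifier rejects a token whose scope or user was edited after signing, a token issued to another application, and an expired one. The issuer URL, client id, key and user name are constructed placeholders; HS256 with a shared key is used only so the example runs stand-alone, where a real OIDC server would sign with its private key (typically RS256).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: a real OIDC server signs ID tokens with its private key
# (typically RS256); a shared HMAC key (HS256) is used here only so the example
# runs stand-alone with the standard library.
DEMO_KEY = b"demo-key-not-for-production"
ISSUER = "https://oidc.example.corp"   # hypothetical OIDC server
CLIENT_ID = "intranet-app"             # hypothetical registered application


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, aud: str, scope: str, now: int, ttl: int = 3600) -> str:
    """Build a signed JWT that binds the user (sub), the application (aud)
    and the granted scope together under one signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": sub, "aud": aud, "scope": scope,
               "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(DEMO_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verification_error(token: str, expected_aud: str, now: int):
    """Return None if the token is acceptable for application `expected_aud`,
    otherwise a short reason. The signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return "malformed token"
    if header.get("alg") != "HS256":
        return "unexpected algorithm"
    expected_sig = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return "bad signature"          # any edited claim ends up here
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        return "wrong issuer"
    if claims.get("aud") != expected_aud:
        return "token issued to another application"
    if now >= claims.get("exp", 0):
        return "token expired"
    return None


def edit_claim_without_resigning(token: str, name: str, value) -> str:
    """Rewrite one claim but keep the original signature, to show that the
    verifier rejects the result: user, application and scope cannot be
    changed independently of each other."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims[name] = value
    new_payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token("alice@example.corp", CLIENT_ID, "openid profile", now)
    print("genuine token:", verification_error(token, CLIENT_ID, now))
    widened = edit_claim_without_resigning(token, "scope", "openid profile admin")
    print("scope edited after signing:", verification_error(widened, CLIENT_ID, now))
    print("presented to another application:", verification_error(token, "some-other-app", now))
    print("two hours later:", verification_error(token, CLIENT_ID, now + 7200))
```

The order of the checks matters: the signature is verified first, so no claim is read from the payload until it is known to be the one the server signed, and the audience check is what stops a token obtained by one application from being replayed to another.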
Persona and MyOpenID have closed, OpenID seems outdated, so why OAuthSD?
These systems were not based on OAuth 2.0 and did not use the OpenID Connect protocol, which are currently widely used solutions because they offer the expected level of security.
In addition, we hope that the extended features of OAuthSD will win you over.