Home > OpenID Connect OAuth Server by DnC

OAuth Server by DnC (OAuthSD) is an authentication server that implements OAuth 2.0 et OpenID Connect.

Secure data access with OpenID Connect

With the Single Sign On (SSO), an entity allows users of its applications to seamlessly navigate from one to the other. But even more:

By centralizing the authentication of applications and users, an OpenID Connect server makes it possible to perfectly control access to sensitive information.

In practice : "Authorization Code Grant"

When an application needs to authenticate user (for example to access protected resources), it will contact the OpenID Connect server. The latter identifies the application by exchanging with it an authorization code.
The server identifies the user of the application and determines its rights on this application. The user gives his consent to authorize the application to use all or part of his personal data.

This results in an authentication, binding the user and his personal data, the application and the rights of the user on the application (or vice versa) into a tamper-proof and transmissible object called Identity Token ( IDToken ).

The application then uses the Identity Token to access protected resources and obtain or modify data based on the rights of the user.

Different flows for different configurations

All application, server, and resource configurations do not provide the same level of security, especially for authenticating the application.

For optimal security, the application should be of "web" type and implement the Authorization Code Grant.

However, OpenID Connect can meet different needs, especially for mobile applications, with different Grant Types.

Supervision: organizing the configuration of the rights

In a large entity, with several thousand end-users (both staff and customers) and a large number of applications, it will not be possible to centralize the management of individual rights in relation to applications because they will be distributed users and applications among members of the entity.
A specific application will have to delegate the configuration of rights to the local level. Such an application is not part of the OpenID Connect specification. OAuthSD offers external applications the means to manipulate the data of the server through a HTTP API REST + TreeQL whose access is secured with ... OAuthSD.

Using an existing identification system: LDAP etc.

An organization implementing an identification system already has the means to manage users and their profile. OAuthSD allows the integration of third-party identification systems, whether standard such as LADP and Active Directory (Kerberos) or organization-specific (ID card, biometric identification ...).

In this case, the HTTP REST API makes it possible to automatically integrate this data by the authentication server. The result is a configuration in which the authentication server delegates the user’s identification to an Identity Provider.

The OpenID Foundation: standardization and certification

The OpenID Connect standard is coordinated by the largest IT companies within the OpenID Foundation. An abundant documentation provides the technical framework for the development of an authentication server (called "OpenID Connect Provider" or OP).
A battery of tests, made available by the foundation, allows the OAuthSD server to obtain the OpenID Connect Certification. This ensures that the authentication server conforms to the current state of the standard. A server should be updated and regularly tested.

What implications for client applications?

"Client" applications must be able to delegate user authentication to the OIDC server. More and more applications offer this possibility in accordance with the OpenID Connect standard.
When this is not the case, a special development is needed to adapt the application. This usually involves substituting an OIDC module for the code of the classical connection. Adaptation is therefore particularly easy in the context of a new development or an "open source" application.

DnC supports you

DnC supports you in your OpenID Connect project to implement your own OAuthSD authentication server. Our vertical mastery of the subject allows us to assist the developers as well as the project managers and the project owner.

DnC is an independent company guided by the consultant’s ethics. By entrusting us with the building of your own authentication server, you can rest assured that your customers’ browsing will not be exploited for adverse advertising purposes. You can also avail yourself of a policy of protection of their personal data.

Latest articles :

SLI, SLO and SRA are in a boat: OAuthSD


As part of OpenID Connect flows, in addition to the Single Sign On (SSO) function, the OAuthSD server implements the Single Login Identification (SLI) function, the Single Login Out (SLO). as well as Silent Re-Authentication (SRA) . This without modifying the application interface code with OIDC, all being taken into account at the authorize controller.
The OAuthSD server code can be set to implement (or not) the SLI. Single Disconnect (SLO) and Silent Re-Authentication (SRA) are derived (...)


Monitoring the state of authentication and Single Log Out (SLO)


The purpose of the authentication status monitoring is to synchronize the local connection of an application with the corresponding access token. Introduction
OAuthSD, following OAuth 2.0, considers that the end user is connected to an application as long as the associated access token is valid.
There is no "naturally" direct relationship between this token and the local connection state of an application. Each application will have to set up a monitoring, client side, in order to: (...)


More about Introspection


In the absence of a stable standard, the Brent Shaffer’s oauth2-server-php library lacks an Introspection Endpoint.
OAuthSD, like many Authorization Servers, implements its own OpenID Connect Introspection controller. It has been developed "above" the library.
What could be a "minimal and compatible implementation" of the Introspection Controller for the library? Before going into coding, let’s examine the RFC 7662 OAuth 2.0 Token Introspection Draft.
About the necessity for the Resource (...)


| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |

Site Map :