keycloak-scim/server_admin/topics/sso-protocols/con-oidc.adoc

[id="con-oidc_{context}"]

=== OpenID Connect
[role="_abstract"]
link:https://openid.net/connect/[OpenID Connect] (OIDC) is an authentication protocol that is an extension of link:https://datatracker.ietf.org/doc/html/rfc6749[OAuth 2.0].

OAuth 2.0 is a framework for building authorization protocols and is incomplete. OIDC, however, is a full authentication and authorization protocol that uses the link:https://jwt.io[Json Web Token] (JWT) standards.  The JWT standards define an identity token JSON format and methods to digitally sign and encrypt data in a compact and web-friendly way.

In general, OIDC implements two use cases. The first case is an application requesting that a  {project_name} server authenticates a user. Upon successful login, the application receives an _identity token_ and an _access token_.
The _identity token_ contains user information including user name, email, and profile information. The realm digitally signs the _access token_ which contains access information (such as user role mappings) that applications use to determine the resources users can access in the application.

The second use case is a client accessing remote services.

* The client requests an _access token_ from {project_name} to invoke on remote services on behalf of the user.
* {project_name} authenticates the user and asks the user for consent to grant access to the requesting client.
* The client receives the _access token_ which is digitally signed by the realm.
* The client makes REST requests on remote services using the _access token_.
* The remote REST service extracts the _access token_.
* The remote REST service verifies the tokens signature.
* The remote REST service decides, based on access information within the token, to process or reject the request.
KEYCLOAK-16234 initial commit (#41) * Fix Users TOC * KEYCLOAK-16234 initial commit * Modularization * messing * removes duplicate module calls * Post feedback changes Co-authored-by: Andy Munro <amunro@redhat.com> 2020-12-16 17:20:41 +00:00			`[id="con-oidc_{context}"]`

			`=== OpenID Connect`
			`[role="_abstract"]`
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`link:https://openid.net/connect/[OpenID Connect] (OIDC) is an authentication protocol that is an extension of link:https://datatracker.ietf.org/doc/html/rfc6749[OAuth 2.0].`
KEYCLOAK-16234 initial commit (#41) * Fix Users TOC * KEYCLOAK-16234 initial commit * Modularization * messing * removes duplicate module calls * Post feedback changes Co-authored-by: Andy Munro <amunro@redhat.com> 2020-12-16 17:20:41 +00:00
			`OAuth 2.0 is a framework for building authorization protocols and is incomplete. OIDC, however, is a full authentication and authorization protocol that uses the link:https://jwt.io[Json Web Token] (JWT) standards. The JWT standards define an identity token JSON format and methods to digitally sign and encrypt data in a compact and web-friendly way.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`In general, OIDC implements two use cases. The first case is an application requesting that a {project_name} server authenticates a user. Upon successful login, the application receives an _identity token_ and an _access token_.`
KEYCLOAK-16234 initial commit (#41) * Fix Users TOC * KEYCLOAK-16234 initial commit * Modularization * messing * removes duplicate module calls * Post feedback changes Co-authored-by: Andy Munro <amunro@redhat.com> 2020-12-16 17:20:41 +00:00			`The _identity token_ contains user information including user name, email, and profile information. The realm digitally signs the _access token_ which contains access information (such as user role mappings) that applications use to determine the resources users can access in the application.`

admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`The second use case is a client accessing remote services.`
KEYCLOAK-16234 initial commit (#41) * Fix Users TOC * KEYCLOAK-16234 initial commit * Modularization * messing * removes duplicate module calls * Post feedback changes Co-authored-by: Andy Munro <amunro@redhat.com> 2020-12-16 17:20:41 +00:00
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`* The client requests an _access token_ from {project_name} to invoke on remote services on behalf of the user.`
KEYCLOAK-16234 initial commit (#41) * Fix Users TOC * KEYCLOAK-16234 initial commit * Modularization * messing * removes duplicate module calls * Post feedback changes Co-authored-by: Andy Munro <amunro@redhat.com> 2020-12-16 17:20:41 +00:00			`* {project_name} authenticates the user and asks the user for consent to grant access to the requesting client.`
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`* The client receives the _access token_ which is digitally signed by the realm.`
			`* The client makes REST requests on remote services using the _access token_.`
KEYCLOAK-16234 initial commit (#41) * Fix Users TOC * KEYCLOAK-16234 initial commit * Modularization * messing * removes duplicate module calls * Post feedback changes Co-authored-by: Andy Munro <amunro@redhat.com> 2020-12-16 17:20:41 +00:00			`* The remote REST service extracts the _access token_.`
			`* The remote REST service verifies the tokens signature.`
			`* The remote REST service decides, based on access information within the token, to process or reject the request.`