An OIDC Resource Server hosts protected resources (such as APIs or user data) and controls access to them with OAuth 2.0 access tokens issued by the SURFconext OpenID Connect Provider. It verifies each access token through the standardized OAuth 2.0 token introspection mechanism (RFC 7662), which many client libraries support, and relies on the Provider's tokens and claims to identify and authorize the user instead of authenticating the user itself.
If you want to see a live demo, please refer to our OpenID Connect playground application. More information on how to connect your Resource server using the SP Dashboard can be found here.
The flow works as follows:
1) A regular relying party that is connected to SURFconext triggers a login request. The user logs in, and the relying party receives an access_token and an id_token (simplified):
{
"access_token": "ABC123",
"token_type": "Bearer",
"id_token": "DEF456"
}
2) The Relying Party can now use the access_token to make an authenticated request to the API on behalf of the user. Such a request looks like this:
GET https://url.of.the.api/api/student/grades
headers:
"Authorization": "Bearer ABC123",
"Accept": "application/json, application/json;charset=UTF-8"
3) The API receives that request and verifies the access_token with the SURFconext OIDC server. This verification process is called "introspection". The API identifies itself to the introspection endpoint with its own username and password using HTTP Basic authentication. The token is sent in the body of the POST as a form-encoded parameter (the request format RFC 7662 prescribes):
POST https://connect.surfconext.nl/oidc/introspect
headers:
"Authorization": "Basic aW50cm9zcGVjdDpzZWNyZXQ=",
"Content-Type": "application/x-www-form-urlencoded",
"Accept": "application/json, application/json;charset=UTF-8"
body:
token=ABC123
The Authorization value is the base64 encoding of the placeholder credentials "introspect:secret"; the "Basic " prefix is required.
4) The introspect endpoint answers with a JSON document containing information on the access_token and additional claims about the user.
{
"active": true,
"authenticating_authority": "https://idp.instition.nl",
"client_id": "playground_client",
"email": "testuser@universityofharderwijk.nl",
"exp": 1574703028,
"family_name": "Testuser",
"given_name": "Test",
"iss": "https://connect.surfconext.nl",
"schac_home_organization": "universityofharderwijk.nl",
"scope": "openid",
"sub": "01cafaaa7bc2dd124f45487fbcc740ec3ea6f54",
"token_type": "Bearer",
"updated_at": 1574695827
}
The SURFconext OpenID Connect introspection endpoint returns the following properties describing the access_token, together with the user's claims:
| Property | Explanation |
|---|---|
| active | Boolean, indicates the validity of the access_token; a false value means the token must not be accepted |
| authenticating_authority | Identifier of the IdP that authenticated the user (its entityID URL in the example above; the user's SchacHomeOrganization is returned separately as the schac_home_organization claim) |
| client_id | The client_id of the Client that requested the access_token |
| exp | Unix timestamp at which the access_token expires |
| iss | The issuer of the access_token |
| scope | Space-separated list of the scopes granted to this access_token |
| sub | The subject identifier of the user. Matches the sub of the id_token |
| token_type | Token type |
| updated_at | Last time the token was updated; in our case always the unix timestamp at which the token was issued |
The rest of the token consists of claims. See this page for more information on the OpenID Connect claims supplied by SURFconext.
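The following is an added example of the resource-server side of steps 2 to 4 together with the property checks from the table above. It is not SURFconext's own code. It builds the introspection request exactly as shown in step 3 (Basic auth, form-encoded token), sends it through a pluggable transport, and then validates active, exp, iss, client_id and scope before handing the sub back to the API. The credentials "introspect:secret", the allowed client_id "playground_client" and the required scope "openid" are assumptions taken from the page's placeholders; the fake transport and its sample response are constructed for offline use and mirror the step 4 document.

```python
"""Resource-server token validation via SURFconext OIDC introspection.

Added example, not SURFconext's own code. Placeholder credentials and the
sample response below are assumptions based on the page's examples.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

INTROSPECT_URL = "https://connect.surfconext.nl/oidc/introspect"
EXPECTED_ISSUER = "https://connect.surfconext.nl"
RS_USERNAME = "introspect"          # assumed resource-server credentials
RS_PASSWORD = "secret"
ALLOWED_CLIENT_IDS = {"playground_client"}  # assumed: RPs allowed to call this API
REQUIRED_SCOPES = {"openid"}                 # assumed: scopes this endpoint needs


class TokenRejected(Exception):
    """Raised when the request must get a 401/403 instead of the resource."""


def basic_auth_header(username, password):
    # HTTP Basic: base64(username ":" password) with no trailing newline.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def extract_bearer(authorization):
    """Pull the access token out of an 'Authorization: Bearer ...' value."""
    if not authorization:
        raise TokenRejected("missing Authorization header")
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenRejected("not a Bearer token")
    return token.strip()


def build_introspection_request(token):
    """Step 3: POST the token form-encoded (RFC 7662), authenticating with Basic auth."""
    return urllib.request.Request(
        INTROSPECT_URL,
        data=urllib.parse.urlencode({"token": token}).encode(),
        method="POST",
        headers={
            "Authorization": basic_auth_header(RS_USERNAME, RS_PASSWORD),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def http_post_json(req):
    """Real transport; the offline run below swaps in fake_transport instead."""
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def check_introspection(info, now=None):
    """Step 4: apply the property checks from the table; return what the API may trust."""
    now = time.time() if now is None else now
    if info.get("active") is not True:
        raise TokenRejected("token is not active")
    if not isinstance(info.get("exp"), int) or info["exp"] <= now:
        raise TokenRejected("token has expired")
    if info.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("unexpected issuer")
    if info.get("client_id") not in ALLOWED_CLIENT_IDS:
        raise TokenRejected("token was issued to a client this API does not serve")
    granted = set(info.get("scope", "").split())   # scope is space-separated
    if not REQUIRED_SCOPES <= granted:
        raise TokenRejected("insufficient scope")
    return {"sub": info["sub"], "client_id": info["client_id"], "scope": sorted(granted)}


def authorize(authorization_header, transport=http_post_json, now=None):
    """Full path: Bearer header in, validated identity out (or TokenRejected)."""
    token = extract_bearer(authorization_header)
    return check_introspection(transport(build_introspection_request(token)), now=now)


# Constructed sample response mirroring the page's step 4 document.
SAMPLE_RESPONSE = {
    "active": True, "authenticating_authority": "https://idp.instition.nl",
    "client_id": "playground_client", "email": "testuser@universityofharderwijk.nl",
    "exp": 1574703028, "family_name": "Testuser", "given_name": "Test",
    "iss": "https://connect.surfconext.nl", "schac_home_organization": "universityofharderwijk.nl",
    "scope": "openid", "sub": "01cafaaa7bc2dd124f45487fbcc740ec3ea6f54",
    "token_type": "Bearer", "updated_at": 1574695827,
}


def fake_transport(req):
    """Offline stand-in for the introspect endpoint; checks the request shape of step 3."""
    assert req.get_method() == "POST" and req.full_url == INTROSPECT_URL
    assert req.get_header("Authorization") == "Basic aW50cm9zcGVjdDpzZWNyZXQ="
    assert req.get_header("Content-type") == "application/x-www-form-urlencoded"
    params = urllib.parse.parse_qs(req.data.decode())
    if params.get("token") == ["ABC123"]:
        return dict(SAMPLE_RESPONSE)
    return {"active": False}   # RFC 7662: unknown or revoked tokens come back inactive


if __name__ == "__main__":
    print(authorize("Bearer ABC123", transport=fake_transport, now=1574700000))
```

The time is injected so the sample token (exp 1574703028) can be checked deterministically; in production leave now=None. The transport is injected for the same reason, and because it is also the right place to add caching of introspection results if the API is called at high rate.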