OpenId Connect (OIDC) is an identity layer built on top of the OAuth2 protocol.

When a user authentication is required the client application initiates one of OIDC Core flows and redirects this user to OIDC provider. The user gets redirected back to the client after the authentication, with the client application receiving IdToken. If Authorization Code Flow is used then IdToken is returned as part of the follow up code to access token exchange, and if Implicit Flow is used then IdToken is returned immediately.  It is very much like OAuth2 except that an extra IdToken parameter is returned.

Fediz OIDC provides an implementation of OIDC Core by integrating CXF OIDC IDP with Fediz Authentication System.

It is available starting from Fediz 1.3.0 and is a work in progress. 

Please review CXF OIDC IDP, CXF OAuth2 and CXF JOSE to get a better understanding of how Fediz OIDC has been implemented.

User Authentication

Fediz OIDC is currently implemented as a Fediz WS-Federation RP web application. When Fediz OIDC is accessed by a user, Fediz WS-Fed Authenticator will redirect a user to Fediz WS-Fed IDP to complete the authentication process. The fact WS-Fed is used during this process is transparent to the user. Note Fediz OIDC itself is completely agnostic to the way the authentication is done - all it needs is for Fediz to provide it an authenticated principal for it to support its OIDC flows.

Future major Fediz releases will optimize and improve this process by bringing  Fediz OIDC much closer to the core Fediz Authentication System thus avoiding an internal WS-Fed flow completely.

Trusted Providers

Fediz provides a comprehensive support for delegating the user authentication to trusted providers. Such providers can support SAML, WS-Fed or OpenId Connect protocols. Thus Fediz OIDC users can be authenticated locally or redirected further to registered authentication providers. This is achieved by assigning home realms to Fediz OIDC client registrations. 

Client Registration

OIDC client applications can be registered with ClientRegistrationService. At the moment one can register confidential or public clients, set redirect URIs and restrict the clients with audience URIs.

OIDC Services

Effectively Fediz OIDC is a complete OAuth2 server which supports all standard OIDC Core flows. It has JAX-RS service endpoints for supporting Authorization Code, Implicit and Hybrid flows and all OIDC response types

Services for supporting UserInfo requests and returning IdToken signature verification keys are also enabled. 

OAuth2 AccessTokenService is also required to complete Authorization Code or Hybrid flows.

Note even though Fediz OIDC is an OpenId Connect server, the availability of OAuth2 AccessTokenService allows for supporting of non-OIDC OAuth2 grants such as Client Credentials or other custom grants.

To provide all these service endpoints Fediz OIDC simply registers OIDC Services implemented by CXF OIDC in this context.


IdToken is populated in this SubjectCreator where an existing SAML assertion representing an authenticated user is converted to IdToken. The token is signed at the moment it is returned to the client, either in OAuth2 IdTokenResponseFilter (used by AccessTokenService) or in OidcImplicitService.

Data Persistence

Fediz OIDC needs to persist client registrations, user subjects, grants, access token and refresh tokens. Currently it uses CXF DefaultEHCacheCodeDataProvider and as such it does not have its own code for managing the data persistence.


Drop fediz-oidc.war into a Tomcat container hosting the core Fediz IDP service. 




  • No labels