OIDC : OpenID Connect
OpenID Connect (OIDC) is an authentication protocol built on top of the OAuth 2.0 authorization protocol. There are three main implementations of OIDC. They are:
OIDC Dynamic client registration
According to the above diagram, OIDC Core is the minimal requirement for the OIDC protocol. This proposal is based on an implementation of OIDC Core (Basic and Implicit profiles).
OIDC Basic Components
There are three participants that engage in OIDC message passing.
End User - The End User is the same as the OAuth 2.0 resource owner; it is the person whose identity information is being requested.
Relying Party (RP) - The Relying Party is the same as the OAuth 2.0 client; it requires End-User authentication and claims from an OpenID Provider.
OpenID Provider (OP) - The OpenID Provider is the same as the OAuth 2.0 Authorization Server; it is capable of authenticating the End-User and providing claims to a Relying Party about the authentication event and the End-User.
Another key concept is the ID Token. The ID Token is like an identity card: using it, the client obtains claims about the End-User. It is represented as a JSON Web Token (JWT).
There are three main endpoints used for user delegation.
Authorization Endpoint - This is the endpoint at the OP where the user is authenticated.
Token Endpoint - This is the endpoint used to exchange the code issued at the authorization endpoint for an ID Token and an access token for the client.
Userinfo Endpoint - From this endpoint the user information, or claims, is sent to the client. A valid access token must be presented to the OP for this.
OIDC Request Flow
The diagram below illustrates the high-level request passing that happens in OIDC.
First, the RP sends an authentication request to the OpenID Provider (OP). The OP redirects the End-User to an authentication page, authenticates the End-User and obtains authorization. The OP then sends an access token and an ID Token to the RP. The RP can present the access token to the OP's userinfo endpoint to request user claims, and the OP returns the user claims to the RP.
There are three main flows in OIDC to request tokens.
Authorization code (Basic)
This proposal only explains the implementation of first two flows.
Sequence Diagram : OIDC Basic Flow
For every request and response made in this flow there must be request and response validation. For the implementation , ,  must be used.
Sequence Diagram : Implicit Flow
Researching and ground work
Gather required knowledge to proceed
Understanding Sling Authentication implementation
Designing the architecture for Sling OIDC implementation
Obtaining configuration information about the OpenID Provider using the Discovery flow
Preparing an Authentication Request containing the desired request parameters
Sending the request to the Authorization Server
Mid Evaluations 1
Access Token and ID Token
Sending the code to the Token Endpoint to receive an Access Token and ID Token in the response
Validating the tokens and retrieving the End-User's Subject Identifier
Mid Evaluations 2
Authenticated user information
Send the access token to the userinfo endpoint
Store users and claims
Improve code quality
OIDC documentation for Sling
Finalizing and submitting
Project End Deliverables
The following are identified as the end deliverables for the proposed project.
Implementing an OIDC authentication handler for Apache Sling
Retrieving an Access Token and ID Token from the OpenID Provider
Getting authenticated users
Saving user claims
Name : Hasini Dilanka Witharana
Github : https://github.com/hasinidilanka
University : University of Moratuwa, Sri Lanka
Field of Study: Computer Science and Engineering.
I am Hasini Witharana, a final-year undergraduate at the University of Moratuwa. Within the past few years I have been engaged in several academic and non-academic projects. During my internship, I worked on a project related to OpenID Connect. My task was to get the OIDC certification for an Identity server. That project helped me a lot to understand the OIDC specifications and implementations. I engaged with the OIDC community to clear doubts about the implementations as well.
I believe this project will be a perfect opportunity for me to become more familiar with OpenID Connect while implementing an authentication handler for Apache Sling.
 - https://oauth.net/2/